A newly discovered remote access Trojan can steal various types of data from the infected machines, including personal data and cryptocurrency wallet information, Zscaler security researchers warn.
Dubbed InnfiRAT and written in .NET, the malware can not only gather sensitive information from the compromised machines, but was also designed to download additional payloads onto them.
When run, the malware first checks whether it is executed from %AppData% with the name NvidiaDriver.exe and sends a request to “iplogger[.]com/1HEt47″ if not, likely in an attempt to check for network connectivity.
Next, it records all running processes and checks whether any of them are running with the name NvidiaDriver.exe. If it finds a match, it kills that process, Zscaler explains.
Next, the malware copies itself to %AppData%/NvidiaDriver.exe and executes from there before terminating the current process. After the path of file execution has been confirmed, it writes a Base64 encoded PE file in memory – a .NET executable that contains the actual functionality of the malware.
InnfiRAT performs multiple checks to detect the presence of a virtual machine, then obtains the country and HWID information of the machine it is running on.
Moreover, it obtains a list of all the processes running on the system to determine whether certain tools used for malware analysis are present, and terminates its process if any match is found. The threat also kills a series of browser-related processes.
Based on commands received from the command and control (C&C) server, the malware can perform a variety of tasks specific to backdoors.
Thus, it can download and execute files, collect network data (including geolocation), steal browser cookies, steal Bitcoin wallets, exfiltrate text files that might contain sensitive information, list running processes, kill specific processes, take a screenshot, execute a specified command, and clear browser cookies.
“Because RATs are usually downloaded as a result of a user opening an email attachment or downloading an application that has been infected, the first line of defense is often the users who must, as always, refrain from downloading programs or opening attachments that aren’t from a trusted source,” the Zscaler researchers conclude.
Related: ‘Saefko’ Multi-Layered RAT Can Spread via USB Drives
Related: New “LookBack” Malware Used in Attacks Against U.S. Utilities Sector
Related: Researchers Analyze Vietnamese Hackers’ Suite of RATs
More from Ionut Arghire
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Pharmaceutical Giant Eisai Takes Systems Offline Following Ransomware Attack
- North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft
- Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- US, Israel Provide Guidance on Securing Remote Access Software
Latest News
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- Google Introduces SAIF, a Framework for Secure AI Development and Use
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Democrats and Republicans Are Skeptical of US Spying Practices, an AP-NORC Poll Finds
