Connect with us

Hi, what are you looking for?



InnfiRAT Targets Personal Data, Cryptocurrency Wallets

A newly discovered remote access Trojan can steal various types of data from the infected machines, including personal data and cryptocurrency wallet information, Zscaler security researchers warn.

A newly discovered remote access Trojan can steal various types of data from the infected machines, including personal data and cryptocurrency wallet information, Zscaler security researchers warn.

Dubbed InnfiRAT and written in .NET, the malware can not only gather sensitive information from the compromised machines, but was also designed to download additional payloads onto them.

When run, the malware first checks whether it is executed from %AppData% with the name NvidiaDriver.exe and sends a request to “iplogger[.]com/1HEt47″ if not, likely in an attempt to check for network connectivity.

Next, it records all running processes and checks whether any of them are running with the name NvidiaDriver.exe. If it finds a match, it kills that process, Zscaler explains.

Next, the malware copies itself to %AppData%/NvidiaDriver.exe and executes from there before terminating the current process. After the path of file execution has been confirmed, it writes a Base64 encoded PE file in memory – a .NET executable that contains the actual functionality of the malware.

InnfiRAT performs multiple checks to detect the presence of a virtual machine, then obtains the country and HWID information of the machine it is running on.

Moreover, it obtains a list of all the processes running on the system to determine whether certain tools used for malware analysis are present, and terminates its process if any match is found. The threat also kills a series of browser-related processes.

Advertisement. Scroll to continue reading.

Based on commands received from the command and control (C&C) server, the malware can perform a variety of tasks specific to backdoors.

Thus, it can download and execute files, collect network data (including geolocation), steal browser cookies, steal Bitcoin wallets, exfiltrate text files that might contain sensitive information, list running processes, kill specific processes, take a screenshot, execute a specified command, and clear browser cookies.

“Because RATs are usually downloaded as a result of a user opening an email attachment or downloading an application that has been infected, the first line of defense is often the users who must, as always, refrain from downloading programs or opening attachments that aren’t from a trusted source,” the Zscaler researchers conclude.

Related: ‘Saefko’ Multi-Layered RAT Can Spread via USB Drives

Related: New “LookBack” Malware Used in Attacks Against U.S. Utilities Sector

Related: Researchers Analyze Vietnamese Hackers’ Suite of RATs

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...