Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

InnfiRAT Targets Personal Data, Cryptocurrency Wallets

A newly discovered remote access Trojan can steal various types of data from the infected machines, including personal data and cryptocurrency wallet information, Zscaler security researchers warn.

A newly discovered remote access Trojan can steal various types of data from the infected machines, including personal data and cryptocurrency wallet information, Zscaler security researchers warn.

Dubbed InnfiRAT and written in .NET, the malware can not only gather sensitive information from the compromised machines, but was also designed to download additional payloads onto them.

When run, the malware first checks whether it is executed from %AppData% with the name NvidiaDriver.exe and sends a request to “iplogger[.]com/1HEt47″ if not, likely in an attempt to check for network connectivity.

Next, it records all running processes and checks whether any of them are running with the name NvidiaDriver.exe. If it finds a match, it kills that process, Zscaler explains.

Next, the malware copies itself to %AppData%/NvidiaDriver.exe and executes from there before terminating the current process. After the path of file execution has been confirmed, it writes a Base64 encoded PE file in memory – a .NET executable that contains the actual functionality of the malware.

InnfiRAT performs multiple checks to detect the presence of a virtual machine, then obtains the country and HWID information of the machine it is running on.

Moreover, it obtains a list of all the processes running on the system to determine whether certain tools used for malware analysis are present, and terminates its process if any match is found. The threat also kills a series of browser-related processes.

Based on commands received from the command and control (C&C) server, the malware can perform a variety of tasks specific to backdoors.

Advertisement. Scroll to continue reading.

Thus, it can download and execute files, collect network data (including geolocation), steal browser cookies, steal Bitcoin wallets, exfiltrate text files that might contain sensitive information, list running processes, kill specific processes, take a screenshot, execute a specified command, and clear browser cookies.

“Because RATs are usually downloaded as a result of a user opening an email attachment or downloading an application that has been infected, the first line of defense is often the users who must, as always, refrain from downloading programs or opening attachments that aren’t from a trusted source,” the Zscaler researchers conclude.

Related: ‘Saefko’ Multi-Layered RAT Can Spread via USB Drives

Related: New “LookBack” Malware Used in Attacks Against U.S. Utilities Sector

Related: Researchers Analyze Vietnamese Hackers’ Suite of RATs

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Raffi Joukhadarian has been named Managing Director and Chief Financial Officer at MorganFranklin Cyber.

Data security firm Rubrik has appointed Kavitha Mariappan as its Chief Transformation Officer.

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.