A newly discovered remote access Trojan can steal various types of data from the infected machines, including personal data and cryptocurrency wallet information, Zscaler security researchers warn.
Dubbed InnfiRAT and written in .NET, the malware can not only gather sensitive information from the compromised machines, but was also designed to download additional payloads onto them.
When run, the malware first checks whether it is executed from %AppData% with the name NvidiaDriver.exe and sends a request to “iplogger[.]com/1HEt47″ if not, likely in an attempt to check for network connectivity.
Next, it records all running processes and checks whether any of them are running with the name NvidiaDriver.exe. If it finds a match, it kills that process, Zscaler explains.
Next, the malware copies itself to %AppData%/NvidiaDriver.exe and executes from there before terminating the current process. After the path of file execution has been confirmed, it writes a Base64 encoded PE file in memory – a .NET executable that contains the actual functionality of the malware.
InnfiRAT performs multiple checks to detect the presence of a virtual machine, then obtains the country and HWID information of the machine it is running on.
Moreover, it obtains a list of all the processes running on the system to determine whether certain tools used for malware analysis are present, and terminates its process if any match is found. The threat also kills a series of browser-related processes.
Based on commands received from the command and control (C&C) server, the malware can perform a variety of tasks specific to backdoors.
Thus, it can download and execute files, collect network data (including geolocation), steal browser cookies, steal Bitcoin wallets, exfiltrate text files that might contain sensitive information, list running processes, kill specific processes, take a screenshot, execute a specified command, and clear browser cookies.
“Because RATs are usually downloaded as a result of a user opening an email attachment or downloading an application that has been infected, the first line of defense is often the users who must, as always, refrain from downloading programs or opening attachments that aren’t from a trusted source,” the Zscaler researchers conclude.
Related: ‘Saefko’ Multi-Layered RAT Can Spread via USB Drives
Related: New “LookBack” Malware Used in Attacks Against U.S. Utilities Sector
Related: Researchers Analyze Vietnamese Hackers’ Suite of RATs