Zscaler experts have published a report on the InnfiRAT malware, which specializes in stealing cryptocurrency and steals data from Litecoin and Bitcoin wallets.Information security specialists first noticed this malware in 2017, but only now, researchers have subjected it to a detailed analysis. This .NET-written threat is known to spread through phishing emails containing malicious attachments or links to downloaded files.
Having penetrated the victim’s machine, InnfiRAT copies itself to %AppData% under the mask of NvidiaDriver.exe, and then puts the PE file (Base64) in the memory, which is decoded into the binary directly involved in malicious activity. The system also creates a scheduled task for daily execution of the payload from the NvidiaDriver.exe file (in case of detection and elimination of infection).
Before starting work, the Trojan checks whether it is running in the sandbox and on the virtual machine. If everything is in order, the Trojan determines the HWID of the machine and the user’s country of residence. This data is transferred to the management server, and the Malware waits for further instructions.
Malicious operators may order InnfiRAT to search for certain processes and terminate them, including the Chrome, Yandex, Kometa, Amigo, Torch, Orbitum, Opera, and Mozilla browsers. Obviously, this is done in order to unlock user profiles and simplify data collection. In addition, the malware detects monitoring tools such as Taskmgr, Process Hacker, Process Explorer and Process Monitor, and also terminates their work.
InnfiRAT is able to use additional payloads, steal files and capture browser cookies to collect stored credentials.
“In addition, this RAT has ScreenShot functionality so it can grab information from open windows. For example, if the user is reading email, the malware takes a screenshot. It also checks for other applications running on the system, such as an active antivirus program”, — say Zscaler specialists.
However, the main goal of the Malvare remains cryptocurrency, including Bitcoin and Litecoin. In search of wallets and wallet.dat files, the Trojan scans %AppData%\Litecoin\ and %AppData%\Bitcoin\ and immediately transfers all the information it finds to the management server.
In addition to the above, InnfiRAT operators can also send their malvari the following commands:
- SendUrlAndExecute(string URL) – download the file from the specified URL and execute it;
- ProfileInfo() – collect and filter information about the network, location and equipment;
- LoadLogs() – write files to specific folders;
- LoadProcesses() – get a list of running processes and transfer to a remote server;
- Kill(int process) – eliminate a specific process on the victim’s computer;
- RunCommand(string command) – execute an arbitrary command on the victim’s computer;
- ClearCooks() – clear cookies for a specific browser.
How to protect yourself?
Because RATs are usually downloaded because of a user opening an email attachment or downloading an application that has been infected, the first line of defense is often the users who must, as always, refrain from downloading programs or opening attachments that aren’t from a trusted source.
User Review( votes)