- A new malware called InnfiRAT, which targets cryptocurrency wallet information and browser cookie data, has been discovered.
- The malware can also take screenshots of pages accessed on the infected computer.
Details of the discovery
Cybersecurity firm Zscaler has published a report on the discovery of a new malware dubbed InnfiRAT written in .NET.
- This malware scans the infected systems for cryptocurrency wallets such as Bitcoin and Litecoin, and browser cookie information such as username, password, and session data.
- InnfiRAT comes with the capabilities of taking screenshots of pages accessed on the compromised devices and terminating certain antivirus programs.
- The collected data is sent to the command and control server, following which additional malware may be installed depending on server instructions.
How does the attack happen?
- Before executing its main payload, the RAT first checks whether it is running under the name ‘NvidiaDriver.exe’ from the %AppData% directory.
- It then appears to check for a network connection by sending a request to ‘iplogger[.]com/1HEt47’.
- InnfiRAT kills any process running with the name ‘NvidiaDriver.exe’ and makes a copy of itself in the AppData directory.
- It writes a Base64 encoded PE file to initiate the execution of its main payload.
- When execution begins, it checks for a virtualized sandbox of the kind researchers use to analyze malware. If no sandbox is found, it contacts its command and control server.
- It may deploy additional payloads to harvest sensitive browser cookie information, take screenshots of sensitive pages, and terminate antivirus programs.
- It scans for Bitcoin and Litecoin wallets and attempts to steal their funds.
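As an added defender-side example (not code from the Zscaler report or this article), the script below triages JSON-lines endpoint telemetry for the two host-level indicators described above: a process named NvidiaDriver.exe launched from the %AppData% directory, and a DNS lookup for iplogger[.]com. The event schema, the sample events, and the assumption that %AppData% resolves to a path containing \AppData\ are mine.

```python
import json
import ntpath
from typing import Dict, Iterable, List, Optional, Tuple

# Indicators taken from the article: the RAT expects to run as NvidiaDriver.exe
# from the %AppData% directory and sends a request to iplogger[.]com.
SUSPECT_IMAGE = "nvidiadriver.exe"
SUSPECT_HOST = "iplogger.com"
APPDATA_MARKER = "\\appdata\\"  # assumption: %AppData% resolves under ...\AppData\


def flag_event(event: Dict[str, str]) -> Optional[str]:
    """Label one telemetry event, or return None when nothing matches."""
    kind = event.get("type")
    if kind == "process_create":
        image = event.get("image", "").lower()
        # The same file name under Program Files is not the pattern described above.
        if ntpath.basename(image) == SUSPECT_IMAGE and APPDATA_MARKER in image:
            return "innfirat_image_in_appdata"
    elif kind == "dns_query":
        host = event.get("query", "").lower().rstrip(".")
        if host == SUSPECT_HOST or host.endswith("." + SUSPECT_HOST):
            return "innfirat_connectivity_check"
    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run flag_event over JSON-lines telemetry; return (host, label) hits."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        label = flag_event(event)
        if label:
            hits.append((event.get("host", "?"), label))
    return hits


# Constructed sample telemetry (hypothetical schema, not real captures).
SAMPLE_LOG = r"""
{"host": "ws01", "type": "process_create", "image": "C:\\Users\\alice\\AppData\\Roaming\\NvidiaDriver.exe"}
{"host": "ws02", "type": "process_create", "image": "C:\\Program Files\\NVIDIA Corporation\\NvidiaDriver.exe"}
{"host": "ws01", "type": "dns_query", "query": "iplogger.com"}
{"host": "ws03", "type": "dns_query", "query": "update.microsoft.com"}
"""

if __name__ == "__main__":
    for host, label in scan(SAMPLE_LOG.splitlines()):
        print(host, label)
```

Only ws01 is reported, once for the copy in AppData and once for the connectivity check; the legitimately located file on ws02 and the benign lookup on ws03 are ignored.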
“Because RATs are usually downloaded as a result of a user opening an email attachment or downloading an application that has been infected, the first line of defense is often the users who must, as always, refrain from downloading programs or opening attachments that aren't from a trusted source,” say Zscaler researchers.
They have also published the Indicators of Compromise (IOCs) that you can monitor to safeguard your systems.