LTS Secure Warning: InnfiRAT Malware Aims At Stealing Victim’s Cryptocurrency Information And More

Researchers have identified a new piece of malware, dubbed InnfiRAT, written in .NET and designed to access and steal personal information from the victim’s computer. The malware’s top priority, however, is to look for cryptocurrency wallet information, such as Bitcoin and Litecoin wallets.

Technical Details

Infection Process of InnfiRAT Malware:

  • Before executing the main payload, the malware checks whether a file named ‘NvidiaDriver.exe’ is being executed from the %AppData% directory.
  • If yes, the malware terminates that process and copies itself into the ‘AppData’ directory.
  • If not, it checks for network connectivity by sending a request to ‘iplogger[.]com/1HEt47’.
  • After confirming the path of file execution, it writes a Base64-encoded PE file to trigger the execution of its main payload.
  • As execution starts, the malware checks for the presence of a sandbox environment and, if one is found, terminates the process.
  • If no such environment is found, the malware establishes a connection to its C&C server to receive further instructions.

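As an added illustration of the indicators above (example code written for this page, not part of the original advisory), the following Python script runs a few constructed Sysmon-style process-creation and DNS events through detection rules built from the page’s own IoCs: ‘NvidiaDriver.exe’ executing from %AppData% and a lookup of iplogger[.]com. The sample events, the host names and the extra rule that flags any executable launched directly from the %AppData% root are my own assumptions; that last rule is a general heuristic, not something the advisory states.

```python
"""Hunt constructed endpoint telemetry for the InnfiRAT indicators named in the advisory."""
import re
from dataclasses import dataclass

# Indicators taken from the advisory: the dropped file name and the connectivity-check domain.
DROPPED_FILE = "nvidiadriver.exe"
CONNECTIVITY_DOMAIN = "iplogger.com"

# Heuristic (my assumption, not from the advisory): an executable sitting directly
# in %AppData% (Roaming) for any user is unusual for legitimate software.
APPDATA_EXE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe$", re.IGNORECASE
)


@dataclass
class Event:
    kind: str        # "process" (process creation) or "dns" (name lookup)
    host: str        # endpoint that produced the event
    image: str = ""  # full path of the started executable (process events)
    query: str = ""  # queried name (dns events)


def classify(event):
    """Return a list of finding strings for one event (empty list if nothing matched)."""
    findings = []
    if event.kind == "process":
        path = event.image.lower()
        name = path.rsplit("\\", 1)[-1]
        if name == DROPPED_FILE and "\\appdata\\" in path:
            findings.append(
                f"{event.host}: {DROPPED_FILE} executing from AppData ({event.image})"
            )
        elif APPDATA_EXE.match(path):
            findings.append(
                f"{event.host}: executable launched directly from %AppData% ({event.image})"
            )
    elif event.kind == "dns":
        q = event.query.lower().rstrip(".")
        if q == CONNECTIVITY_DOMAIN or q.endswith("." + CONNECTIVITY_DOMAIN):
            findings.append(
                f"{event.host}: DNS lookup of {event.query} (InnfiRAT connectivity check)"
            )
    return findings


def hunt(events):
    """Run every event through classify() and return all findings in order."""
    return [finding for event in events for finding in classify(event)]


# Constructed sample telemetry (made up for this example, not real logs).
SAMPLE_EVENTS = [
    Event("process", "WS-01", image=r"C:\Users\alice\AppData\Roaming\NvidiaDriver.exe"),
    Event("process", "WS-01", image=r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    Event("process", "WS-02", image=r"C:\Users\bob\AppData\Roaming\updater.exe"),
    Event("dns", "WS-01", query="iplogger.com"),
    Event("dns", "WS-03", query="update.microsoft.com"),
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

On the sample data the script reports the dropped file on WS-01, the unexpected AppData-root executable on WS-02 and the iplogger[.]com lookup on WS-01, while the Firefox launch and the Microsoft update lookup produce nothing. Swapping the constructed list for real Sysmon event IDs 1 and 22 exported from a SIEM is the only change needed to run it against production telemetry.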

Impact

  • Capture cryptowallet credentials.
  • Take screenshots of the desktop.
  • Terminate programs.
  • Steal sensitive/confidential information such as login credentials for banking sites, cookies, etc.
  • Download additional payloads.


Recommended Actions

  • Try to avoid downloading and using any freeware application.
  • Software restriction policies should be in place along with application whitelisting.
  • Never download any suspicious attachments or click on any shady-looking link. Take an effort to educate your users on how to identify malspam.
  • Always update your anti-virus software with the latest releases.
  • Periodically run a “full system scan” on your endpoints.
  • Isolate all of the compromised computers ASAP to prevent threats from spreading further inside your infrastructure.