A remote access Trojan (RAT) dubbed InnfiRAT comes with extensive capabilities to steal sensitive information, including cryptocurrency wallet data. Zscaler’s ThreatLabZ team took a closer look at its inner workings, although the malware has been in the wild for a while.

The earliest this RAT was spotted is November 2017, according to security researcher James_inthe_box, but this is the first time it was analyzed more seriously.

InnfiRAT is a .NET malware the ThreatLabZ team found, with anti-VM and process checks designed to help it detect when it’s running in a sandboxed environment, typically used for malware analysis.

InnfiRAT will first look for indicators of a sandbox environment, a common setup used by cybersecurity researchers when reverse-engineering malware samples. If found, the malware will terminate; if not, then the payload continues to execute.

System data, including the country of the machine, processor type, PC vendor, name, and cache size is scraped. InnfiRAT will then contact its command-and-control (C2) server, transfer the stolen machine information, and await further instructions.

Among these instructions is the command to obtain a list of all running processes in an infected system, including those with the strings “chrome,” “browser,” “firefox,” and “opera.” The malware will terminate any that match.

Technical analysis

1) Before executing the main payload, the malware initially checks whether the file is executing from %AppData% directory or not with the name NvidiaDriver.exe. If not, then a web request is sent to “iplogger[.]com/1HEt47″ (possibly to check network connectivity).

2) It records all the running processes in an array, then iterates through each process and checks whether any process is running with the name NvidiaDriver.exe. If so, the malware kills that process and waits for an exit.

3) InnfiRAT copies itself as %AppData%/NvidiaDriver.exe and executes it from %AppData% before terminating the current process.

4) After confirming the path of file execution, it writes a Base64 encoded PE file in memory, which is later decoded in its actual format and is loaded after changing the entry point of the file. This is also a .NET executable and contains the actual functionality of the malware.

InnfiRAT is an essential tool that can help cybercriminals to create income using misused information in various ways. Succinctly put, to avoid financial data loss, data fraud, having different accounts stolen and PC infected with other malware, and prevent different issues it is required to uninstall this RAT right away.

Cryptocurrency stays as a profitable channel for cybercriminals to produce an illegal profit, and InnfiRAT is just one of the numerous types of malware that presently include cryptocurrency-related robbery.

For more cybersecurity Information contact us at help@theweborion.com