Let InnfiRAT In, and Your Passwords and Crypto Wallet Data May Be Stolen

You might think that stealing people's money over the internet isn't that hard. You just compromise some credit card details or some online banking credentials, and you're ready to go. The thing is, it's a bit more complicated than that.

Because there are so many cybercriminals out there, banks and financial institutions have taken the necessary precautions to ensure that their customers are better protected. The current anti-fraud mechanisms mean that while not impossible, stealing money online is a lot harder than it used to be, and the chances of getting caught are much more significant. This is why many crooks are more interested in cryptocurrency. Tracing transactions with digital coins is much more complicated, and stealing them is nowhere near as difficult. Here's how the operators of the new InnfiRAT malware do it.

InnfiRAT – a newcomer to an overcrowded market

InnfiRAT is a new Remote Access Trojan (or RAT, as the name suggests) that was recently discovered and analyzed by researchers from Zscaler. The malware was written in .NET, and it has a special affinity for cryptocurrency wallets, though, as we'll find out in a minute, its capabilities go far beyond that.

Unfortunately, Zscaler didn't give too much information on how the malware is being used. Apparently, they've seen it in the wild, but they said nothing about how big the campaign is and who it's aimed at. The report doesn't hold any details on how victims are infected, either, though if we have to guess, we'd probably say that InnfiRAT follows the example of other malware strains of this type and distributes itself with the help of spam emails. Thankfully, the researchers did include plenty of information on what InnfiRAT does once it finds itself on a victim's computer.

Stealth and detection-evasion techniques abound

As you'd expect, InnfiRAT comes with quite a few features designed to confuse security researchers and anti-malware products. When it runs for the first time, it copies itself as NvidiaDriver.exe in the %AppData% folder. It then writes a Base64-encoded portable executable file in memory, and it starts with a few checks to ensure that it's not running under the watchful eyes of reverse engineers.

The malware checks and double-checks different data about the device it's trying to infect in order to ensure that it hasn't been put on a virtual machine. Things like the name of the computer, the number of cores, and the number of logical processors are looked at, and if InnfiRAT finds certain keywords, it immediately terminates itself. Just in case, it's also designed to run through the list of processes and look for the Windows' Task Manager as well as a few other tools security professionals use regularly. If it determines that it's launched by a regular person on a regular PC, InnfiRAT continues with its operation.

It sends the victim's public IP, along with other information, back to the Command and Control (C&C) server. For reasons that are not completely clear, it then kills any running browser processes, and it goes on to establish persistence with the help of a scheduled task.

A multi-talented RAT

After the infection is complete, InnfiRAT waits for instructions from the C&C. As with any malware of this sort, the functionality is as varied as the commands the C&C sends.

When it comes to information theft, the focus is on cryptocurrency wallets and browser cookies. InnfiRAT is designed to look for the "Bitcoin" and "Litecoin" folders inside %AppData%. If it finds them, it copies the data from the wallet.dat file and sends it back to the C&C. The malware also steals browsing cookies from most popular browsers which can later be used for the compromise of entire online accounts.

In addition to cookies and cryptocurrency accounts, InnfiRAT can also steal text files that are smaller than 2MB, which may expose even more sensitive information. Speaking of which, the malware has the ability to kill processes which could let it disable the security products that might try to stop it. And once it does that, it can execute commands on the infected machine and download additional payloads, which means that the opportunities for an attack are more or less limitless.

InnfiRAT is still a new malware family, which means that it has a lot of room to evolve. Zscaler's researchers promised that they'll keep a close eye on it, and given how dangerous it is, it's safe to say that users should be a bit more careful as well.