The InnfiRAT Malware is a newly discovered threat which includes a sophisticated cryptocurrency theft module. It is written using the .NET framework and targets Windows machines in particular.
Cryptocurrency Holders Under Attack By The InnfiRAT Malware
Security researchers have discovered a new attack campaign carrying a threat called InnfiRAT malware. It is being distributed by an unknown hacking collective; given that the infiltrations are rated as advanced, we anticipate that the group is very experienced. The malware can be spread using numerous methods, such as the following:
- Phishing Strategies — The criminals can send out email messages and set up web sites that impersonate web services and companies. Whenever a victim interacts with them, the malware will be deployed.
- Payload Carriers — The virus installation code can be embedded in app installers or documents (as scripts). Another example is the creation of plugins for the most popular web browsers.
In one of the captured samples the analysts identified that the malicious code is delivered in a fake NVIDIA driver setup file. When it is run, the infection sequence starts. It begins with a file check that determines whether or not the malware is running from a predesignated location. The file is copied into a system location, which makes it more difficult to detect. After the file has been placed in its intended location it will decode the main engine and start it. What is particularly interesting about it is that it is encrypted.
At the start of the virus deployment one of the first steps is a security bypass. It analyses the memory and hard disk contents to find out whether any running security applications or services could block the infection: virtual machine hosts, sandbox environments, anti-virus programs, firewalls and intrusion detection systems.
If none of these are found on a given system the infection will continue. The next step in the infection process is information gathering — it extracts a long list of machine information and user data. The hardware information acquired is the following:
device manufacturer, caption, name, processor identity information, number of cores, L2 cache size, L3 cache size and socket designation.
In addition, data about the network status and geolocation is also collected: the IP address of the host system, as well as city, region, country and postal code. If the machine is part of an organization or company, that will also be recorded. The next step is to start a Trojan module which establishes a secure connection to a hacker-controlled server and allows the criminal controllers to take over the infected machines.
InnfiRAT Malware Trojan Operations
The Trojan operations include the ability to inject into the most popular web browsers, hijack their operations and kill them:
- Google Chrome
- Generic Browser
- Mozilla Firefox
The Trojan operations allow the remote attackers to spy on the victims in real time and kill browser windows. Stealing browser cookies and history allows the criminals to check whether or not the computer users use cryptocurrency in any way: storing, transferring and other activities.
It can also scan the memory for running processes and create new wallets in the respective wallet applications, setting them as the default. This means the operations carried out by the users will usually affect these hacker-controlled wallets, and all user interaction can be redirected to them. As a consequence the victims will not be aware that any money transfers directed to them are being handed over to the hackers.
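A defender-side illustration of the behaviour chain described in this article (a fake NVIDIA setup file outside a trusted directory, self-copy into a system location, CPU hardware fingerprinting, outbound connections and browser termination), written as an added example and not taken from the researchers or the malware itself. The telemetry events, process names, paths and hosts are constructed placeholders; that the cache-size and socket-designation data comes from a `Win32_Processor` WMI query is an assumption, as are the stage names.

```python
"""Stage-correlation check for the InnfiRAT-style chain described above.
Telemetry below is constructed for illustration, not captured from a real host."""
from collections import defaultdict

# Constructed Sysmon-like events: (pid, event_kind, detail). Hosts are placeholders.
SAMPLE_EVENTS = [
    (4120, "process_create", r"C:\Users\alice\AppData\Local\Temp\NVIDIA_driver_setup.exe"),
    (4120, "file_write", r"C:\Windows\System32\nvsvc.exe"),       # self-copy into a system dir
    (4120, "wmi_query", "SELECT * FROM Win32_Processor"),          # assumed source of cache/socket data
    (4120, "net_connect", "geoip-lookup.example:443"),             # placeholder geolocation service
    (4120, "net_connect", "c2.example:8080"),                      # placeholder hacker-controlled server
    (4120, "process_terminate", "chrome.exe"),                     # browser kill
    (7733, "process_create", r"C:\Program Files\NVIDIA Corporation\Installer2\setup.exe"),
    (7733, "wmi_query", "SELECT * FROM Win32_Processor"),          # a benign installer also asks about the CPU
]

BROWSERS = {"chrome.exe", "firefox.exe"}
TRUSTED_DIRS = (r"c:\program files", r"c:\windows")

def stages_for(events):
    """Map one process's events onto the stages of the chain; returns the set hit."""
    hit = set()
    for kind, detail in events:
        d = detail.lower()
        if kind == "process_create" and "nvidia" in d and not d.startswith(TRUSTED_DIRS):
            hit.add("masquerade_outside_trusted_dir")
        elif kind == "file_write" and d.startswith(TRUSTED_DIRS):
            hit.add("self_copy_to_system_location")
        elif kind == "wmi_query" and "win32_processor" in d:
            hit.add("hardware_fingerprint")
        elif kind == "net_connect":
            hit.add("outbound_connection")
        elif kind == "process_terminate" and d in BROWSERS:
            hit.add("browser_kill")
    return hit

def detect(events, threshold=3):
    """Group events by pid; report processes hitting at least `threshold` stages.
    A single stage (e.g. a CPU query) is normal, so only the combination alerts."""
    by_pid = defaultdict(list)
    for pid, kind, detail in events:
        by_pid[pid].append((kind, detail))
    alerts = {}
    for pid, ev in by_pid.items():
        stages = stages_for(ev)
        if len(stages) >= threshold:
            alerts[pid] = stages
    return alerts
```

Run against the constructed events, only pid 4120 is reported; the legitimate installer under Program Files hits a single stage and stays below the threshold.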