A new malware, dubbed InnfiRAT, has been found over the past several days that specializes in the theft of cryptocurrency-related data. The new malware includes multiple standard trojan capabilities but specifically lurks on infected systems in the quest for cryptocurrency wallet credentials. The malware is spread through the use of email phishing campaigns containing malicious attachments. Once it infects a vulnerable machine, the malware copies itself and hides in the AppData directory before writing a Base 64-encoded PE file in the memory to execute the primary function of the Trojan. InnfiRAT first searches for a sandbox environment, a common environment used to reverse engineer malware samples, and if found the malware self terminates. If normal operations are found then InnfiRAT begins communicating with system data, such as the location of the machine, processor type, PC vendor and name, to its command and control (C&C) server and awaits further instructions. Among the instructions sent back is the command to list all running processes on the infected system. The malware has the capability to deploy additional malicious payloads, steal files and grab browser cookies to harvest stored username and password credentials. In the hunt for cryptocurrency, InnfiRAT will scan for information relating to cryptocurrency including Bitcoin and Litecoin wallets and if found, will siphon existing data that can be used to compromise these wallets and potentially steal virtual funds.
Analyst Notes
Users should always employ a zero-trust policy when dealing with any email that looks suspicious. Suspicious looking emails should be immediately deleted and not opened for any reason. A solid antivirus and malware detection program should be installed on all systems and set to auto-update so that it has the newest information possible. Lastly, there are multiple styles of cryptocurrency wallets available. The hardest one for hackers to attack is the cold wallet. A cold walled is hardware based, such as a simple USB flash drive, that has no internet connection until it is plugged into a computer. These can also be password or private key protected.
