A new malware family, dubbed InnfiRAT, has been observed over the past several days that specializes in the theft of cryptocurrency-related data. It includes multiple standard trojan capabilities but lurks on infected systems specifically in search of cryptocurrency wallet credentials. The malware is spread through email phishing campaigns carrying malicious attachments. Once it infects a machine, the malware copies itself into the AppData directory to hide, then writes a Base64-encoded PE file into memory and executes it to carry out the trojan's primary function. InnfiRAT first checks for a sandbox environment, the kind of instrumented environment commonly used to analyze and reverse engineer malware samples, and if one is found the malware terminates itself. If it determines that it is running on a normal system, InnfiRAT begins sending system data, such as the machine's location, processor type, and PC vendor and name, to its command-and-control (C&C) server and awaits further instructions. Among the commands it accepts is one to list all running processes on the infected system. The malware can also deploy additional malicious payloads, steal files, and grab browser cookies to harvest stored usernames and passwords. In its hunt for cryptocurrency, InnfiRAT scans for information relating to cryptocurrency wallets, including Bitcoin and Litecoin wallets, and if any is found, siphons off data that can be used to compromise those wallets and potentially steal the victim's virtual funds.
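As an added example (not code from the original report or from any vendor analysis of InnfiRAT), the following Python snippet shows how a defender might catch the stage described above in which a Base64-encoded PE image is carried in an attachment or staged in memory: it finds long Base64 runs in a blob, decodes them, and checks for an MZ header whose e_lfanew field points at the PE signature. The sample blob, the 64-character run threshold and the minimal fake PE image are constructed assumptions for the demonstration, not real InnfiRAT artifacts.

```python
"""
Added example: locate Base64-encoded PE images inside an arbitrary blob
(an email attachment, a script, a memory dump). This is illustrative
detection code, not part of the original report.
"""
import base64
import re
import struct

# A run of at least 64 Base64-alphabet characters, optionally padded.
# The threshold is an assumption; a real PE encodes to far more than 64 chars.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew (offset 0x3C)
    points at a 'PE\\0\\0' signature, the documented PE image layout."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_base64_pe(blob: bytes) -> list:
    """Return (offset, decoded_size) for every Base64 run in blob that
    decodes to something carrying a PE header."""
    hits = []
    for m in B64_RUN.finditer(blob):
        token = m.group(0)
        # Re-pad so a run that lost its trailing '=' still decodes.
        token += b"=" * (-len(token) % 4)
        try:
            decoded = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if looks_like_pe(decoded):
            hits.append((m.start(), len(decoded)))
    return hits


def build_fake_pe() -> bytes:
    """Constructed minimal image: MZ stub, e_lfanew = 0x80, 'PE\\0\\0' at 0x80,
    followed by padding. It is not a runnable executable."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr += b"\x00" * (0x80 - len(hdr))
    hdr += b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 0x80
    return bytes(hdr)


# Constructed sample: phishing-style text, an embedded Base64 PE, and an
# innocuous Base64 string that must NOT be flagged.
SAMPLE_BLOB = (
    b"Dear customer, please review the attached invoice.\n"
    + b"payload=" + base64.b64encode(build_fake_pe()) + b"\n"
    + base64.b64encode(b"just some harmless text, repeated so it is long enough " * 2)
    + b"\n"
)


if __name__ == "__main__":
    for offset, size in find_base64_pe(SAMPLE_BLOB):
        print(f"Base64-encoded PE at offset {offset}, {size} bytes decoded")
```

In practice the same check is worth running over process memory captured from an unexpected executable under %APPDATA%, since the report describes the decoded image being executed from memory rather than written to disk as a second file.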
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in