InnfiRAT a new threat to Bitcoin and Crypto Wallets

InnfiRAT is a .NET-based remote access trojan primarily targeting cryptocurrency wallet data and related financial information. The Zscaler ThreatLabZ team came across this new RAT and named it InnfiRAT.

At the time of publication, it is unclear how InnfiRAT is delivered, although there are unconfirmed reports indicating it is distributed via spam or phishing campaigns.

When executed, InnfiRAT checks whether it is running from the %AppData% folder under the name NvidiaDriver.exe; if it is not, it copies itself to that location and terminates any conflicting processes. It then checks for the presence of several virtualisation processes, terminating itself if any are detected, before installing its primary modules.

Once installed, InnfiRAT will collect system information and send it to a command and control server. It will then attempt to extract credentials from a hard-coded list of cryptocurrency wallets, as well as any TXT files below a certain limit. InnfiRAT can also extract user information from web browsers, take screenshots, monitor keystrokes, and install secondary payloads.

Further details can be found here – https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptocurrency-and-more

Indicators of Compromise

URLs

  • gho[.]st/download/6yghkhzgm/84986b88fe9d7e3caf5183e4342e713adf6c3040/df3049723db33889ac49202cb3a2f21ac1b82d5b/peugeot.zip
  • tcp://62[.]210[.]142[.]219:17231/IVictim
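The two host-level indicators the post gives, the %AppData%\NvidiaDriver.exe persistence path and the hard-coded C2 socket, are simple to hunt for in endpoint telemetry. The script below is an added example, not code from the original post or from Zscaler; it assumes telemetry exported as one JSON object per line with `event`, `pid`, `image`, `dest_ip` and `dest_port` fields (a stand-in for whatever your EDR or Sysmon pipeline actually emits), and the sample events it runs over are constructed.

```python
"""Hunt for the InnfiRAT indicators named in the post across endpoint telemetry.

Added example, not part of the original post. The event format (one JSON
object per line with event/image/pid/dest_ip/dest_port fields) is an
assumption standing in for a real EDR or Sysmon export.
"""
import json

# Indicators taken from the post: the persistence file name and the C2 endpoint.
PERSISTENCE_NAME = "nvidiadriver.exe"
C2_HOST = "62.210.142.219"
C2_PORT = 17231

# %AppData% on Windows expands to C:\Users\<user>\AppData\Roaming.
APPDATA_MARKER = "\\appdata\\roaming\\"


def is_persistence_path(image):
    """True if the process image is NvidiaDriver.exe living under a user's %AppData%."""
    p = image.lower().replace("/", "\\")
    return APPDATA_MARKER in p and p.rsplit("\\", 1)[-1] == PERSISTENCE_NAME


def is_c2_connection(dest_ip, dest_port):
    """True if the destination matches the hard-coded C2 socket from the post."""
    return dest_ip == C2_HOST and int(dest_port) == C2_PORT


def hunt(lines):
    """Scan JSON-lines telemetry; return (pid, reason) for every matching event."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the hunt
        kind = ev.get("event")
        if kind == "process_create" and is_persistence_path(ev.get("image", "")):
            findings.append((ev.get("pid"), "persistence path: " + ev["image"]))
        elif kind == "network_connect" and is_c2_connection(ev.get("dest_ip"), ev.get("dest_port", 0)):
            findings.append((ev.get("pid"), f"C2 connection to {ev['dest_ip']}:{ev['dest_port']}"))
    return findings


# Constructed sample telemetry: two benign events and two that match the post's IoCs.
# 198.51.100.7 is a documentation-range address used as a benign placeholder.
SAMPLE_EVENTS = r'''
{"event": "process_create", "pid": 1188, "image": "C:\\Windows\\System32\\svchost.exe"}
{"event": "process_create", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Roaming\\NvidiaDriver.exe"}
{"event": "network_connect", "pid": 1188, "dest_ip": "198.51.100.7", "dest_port": 443}
{"event": "network_connect", "pid": 4120, "dest_ip": "62.210.142.219", "dest_port": 17231}
'''.splitlines()


def sample_findings():
    """Run the hunt over the constructed sample telemetry."""
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, reason in sample_findings():
        print(f"pid {pid}: {reason}")
```

Matching on the basename plus the `\AppData\Roaming\` marker, rather than a full path, keeps the rule independent of the username and of whether the telemetry normalises case or slashes; a genuine NVIDIA driver component has no reason to live in a user's roaming profile, so a hit on the path alone is worth triaging even without the network indicator.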

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
