InnfiRAT is a .NET-based remote access trojan (RAT) primarily targeting cryptocurrency wallet data and related financial information. The Zscaler ThreatLabZ team came across this new RAT and named it InnfiRAT.
At the time of publication, it is unclear how InnfiRAT is delivered, although there are unconfirmed reports indicating it is distributed via spam or phishing campaigns.
When executed, InnfiRAT checks whether it is running from the %AppData% folder under the name NvidiaDriver.exe. If it is not, it copies itself to that location and terminates any conflicting processes before continuing. It then checks for the presence of several virtualisation-related processes and terminates itself if any are found, before installing its primary modules. That anti-analysis check matters for detonation: a sandbox whose guest tooling is visible in the process list will see the sample exit before it installs anything.
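The install location and image name above are the most concrete host artefact the report gives, so they are a natural hunting check. The following is an added example written for this page, not code from Zscaler or from the malware: it classifies process records by whether the image is NvidiaDriver.exe and whether it sits directly in the user's %AppData% folder. The process list and the %AppData% path are constructed sample data; on a live host they would come from tasklist, psutil or EDR telemetry. The second tier (same image name outside %AppData%, flagged as a possible pre-install stage) is the editor's heuristic, not something the report states.

```python
"""Hunt for the InnfiRAT install artefact: NvidiaDriver.exe running from %AppData%.

Example code added by the editor; not from the Zscaler report or the malware.
"""
import ntpath
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Image name the report says the RAT copies itself to. Windows file names are
# case-insensitive, so everything is compared in normalised lower case.
SUSPECT_IMAGE = "nvidiadriver.exe"


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    image_path: str  # full path to the executable image


@dataclass(frozen=True)
class Hit:
    pid: int
    image_path: str
    reason: str


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison: canonical separators, lower case."""
    return ntpath.normcase(ntpath.normpath(path))


def classify(record: ProcessRecord, appdata_dir: str) -> Optional[Hit]:
    """Return a Hit if the record matches the reported artefact, else None."""
    directory, name = ntpath.split(_norm(record.image_path))
    if name != SUSPECT_IMAGE:
        return None
    if directory == _norm(appdata_dir):
        return Hit(record.pid, record.image_path,
                   "NvidiaDriver.exe running from %AppData% "
                   "(matches reported InnfiRAT install path)")
    # Same image name but not directly in %AppData%: the RAT's first run is from
    # wherever it was dropped, so this is still worth a look. Editor's heuristic,
    # not a behaviour the report states.
    return Hit(record.pid, record.image_path,
               "NvidiaDriver.exe not directly in %AppData%; possible pre-install stage")


def hunt(records: Iterable[ProcessRecord], appdata_dir: str) -> List[Hit]:
    """Classify every record and return only the hits, in input order."""
    return [h for h in (classify(r, appdata_dir) for r in records) if h is not None]


# Constructed sample data, not real telemetry.
APPDATA = r"C:\Users\alice\AppData\Roaming"  # what %AppData% expands to for this user

SAMPLE_PROCESSES = [
    ProcessRecord(1204, r"C:\Windows\System32\svchost.exe"),
    ProcessRecord(3388, r"C:\Users\alice\AppData\Roaming\NvidiaDriver.exe"),
    ProcessRecord(4412, r"c:/users/alice/appdata/roaming/NVIDIADRIVER.EXE"),  # odd case and slashes
    ProcessRecord(5120, r"C:\Users\alice\Downloads\Invoice\NvidiaDriver.exe"),
    ProcessRecord(6001, r"C:\Users\alice\AppData\Roaming\Sub\NvidiaDriver.exe"),  # subfolder only
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_PROCESSES, APPDATA):
        print(f"pid={hit.pid} {hit.image_path}: {hit.reason}")
```

Normalising with ntpath rather than os.path keeps the comparison Windows-correct even when the script is run on an analysis box that is not Windows; the odd-case record with forward slashes is there to show that the match does not depend on how the telemetry source rendered the path.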
Once installed, InnfiRAT collects system information and sends it to a command and control (C2) server. It then attempts to extract credentials from a hard-coded list of cryptocurrency wallets, and harvests any TXT files below a size limit. InnfiRAT can also extract user information from web browsers, take screenshots, monitor keystrokes, and install secondary payloads.
Further details can be found here – https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptocurrency-and-more
Indicators of Compromise