InnfiRAT malware lurks in your machine to steal cryptocurrency wallet data

The new Trojan will also harvest information from open browser sessions.
Written by Charlie Osborne, Contributing Writer

Researchers have documented the emergence of a new Trojan that specializes in the theft of cryptocurrency-related data. 

Dubbed InnfiRAT, the malware includes many standard Trojan capabilities but will specifically lurk on infected systems in the quest for cryptocurrency wallet credentials. 

In a blog post, cybersecurity firm zScaler said on Thursday that InnfiRAT, written in .NET, is likely spread through phishing emails containing malicious attachments or drive-by downloads. 

See also: DanaBot banking Trojan jumps from Australia to Germany in quest for new targets

Once it lands on a vulnerable machine, the malware will make a copy of itself and hide it in the AppData directory before writing a Base64 encoded PE file in memory to execute the main functionality of the Trojan. 

InnfiRAT will first look for indicators of a sandbox environment, a common setup used by cybersecurity researchers when reverse-engineering malware samples. If found, the malware will terminate; if not, then the payload continues to execute. 

System data, including the country of the machine, processor type, PC vendor, name, and cache size is scraped. InnfiRAT will then contact its command-and-control (C2) server, transfer the stolen machine information, and await further instructions.

Among these instructions is the command to obtain a list of all running processes in an infected system, including those with the strings "chrome," "browser," "firefox," and "opera." The malware will terminate any that match. 

CNET: Spotify wants to know where you live and will be checking in

InnfiRAT can deploy additional malicious payloads, steal files, and grab browser cookies to harvest stored username and password credentials for online services. In addition, the Trojan can screenshot open sessions and shut down traditional antivirus processes.

In the quest for cryptocurrency, InnfiRAT will scan for information relating to cryptocurrency including Bitcoin (BTC) and Litecoin (LTC) wallets by checking for %AppData%\Litecoin\wallet.dat and %AppData%\Bitcoin\wallet.dat. If they are present, the malware will siphon existing data that can be used to compromise these wallets and potentially steal virtual funds. 

Cryptocurrency remains a lucrative channel for cybercriminals to generate illicit profit and InnfiRAT is only one of many forms of malware that now include cryptocurrency-related theft or exploit modules. 

TechRepublic: How data breaches are hurting small businesses

PsiXBot has recently been upgraded to include Google's DNS over HTTPS service, and once on a target machine, will monitor the clipboard for wallet credentials used to store Bitcoin, Etherium, Monero, and Ripple.

Another interesting form of cryptojacking malware, dubbed Bird Miner, emulates Linux on Mac machines while running XMRig. The malware harnesses the CPU power of victims to covertly mine Monero (XMR) and sends the proceeds to wallets controlled by its operators. 

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards