Zscaler experts published a report about Malvari InnfiRAT, which specializes in cryptocurrency theft.
For the first time this malware was seen Information security specialists back in 2017, but only now, researchers have subjected it to a detailed analysis. This .NET-written threat is known to spread through phishing emails containing malicious attachments or links to downloaded files.
Having penetrated the victim’s machine, InnfiRAT copies itself to% AppData% under the guise of NvidiaDriver.exe, and then puts a PE file (Base64) in the memory, which is decoded into the binary directly involved in malicious activity. The system also creates a scheduled task for daily execution of the payload from the NvidiaDriver.exe file (in case of detection and elimination of infection).
Before starting work, the trojan checks whether it is running in the sandbox and on the virtual machine. If everything is in order, the trojan determines the HWID of the machine and the user's country of residence. This data is transferred to the management server, and the Malware waits for further instructions.
Malicious operators may order InnfiRAT to search for certain processes and terminate them, including the Chrome, Yandex, Kometa, Amigo, Torch, Orbitum, Opera, and Mozilla browsers. Obviously, this is done in order to unlock user profiles and simplify data collection. In addition, the malware detects monitoring tools such as Taskmgr, Process Hacker, Process Explorer and Process Monitor, and also terminates their work.
InnfiRAT is able to use additional payloads, steal files and capture browser cookies to collect stored credentials. In addition, the trojan can take screenshots and complete the processes of anti-virus products. However, the main goal of the Malvari remains cryptocurrency, including Bitcoin and Litecoin. In search of wallets and wallet.dat files, the Trojan scans% AppData% Litecoin and% AppData% Bitcoin and immediately transfers all the information it finds to the management server.
In addition to the above, InnfiRAT operators can also send their malvari the following commands:
- SendUrlAndExecute (string URL) – download the file from the specified URL and execute it;
- ProfileInfo ()– collect and filter information about the network, location and equipment;
- Loadlogs () – write files to specific folders;
- Loadprocesses () – get a list of running processes and transfer to a remote server;
- Kill (int process) – eliminate a certain process on the victim’s computer;
- RunCommand (string command) – execute an arbitrary command on the victim's computer;
- ClearCooks () – clear cookies for a specific browser.