Zscaler ThreatLabZ team: Cybercriminals are spreading a new RAT, called InnfiRAT, which is written in .NET and designed to target cryptocurrency
Cybercriminals are spreading a new RAT, called InnfiRAT, which is written in .NET and designed to target cryptocurrency. It was discovered by cyber security experts from the Zscaler ThreatLabZ team. The malware looks for digital currency wallet information, such as Bitcoin and Litecoin wallets. It also grabs browser cookies, which can expose stored usernames and passwords as well as session data. In addition, the RAT has screenshot functionality, so it can capture information from open windows: for example, if the user is reading email, the malware takes a screenshot. It also checks which other applications are running on the system, such as an active antivirus program. InnfiRAT sends the collected data to its command-and-control (C&C) server and requests further instructions; the C&C can also instruct the malware to download additional payloads onto the infected system.
How the infection chain works according to the cyber security experts
According to the cyber security experts, the malware first checks whether it is running from the %AppData% directory under the name NvidiaDriver.exe. If not, it sends a web request to "iplogger[.]com/1HEt47" (possibly to check network connectivity), then records all running processes in an array, iterates through them and looks for any process named NvidiaDriver.exe. If one is found, the malware kills that process and waits for it to exit. The malicious code then copies itself to %AppData%\NvidiaDriver.exe, launches that copy from %AppData% and terminates the current process. Finally, once it has confirmed it is running from the expected path, it writes a Base64-encoded PE file into memory, decodes it back to its original form and loads it after changing the file's entry point. This second stage is also a .NET executable and contains the actual functionality of the malware.
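The embedded second stage described above, as an added triage example that is not part of the article or of Zscaler's analysis: a Python helper that scans a sample for long Base64 runs, keeps only the ones that decode to a PE image (DOS header plus PE signature), and then reports whether that PE carries a CLR runtime header, i.e. whether it is itself a .NET assembly like the InnfiRAT payload. The sample input is constructed inside the block (a minimal PE32 header skeleton, not a real or runnable binary), scanning UTF-16LE runs as well as ASCII is an assumption about how a .NET loader may store the string, and all function names are hypothetical.

```python
import base64
import re
import struct

# Added example, not the malware's or Zscaler's code: find a Base64-encoded PE
# embedded in a sample and tell whether the decoded PE is a .NET executable.

# Base64 alphabet runs of at least 64 chars, as plain ASCII or as UTF-16LE
# (assumption: .NET string literals live in the #US heap as UTF-16).
B64_ASCII = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
B64_UTF16 = re.compile(rb"(?:[A-Za-z0-9+/]\x00){64,}(?:=\x00){0,2}")


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_dotnet(blob: bytes) -> bool:
    """True if the optional header's CLR runtime directory (index 14) is non-empty."""
    if not looks_like_pe(blob):
        return False
    opt = struct.unpack_from("<I", blob, 0x3C)[0] + 4 + 20  # past signature + COFF header
    if opt + 2 > len(blob):
        return False
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == 0x10B:        # PE32
        n_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+
        n_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        return False
    clr_off = dirs_off + 14 * 8
    if clr_off + 8 > len(blob) or struct.unpack_from("<I", blob, n_dirs_off)[0] < 15:
        return False
    va, size = struct.unpack_from("<II", blob, clr_off)
    return va != 0 and size != 0


def extract_base64_pe(data: bytes) -> list:
    """Return [(offset, decoded_pe, is_dotnet)] for each embedded Base64 PE found."""
    candidates = [(m.start(), m.group(0)) for m in B64_ASCII.finditer(data)]
    candidates += [(m.start(), m.group(0).decode("utf-16-le").encode("ascii"))
                   for m in B64_UTF16.finditer(data)]
    hits = []
    for offset, run in candidates:
        run = run[:len(run) - len(run) % 4]  # Base64 comes in 4-char groups
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:                   # binascii.Error is a ValueError
            continue
        if looks_like_pe(decoded):
            hits.append((offset, decoded, is_dotnet(decoded)))
    return hits


def build_minimal_pe(dotnet: bool) -> bytes:
    """Constructed test data: a PE32 header skeleton, not a runnable binary."""
    e_lfanew = 0x80
    hdr = bytearray(e_lfanew)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    # COFF: i386, 1 section, no timestamp/symbols, 224-byte optional header, EXE|32-bit
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # CLR header RVA/size
    return bytes(hdr) + b"PE\x00\x00" + coff + bytes(opt)


def constructed_sample(dotnet: bool, utf16: bool) -> bytes:
    """Constructed stand-in for a dropper: filler bytes around an embedded Base64 PE."""
    b64 = base64.b64encode(build_minimal_pe(dotnet))
    if utf16:
        b64 = b64.decode("ascii").encode("utf-16-le")
    return b"\x00" * 16 + b"loader stub " + b64 + b"\x00" * 16


if __name__ == "__main__":
    for dotnet, utf16 in [(True, False), (False, True)]:
        for off, pe, net in extract_base64_pe(constructed_sample(dotnet, utf16)):
            print(f"offset={off:#x} decoded={len(pe)} bytes dotnet={net}")
```

On a real dropper the next step is to write each decoded blob to disk and open it in a .NET decompiler; the scan only catches payloads stored as one contiguous Base64 string, so a loader that splits or further obfuscates the string needs the string-building logic reversed first.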