In the researcher’s blog post, InnfiRAT is described as .NET malware. Before doing anything else, it checks whether it is running on an isolated antivirus testing machine, which helps it evade antivirus analysis. Once it reaches its target, the malware executes various predefined actions to steal personal information and any information about the user’s cryptocurrency.
What does the malware do upon entering the user’s system?
The first thing the malware does is send the user’s device information to its command and control (C&C) server, after which it receives further instructions. It usually shares the following details: device ID, serial number, device manufacturer, processor ID, number of cores, number of logical processors, etc. The malware collects this information through the RAT’s anti-VM checks.

In addition, the malware collects browser cookies to gain access to the user’s saved login credentials. It also takes screenshots of the user’s activity and kills any process that could interfere with it, such as antivirus. Some of the predefined actions include killing existing processes such as Task Manager, Process Hacker, Chrome, Firefox, etc. It executes these scheduled actions through a CMD command and routinely sends the user’s data to the C&C server.

However, the main function of the malware is to collect cryptocurrency data. It does so by looking for the “%AppData%\Litecoin\wallet.dat” or “%AppData%\Bitcoin\wallet.dat” files on the system. Once found, the file contents are sent to the server, and the attacker steals the user’s cryptocurrency.
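Two of the behaviours above leave footprints a defender can look for in endpoint telemetry: a CMD-launched kill of analysis tools or browsers, and a read of a wallet.dat file under %AppData% by a process that is not a wallet client. The script below is an added example, not code from the researcher’s post or from the malware; it runs two such detection rules over a few constructed event lines. The log format (`event_type|process|detail`), the `taskkill /IM` syntax for the kill command (the post only says “a CMD command”), and the allow-listed wallet client names are assumptions.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events (not from the post). Format is an assumption:
#   ProcessCreate|<image path>|<command-line arguments>
#   FileRead|<reading process path>|<file path>
SAMPLE_EVENTS = [
    "ProcessCreate|C:\\Windows\\System32\\cmd.exe|/c taskkill /F /IM taskmgr.exe",
    "ProcessCreate|C:\\Windows\\System32\\cmd.exe|/c taskkill /F /IM ProcessHacker.exe",
    "ProcessCreate|C:\\Windows\\System32\\cmd.exe|/c taskkill /F /IM chrome.exe",
    "ProcessCreate|C:\\Windows\\System32\\cmd.exe|/c echo hello",
    "FileRead|C:\\Users\\alice\\AppData\\Roaming\\Temp\\svc.exe|C:\\Users\\alice\\AppData\\Roaming\\Bitcoin\\wallet.dat",
    "FileRead|C:\\Program Files\\Litecoin\\litecoin-qt.exe|C:\\Users\\alice\\AppData\\Roaming\\Litecoin\\wallet.dat",
    "FileRead|C:\\Windows\\notepad.exe|C:\\Users\\alice\\Documents\\notes.txt",
]


@dataclass
class Alert:
    rule: str
    severity: str
    event: str


# Processes the post says the malware terminates. Killing analysis tools is a
# strong signal; killing browsers is weaker because users close them all the time.
ANALYSIS_TOOLS = {"taskmgr.exe", "processhacker.exe"}
BROWSERS = {"chrome.exe", "firefox.exe"}

# Assumed legitimate readers of wallet.dat (the Bitcoin Core / Litecoin Core GUIs).
WALLET_CLIENTS = {"bitcoin-qt.exe", "litecoin-qt.exe"}

# Assumption: the kill is issued as "taskkill ... /IM <image name>".
TASKKILL_RE = re.compile(r"taskkill\b.*?/IM\s+(\S+)", re.IGNORECASE)

# %AppData% expands to ...\AppData\Roaming on a default Windows install.
WALLET_RE = re.compile(
    r"\\AppData\\Roaming\\(Bitcoin|Litecoin)\\wallet\.dat$", re.IGNORECASE
)


def parse_event(line: str):
    """Split an event line into (event_type, process, detail), padding missing fields."""
    parts = line.split("|", 2)
    parts += [""] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def check_event(line: str) -> Optional[Alert]:
    """Return an Alert if the event matches one of the two rules, else None."""
    event_type, process, detail = parse_event(line)
    image = ntpath.basename(process).lower()

    # Rule 1: cmd.exe used to terminate analysis tools or browsers.
    if event_type == "ProcessCreate" and image == "cmd.exe":
        m = TASKKILL_RE.search(detail)
        if m:
            victim = m.group(1).lower()
            if victim in ANALYSIS_TOOLS:
                return Alert("kill-analysis-tool", "high", line)
            if victim in BROWSERS:
                return Alert("kill-browser", "medium", line)

    # Rule 2: wallet.dat read by something other than a known wallet client.
    if event_type == "FileRead" and WALLET_RE.search(detail):
        if image not in WALLET_CLIENTS:
            return Alert("wallet-file-access", "high", line)

    return None


def scan(lines: List[str]) -> List[Alert]:
    """Run both rules over every event line and collect the alerts."""
    return [a for a in (check_event(ln) for ln in lines) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.rule}: {alert.event}")
```

On the constructed input, the `echo` command and the notepad read produce nothing, the `litecoin-qt.exe` read of its own wallet is allow-listed, and the remaining four events are flagged. In a real deployment the two rules would be fed from Sysmon or EDR process-creation and file-access events rather than from an in-memory list.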
How to Stay Safe from the Malware?
Well, InnfiRAT is a RAT (remote access trojan), and it enters your system through phishing emails or unauthorized apps. Hence, stay away from suspicious emails and apps, and your data will be just fine.