A newly discovered remote access Trojan can steal various types of data from the infected machines, including personal data and cryptocurrency wallet information, Zscaler security researchers warn.
Dubbed InnfiRAT and written in .NET, the malware can not only gather sensitive information from the compromised machines, but was also designed to download additional payloads onto them.
When run, the malware first checks whether it is executed from %AppData% with the name NvidiaDriver.exe and sends a request to “iplogger[.]com/1HEt47" if not, likely in an attempt to check for network connectivity.
Next, it records all running processes and checks whether any of them are running with the name NvidiaDriver.exe. If it finds a match, it kills that process, Zscaler explains.
Next, the malware copies itself to %AppData%/NvidiaDriver.exe and executes from there before terminating the current process. After the path of file execution has been confirmed, it writes a Base64 encoded PE file in memory – a .NET executable that contains the actual functionality of the malware.
InnfiRAT performs multiple checks to detect the presence of a virtual machine, then obtains the country and HWID information of the machine it is running on.
Moreover, it obtains a list of all the processes running on the system to determine whether certain tools used for malware analysis are present, and terminates its process if any match is found. The threat also kills a series of browser-related processes.
Based on commands received from the command and control (C&C) server, the malware can perform a variety of tasks specific to backdoors.
Thus, it can download and execute files, collect network data (including geolocation), stea ..
Support the originator by clicking the read the rest link below.
