The use of malware to steal vital information is not a new concept in the world today. However, it seems that this sub-culture of malware producers is constantly sharpening its swords, making its creations better adapted to survive on the victim's device.
The latest entry in the book is a malware dubbed InnfiRAT, which is specifically designed to wait in the dark and steal your cryptocurrency funds and other vital information. Discovered by the research team at Zscaler ThreatLabZ, InnfiRAT displays some characteristics more adapted than what we have seen before.
For starters, this malware is adapted enough to take a screenshot of your device without your knowledge. So you could be reading an email or logging into a site, and the RAT comes along to snitch on you.
Some other functions it performs include downloading files from specified URLs, collecting personal information (such as your IP address and location, including country, postal address, region, and city), collecting a list of your downloads, stealing cookie information from designated browsers (especially Opera Mini, Chrome, and Firefox), stealing vital information about your crypto wallets (Bitcoin (BTC) and Litecoin (LTC) precisely), stealing custom files, getting the list of running processes, killing designated processes (antivirus and others), and running specific commands.
How the Malware Works
Like most malware, InnfiRAT enters a victim's device via app downloads or links. Upon downloading an infected app or clicking on an infected link, the malware finds its way straight into your device and lurks around in the dark. I mean, you wouldn't see it there, but it is somewhere in the app.
Once inside the victim's device, the malware is said to replicate itself and then write a Base64-encoded PE file to help it begin the process.
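As an added example (not from the article or from the ThreatLabZ research), here is a defender-side scanner that finds Base64 runs decoding to a PE image, checking the DOS "MZ" signature and the "PE\0\0" signature at the e_lfanew offset. The input text and the PE header it contains are constructed stand-ins, not real malware.

```python
import base64
import binascii
import re
import struct

# Base64 runs of at least 64 characters, optionally padded.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with the DOS 'MZ' stub and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of NT headers
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_encoded_pe(blob: bytes) -> list:
    """Return (offset, decoded_size) for every Base64 run that decodes to a PE image."""
    hits = []
    for m in B64_RUN.finditer(blob):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # not clean Base64 (e.g. the run spilled into adjacent text)
        if looks_like_pe(decoded):
            hits.append((m.start(), len(decoded)))
    return hits


def build_fake_pe_header() -> bytes:
    """Constructed stand-in for a PE image: headers only, no code, not executable."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)   # DOS header up to e_lfanew (0x3C bytes)
    hdr += struct.pack("<I", 0x40)             # e_lfanew: NT headers begin at 0x40
    hdr += b"PE\x00\x00" + b"\x00" * 20        # NT signature plus padding
    return bytes(hdr)


def constructed_sample() -> bytes:
    """Constructed dropper-like text: one benign Base64 blob, then an encoded PE."""
    benign = base64.b64encode(b"\x00" * 72)
    return b"cfg=" + benign + b"; payload=" + base64.b64encode(build_fake_pe_header()) + b";"


if __name__ == "__main__":
    print(find_encoded_pe(constructed_sample()))   # [(110, 88)]
```

Decoding the whole run rather than matching the common "TVqQ" prefix avoids missing images whose DOS stub bytes differ.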
But first, it looks around for any running antivirus and turns it off. It also checks for any sandbox environment of the kind used to reverse-engineer malware. If one is found, it simply terminates its operation on the device. Otherwise, it continues with whatever tasks the controller has commanded it to perform.
For crypto-specific tasks, the malware first searches for the type of crypto wallet present, Bitcoin or Litecoin. Then it copies the existing information about the wallet and empties the wallet to the addresses set by the controller's backdoor. It is so well adapted to the task that you wouldn't know anything is going on until it finishes its operation.
More malware like this is being produced every day. Let's be extra careful about the sources we download apps from and the links we click on.