Remote Access Trojans (RATs) are among the most versatile tools in the cybercriminal's arsenal. They are usually packed with features and give their operators complete control over the victim's machine. In addition, they support modules that execute specific operations, allowing the attacker to collect particular files or data from the infected machine. InnfiRAT is one of the newer RAT projects to be spotted in the wild, and it appears to have dedicated modules for collecting cryptocurrency wallets and cookies from the victim's machine. Of course, it also packs many of the other features you would expect to see in a Remote Access Trojan.

InnfiRAT may be a Private Hacking Tool

Software like this is often sold on hacking forums, but we have yet to encounter any advertisements promoting InnfiRAT's features. This may mean that the project is meant to be used privately, by a single group of criminals. Regardless of their plans, it is clear that InnfiRAT is an advanced project with modules dedicated to evading anti-virus engines, sandboxes and malware analysis tools. Upon execution, it performs a series of checks to ensure that it is not running in a controlled environment. Furthermore, it looks for the process names used by specific malware analysis tools and terminates them. Last but not least, it plants its files in the %APPDATA% folder and disguises itself as 'NvidiaDriver.exe'.

Attackers may Try to Collect Files Containing Information

If the attack goes without a hitch, InnfiRAT will connect to the control server and wait for the attacker’s commands. The version of InnfiRAT seen in the wild appears to support a wide range of commands that would enable the attackers to execute the following tasks:

  • Download and run files from the Internet.
  • Collect a system fingerprint (hardware, software, network configuration, workgroup, etc.).
  • Collect cookies from popular Web browsers (Orbitum, Yandex, Opera, Mozilla, Chrome, Kometa, Amigo, Torch and others).
  • Scan the ‘Desktop’ folder for ‘.txt’ files that are under 2MB in size and transfer them to the attacker’s server.
  • Enumerate running processes and allow the attacker to kill them at will.
  • Collect '.wallet' files associated with Bitcoin and Litecoin wallets.
  • Take screenshots of the desktop or the currently active window and send them to the control server.
  • Use the Windows Command Prompt to execute commands.
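The two observable behaviours described above (the 'NvidiaDriver.exe' drop under %APPDATA% from the previous section, and the sweep of Desktop '.txt' files under 2MB, '.wallet' files and browser cookie stores from this list) can be turned into a simple hunting check. The script below is an added example, not code from the original article or from the InnfiRAT analysis; the Sysmon-style "process|path|size" event format, the sample events, the cookie-store file names (Chromium's "Cookies", Firefox's "cookies.sqlite") and the alerting thresholds are all assumptions made for the example.

```python
"""Added example: hunt constructed file-access telemetry for InnfiRAT-like
behaviour. Event format, sample data and thresholds are assumptions."""
from __future__ import annotations

import ntpath
from collections import Counter, defaultdict
from dataclasses import dataclass

TWO_MB = 2 * 1024 * 1024  # size cap the article gives for harvested Desktop .txt files

# Constructed, Sysmon-style file events (not real telemetry):
# "<process image>|<file touched>|<file size in bytes>"
SAMPLE_EVENTS = r"""
C:\Users\alice\Downloads\setup.exe|C:\Users\alice\AppData\Roaming\NvidiaDriver.exe|412160
C:\Windows\explorer.exe|C:\Users\alice\Desktop\todo.txt|300
C:\Users\alice\AppData\Roaming\NvidiaDriver.exe|C:\Users\alice\Desktop\passwords.txt|2048
C:\Users\alice\AppData\Roaming\NvidiaDriver.exe|C:\Users\alice\Desktop\notes.txt|512
C:\Users\alice\AppData\Roaming\NvidiaDriver.exe|C:\Users\alice\Desktop\archive.txt|5242880
C:\Users\alice\AppData\Roaming\NvidiaDriver.exe|C:\Users\alice\AppData\Roaming\Litecoin\main.wallet|131072
C:\Users\alice\AppData\Roaming\NvidiaDriver.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies|65536
C:\Program Files\NVIDIA Corporation\Display\nvcontainer.exe|C:\ProgramData\NVIDIA\log.txt|1024
"""


@dataclass(frozen=True)
class FileEvent:
    process: str  # image path of the process that touched the file
    path: str     # file touched
    size: int     # file size in bytes at the time of the event


def parse_events(text: str) -> list[FileEvent]:
    """Parse the assumed 'process|path|size' line format, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        process, path, size = line.split("|")
        events.append(FileEvent(process, path, int(size)))
    return events


def is_planted_nvidia_driver(path: str) -> bool:
    """The article's drop location: 'NvidiaDriver.exe' under %APPDATA%.
    A genuine NVIDIA binary lives under Program Files or System32, not AppData."""
    lowered = path.lower()
    return ntpath.basename(lowered) == "nvidiadriver.exe" and "\\appdata\\" in lowered


def classify_target(path: str, size: int) -> str | None:
    """Map a touched file to one of the collection categories the article lists."""
    lowered = path.lower()
    name = ntpath.basename(lowered)
    ext = ntpath.splitext(name)[1]
    if "\\desktop\\" in lowered and ext == ".txt" and size < TWO_MB:
        return "desktop_txt"
    if ext == ".wallet":
        return "wallet"
    if name in ("cookies", "cookies.sqlite"):  # Chromium / Firefox cookie stores (assumed)
        return "cookies"
    return None


def hunt(events: list[FileEvent], min_categories: int = 2, min_desktop_txt: int = 3) -> dict:
    """Flag the planted binary, processes running from it, and processes whose
    file accesses span several collection categories (thresholds are assumptions)."""
    planted = [e.path for e in events if is_planted_nvidia_driver(e.path)]
    running_from_drop = sorted({e.process for e in events if is_planted_nvidia_driver(e.process)})
    per_process: dict[str, Counter] = defaultdict(Counter)
    for e in events:
        category = classify_target(e.path, e.size)
        if category:
            per_process[e.process][category] += 1
    collectors = {
        proc: dict(counts)
        for proc, counts in per_process.items()
        if len(counts) >= min_categories or counts["desktop_txt"] >= min_desktop_txt
    }
    return {"planted": planted, "running_from_drop": running_from_drop, "collectors": collectors}


if __name__ == "__main__":
    result = hunt(parse_events(SAMPLE_EVENTS))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run as-is, the script reports the dropped 'NvidiaDriver.exe' path, the process executing from it, and that same process as the only collector (two Desktop .txt files under the 2MB cap, one .wallet file, one cookie store), while explorer.exe's single Desktop .txt access and the legitimate NVIDIA process fall below the thresholds.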

There is no reliable information about the infection vectors the authors of InnfiRAT may use to spread their threatening application. It is recommended to stay away from shady websites, pirated media and software, email attachments from unknown senders and downloads from unknown websites. Furthermore, you should protect your computer by running an up-to-date version of a reputable anti-virus suite.
