According to a Sept. 12 article from Zscaler ThreatLabZ, security researchers have found a new Remote Access Trojan (RAT) that steals Bitcoin (BTC) wallet information.
The RAT, named InnfiRAT, is designed to perform a variety of functions on infected computers, including specifically searching for Bitcoin and Litecoin (LTC) wallet information.

Multiple attacks on infected devices

As the researchers note, InnfiRAT is written in .NET, a Microsoft-developed software framework used to build a broad range of applications. The malware is designed to access and steal personal data stored on victims' PCs, grabbing browser cookies to steal stored usernames and passwords, as well as session data.
It can also take screenshots to steal data from open windows and scan the system for other running applications to target. Once the information has been collected, it is sent to a command-and-control (C&C) server, which may respond with further instructions, including downloading additional payloads to the infected device.
Zscaler ThreatLabZ describes how the RAT collects Bitcoin wallet information as follows:
“The malware creates an empty list of the BitcoinWallet type where BitcoinWallet has two keys, namely:
‘WalletArray’
‘WalletName’
A check is performed to see if a file for a Litecoin or Bitcoin wallet is present in the system at the following location:
Litecoin: %AppData%\Litecoin\wallet.dat
Bitcoin: %AppData%\Bitcoin\wallet.dat
If it is found, then the element of type BitcoinWallet is added to the list after assigning a name to the WalletName key and reading the corresponding wallet file in the WalletArray key. Finally, the created list is sent in response to the C&C server.”
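The two wallet paths named above are fixed, which makes them a useful hunting signal for defenders: a legitimate wallet client is the only process that should normally touch wallet.dat. The following detection script is an added example, not code from Zscaler's article or from the malware; it assumes file-access events arrive in a key=value layout with Image, TargetFilename and User fields (as an EDR agent or Windows object-access auditing on those paths might supply), and that the allowlist of wallet-client process names is adjusted to the clients actually deployed. The sample events are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Wallet file locations named in the Zscaler write-up, matched as lower-case
# path suffixes because the %AppData% prefix expands differently per user.
WALLET_SUFFIXES = (
    "\\bitcoin\\wallet.dat",
    "\\litecoin\\wallet.dat",
)

# Assumed allowlist: processes expected to open these files legitimately.
# Tune this to the wallet software actually present in your environment.
ALLOWED_PROCESSES = {
    "bitcoin-qt.exe", "bitcoind.exe", "litecoin-qt.exe", "litecoind.exe",
}

# Constructed sample file-access events (not real telemetry). Values may
# contain spaces, so the parser looks ahead for the next "Key=" token.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\Bitcoin\\bitcoin-qt.exe "
    "TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Bitcoin\\wallet.dat User=CORP\\alice",
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe "
    "TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Bitcoin\\wallet.dat User=CORP\\alice",
    "Image=C:\\Windows\\explorer.exe "
    "TargetFilename=C:\\Users\\alice\\Documents\\notes.txt User=CORP\\alice",
    "Image=C:\\Users\\bob\\Downloads\\invoice.exe "
    "TargetFilename=C:\\Users\\bob\\AppData\\Roaming\\Litecoin\\wallet.dat User=CORP\\bob",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass
class Alert:
    image: str   # full path of the process that touched the wallet file
    target: str  # the wallet file that was accessed
    user: str    # account the process ran as


def parse_event(line: str) -> dict:
    """Split one key=value event line into a dict; values may contain spaces."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def is_wallet_path(path: str) -> bool:
    """True when the path ends in one of the known wallet.dat locations."""
    lowered = path.lower()
    return any(lowered.endswith(suffix) for suffix in WALLET_SUFFIXES)


def detect(lines) -> list:
    """Return an Alert for every wallet.dat access by a non-allowlisted process."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        target = event.get("TargetFilename", "")
        if not is_wallet_path(target):
            continue
        image = event.get("Image", "")
        process_name = image.rsplit("\\", 1)[-1].lower()
        if process_name in ALLOWED_PROCESSES:
            continue
        alerts.append(Alert(image=image, target=target, user=event.get("User", "")))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"ALERT: {alert.user} -> {alert.image} read {alert.target}")
```

Matching on the process name alone is deliberately simple; the second sample event shows why the image path is kept in the alert: a binary called svchost.exe running from a user's Temp directory is a stronger signal than the file name suggests, and an analyst triaging the alert needs the full path to see it. Extending the rule with a check on the expected installation directory of each allowlisted client is the obvious next step.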
Beware of untrusted sources

Security researchers warn of the prevalence of RATs such as InnfiRAT, which can be designed not only to access and steal personal information but also to log keystrokes, activate a system's webcam, format disks, and spread to other devices on the network. They note that devices are typically infected with a RAT by downloading infected applications or email attachments, and warn users not to run programs or open attachments from unknown sources. As reported this summer, Zscaler ThreatLabZ had earlier published research on another RAT, called Saefko, also written in .NET and designed to collect browser history and look for activity including cryptocurrency transactions.