Researchers have documented the emergence of a new Trojan that specializes in the theft of cryptocurrency-related data.
Dubbed InnfiRAT, the malware includes many standard Trojan capabilities but will specifically lurk on infected systems in the quest for cryptocurrency wallet credentials.
In a blog post on Thursday, cybersecurity firm Zscaler said that InnfiRAT, written in .NET, is likely spread through phishing emails carrying malicious attachments or through drive-by downloads.
Once it lands on a vulnerable machine, the malware makes a copy of itself and hides it in the AppData directory, then writes a Base64-encoded PE file into memory to execute the Trojan's main functionality.
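A defender-side check motivated by that loader behaviour, added here as an example and not code from Zscaler's write-up or from the malware: scan a file, configuration blob or memory dump for Base64 runs that decode to something with a valid MZ/PE header pair. The sample buffer is constructed and synthetic, not an InnfiRAT artefact.

```python
from __future__ import annotations
import base64
import re
import struct

# Constructed sample, not the real InnfiRAT payload: a minimal PE-shaped blob
# (MZ stub, e_lfanew pointing at a "PE\0\0" signature) Base64-encoded and
# embedded in some surrounding bytes, the way a loader might store it.
def build_fake_pe() -> bytes:
    dos = bytearray(b"MZ" + b"\x00" * 62)             # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x80)           # e_lfanew = 0x80
    dos += b"\x00" * (0x80 - len(dos))                # pad up to the NT headers
    nt = b"PE\x00\x00" + b"\x64\x86" + b"\x00" * 18   # signature, Machine=AMD64
    return bytes(dos) + nt

SAMPLE = b"config=1;blob=" + base64.b64encode(build_fake_pe()) + b";end"

# Base64 alphabet runs long enough to hold at least a DOS header, plus padding
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew lands on PE\\0\\0."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_base64_pe(buf: bytes) -> list[dict]:
    """Return offset/length records for every Base64 run in buf that decodes to a PE."""
    hits = []
    for m in B64_RUN.finditer(buf):
        run = m.group(0)
        run += b"=" * (-len(run) % 4)                 # repair missing padding
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:                            # binascii.Error is a ValueError
            continue
        if looks_like_pe(decoded):
            hits.append({"offset": m.start(),
                         "encoded_len": len(m.group(0)),
                         "decoded_len": len(decoded)})
    return hits

if __name__ == "__main__":
    for hit in find_base64_pe(SAMPLE):
        print(f"Base64-encoded PE at offset {hit['offset']}, "
              f"{hit['decoded_len']} bytes decoded")
```

Hits on real data still need triage, since legitimate installers and .NET resources also embed Base64 PE images; the check narrows what to look at, it does not prove malice.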
InnfiRAT will first look for indicators of a sandbox environment, a common setup used by cybersecurity researchers when reverse-engineering malware samples. If found, the malware will terminate; if not, then the payload continues to execute.
System data, including the machine's country, processor type, PC vendor, machine name, and cache size, is scraped. InnfiRAT then contacts its command-and-control (C2) server, transfers the stolen machine information, and awaits further instructions.