New Bitcoin Wallet-Focused Trojan Uncovered by Security Researchers

A new Remote Access Trojan (RAT) malware that steals Bitcoin (BTC) wallet data has been discovered by security researchers, according to a Sept. 12 report from Zscaler ThreatLabZ.  

The RAT, dubbed InnfiRAT, is designed to perform a wide range of tasks on the infected machines, including specifically seeking out Bitcoin and Litecoin (LTC) wallet data.

A multi-pronged attack on infected systems

As the researchers note, InnfiRAT is written in .NET, a software framework developed by Microsoft and used to develop a wide range of applications. 

The malware is designed to access and steal personal data stored on victims’ computers, grabbing browser cookies to harvest stored usernames, passwords and session data. It can also take screenshots to capture information from open windows and scour the system for other running applications to target.

Once collected, the data is sent to a command-and-control (C&C) server, requesting further instructions, which can include downloading additional payloads onto the infected system. 

Zscaler ThreatLabZ details how the RAT is designed to retrieve Bitcoin wallet data as follows:

“The malware creates an empty list of the BitcoinWallet type where BitcoinWallet has two keys, namely:

‘WalletArray’

‘WalletName’

A check is performed to see if a file for a Litecoin or Bitcoin wallet is present in the system at the following location:

Litecoin: %AppData%\Litecoin\wallet.dat

Bitcoin: %AppData%\Bitcoin\wallet.dat

If it is found, then the element of type BitcoinWallet is added to the list after assigning a name to the WalletName key and reading the corresponding wallet file in the WalletArray key.

Finally, the created list is sent in response to the C&C server.”
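A defender-side counterpart to the routine quoted above, added here as an example and not taken from the Zscaler report: it places an audit rule on the two wallet.dat paths the report names, so that any process reading them is recorded in the Windows Security log (Event ID 4663) once the "Audit File System" policy subcategory is enabled. The default %AppData% locations are assumed.

```powershell
# Added example (not from the Zscaler report): turn on read auditing for the
# wallet.dat files named in the report. Assumes default %AppData% locations.
# Requires an elevated session (modifying a SACL needs SeSecurityPrivilege).

$walletPaths = @(
    (Join-Path $env:APPDATA 'Bitcoin\wallet.dat'),
    (Join-Path $env:APPDATA 'Litecoin\wallet.dat')
)

foreach ($path in $walletPaths) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Host "Not present, skipping: $path"
        continue
    }

    # Log every successful ReadData access by any principal. ReadData is the
    # right granularity because the report describes the file being read whole.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList 'Everyone', 'ReadData', 'Success'

    # -Audit retrieves the SACL as well as the DACL; Set-Acl writes both back.
    $acl = Get-Acl -LiteralPath $path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl
    Write-Host "Audit rule set on: $path"
}

# The SACL only yields events when the policy subcategory is enabled:
#   auditpol /set /subcategory:"File System" /success:enable
# Afterwards, filter the Security log for Event ID 4663 with an Object Name
# ending in \wallet.dat to see which process (Process Name field) read the file.
```

Reads by the wallet software itself will also be logged, so the useful signal is a 4663 event whose Process Name is not the expected wallet client.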

Caution against untrusted sources

In conclusion, the security researchers warn of the prevalence of RATs such as InnfiRAT, which can be designed not only to access and steal confidential data but also to log keystrokes, activate a system's webcam, format drives and spread to other systems on a given network.

They note that systems are usually infected by a RAT by downloading infected applications or email attachments, warning users not to download programs or open attachments from unknown sources.

As reported this summer, Zscaler ThreatLabZ had previously published its discovery of another RAT called Saefko, also written in .NET and designed to retrieve browser history and look for activities including cryptocurrency transactions.
