Cybercriminals have increasingly turned to legitimate software installation frameworks as vehicles for malware distribution, with Inno Setup emerging as a preferred tool for threat actors seeking to bypass security controls.
This legitimate Windows installer framework, originally designed to simplify software deployment, has become a sophisticated delivery mechanism for information-stealing malware campaigns that target browser credentials and cryptocurrency wallets.
The malicious campaign exploits Inno Setup's Pascal scripting capabilities to create seemingly legitimate software installers that conceal multi-stage malware payloads.
Malicious Inno Setup Loader Campaign (Source: Splunk)
These weaponized installers masquerade as legitimate applications while executing complex infection chains that ultimately deploy RedLine Stealer, a widely distributed information-stealing malware known for harvesting sensitive data from compromised systems.
Recent analysis by Splunk researchers has identified a sophisticated attack chain that leverages multiple evasion techniques to avoid detection by security tools and sandbox environments.
The campaign demonstrates advanced tradecraft, using XOR encryption, anti-analysis measures, and legitimate system tools to maintain persistence and evade detection throughout the infection process.
The attack vector represents a significant evolution in malware distribution tactics, as threat actors abuse the inherent trust users place in software installers.
By leveraging legitimate frameworks like Inno Setup, attackers can distribute malware through various channels, including phishing campaigns, compromised software repositories, and malicious advertisements, without triggering immediate suspicion from users or security systems.
Advanced Evasion and Persistence Mechanisms
The malware's evasion strategy begins with its Pascal script implementation, which uses XOR encryption to obfuscate critical strings and commands.
Upon execution, the installer performs comprehensive environment analysis using Windows Management Instrumentation (WMI) queries, specifically executing Select * From Win32_Process Where Name= to identify processes associated with malware analysis tools.
If analysis tools are detected, the installer immediately terminates to avoid investigation.
HijackLoader and Final Payload Decryption Routine (Source: Splunk)
The campaign employs multiple layers of sandbox evasion, including filename pattern matching and system profiling.
The malware checks for specific substrings in the installer's filename, such as "application_stable_release," before proceeding with payload delivery.
Additionally, it executes WMI queries like SELECT * FROM Win32_Processor and SELECT * FROM Win32_ComputerSystem to gather system information and identify virtual machine environments commonly used for malware analysis.
For persistence, the malware creates hidden scheduled tasks using the command schtasks /Create /xml %temp%\lang WhatsAppSyncTaskMachineCore /f.
The payload is extracted to %APPDATA%\Roaming\control\Explore and configured to execute automatically upon system reboot.
The infection chain culminates in DLL side-loading, where a legitimate application (ScoreFeedbackTool.exe) loads a trojanized QtGuid4.dll, which then decrypts and executes the HijackLoader component that ultimately injects RedLine Stealer into a spawned MSBuild.exe process, effectively hiding the malicious payload inside a legitimate Windows development tool.
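The persistence and side-loading steps above leave a recognisable footprint in process-creation telemetry. The following is an added example, not Splunk's detection content or anything from the article: three simple rules run over constructed Sysmon-style Event ID 1 records, flagging schtasks importing a task XML from the temp directory, MSBuild.exe launched by an unexpected parent, and execution from the reported drop path. The parent whitelist and the sample records are assumptions for illustration.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /Create /xml %temp%\lang WhatsAppSyncTaskMachineCore /f",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\is-ABC12.tmp\application_stable_release.tmp"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": "MSBuild.exe",
     "ParentImage": r"C:\Users\u\AppData\Roaming\control\Explore\ScoreFeedbackTool.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": "MSBuild.exe app.csproj",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /Query /tn Backup",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# "schtasks /Create ... /xml <file under %temp%>": the task definition is imported from a
# temp-directory XML file. Accept both the unexpanded variable and an expanded ...\Temp\
# path, since telemetry may record either form.
SCHTASKS_XML_FROM_TEMP = re.compile(r"/create\b.*?/xml\s+(?:%temp%|\S*\\temp)\\", re.I)

# Parents from which MSBuild.exe is normally launched; an assumption, tune per environment.
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}

# Directory the article reports as the payload drop location (case-folded for matching).
DROP_PATH_FRAGMENT = "\\control\\explore\\"


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the detection rules this event matches (empty if none)."""
    hits = []
    image_path, parent_path = event.get("Image", ""), event.get("ParentImage", "")
    image, parent = _basename(image_path), _basename(parent_path)
    if image == "schtasks.exe" and SCHTASKS_XML_FROM_TEMP.search(event.get("CommandLine", "")):
        hits.append("schtasks_xml_from_temp")
    if image == "msbuild.exe" and parent not in EXPECTED_MSBUILD_PARENTS:
        hits.append("msbuild_unexpected_parent")
    if any(DROP_PATH_FRAGMENT in p.lower() for p in (image_path, parent_path)):
        hits.append("execution_from_drop_path")
    return hits


def scan(events):
    """Return (index, hits) for every event that matches at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], hits)
```

Each rule is weak on its own (developers do launch MSBuild from scripts); the value is in correlating two or more hits on one host within a short window.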