
InnoSetup (Trojan) – Malware

December 4, 2024
in Malware

InnoSetup (tracked by ASEC as InnoLoader)

Type of Malware: Dropper / loader
Country of Origin: Unknown
Date of Initial Activity: Unknown
Motivation: Financial Gain
Associated Groups: Unknown
Attack Vectors: Phishing
Targeted Systems: Windows

Overview

Inno Setup is a legitimate, widely used open-source installer framework for Windows. The malware profiled here abuses that framework rather than exploiting a flaw in it: AhnLab Security Intelligence Center (ASEC) identified the family and calls it InnoLoader. Unlike malware that runs its payload the moment it is executed, InnoLoader presents a normal-looking installation wizard and performs its malicious actions only after the user clicks through the installer prompts, so a cursory look, or an automated run that never clicks through, shows nothing unusual.

The distribution mechanism is what sets it apart. Instead of serving a fixed sample, the download site builds a new file for every download request. Each copy has a different hash but identical functionality. A hash-based blocklist or a one-off hash lookup therefore matches only the single copy that was submitted, and a hash shared as an indicator is stale by the time it is published. Tracking and blocking the family has to rely on behaviour (what the installer does after the click) or on structural similarity between copies rather than on file hashes.
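Why a per-download hash defeats blocklisting, and a similarity check that still groups the copies, as an added example (not code from the page or from ASEC). The byte strings stand in for installer files and are constructed; the assumption that the builder varies only a junk region is this example's own, since the page says only that the hash changes and the functionality does not. The names `make_core`, `build_download`, `jaccard` and `triage` are invented here.

```python
"""
Added example, not code from the page or from ASEC: a SHA-256 blocklist
against a sample that is rebuilt per download, next to a byte-shingle
similarity score that still groups such rebuilds. All "samples" are
constructed byte strings, not real files.
"""
import hashlib
import random

SHINGLE_LEN = 8          # bytes per shingle
SIMILAR_THRESHOLD = 0.8  # tune against your own corpus; 0.8 suits this toy data


def make_core(seed: int = 0, size: int = 4096) -> bytes:
    """Deterministic stand-in for the part of the installer that is identical
    across downloads (the functional payload)."""
    rnd = random.Random(seed)
    return bytes(rnd.getrandbits(8) for _ in range(size))


def build_download(core: bytes, download_id: int, junk_len: int = 256) -> bytes:
    """Simulate one 'fresh sample per download'. Assumption for this example:
    a per-download junk region is what changes; the page only says that the
    hash differs and the functionality does not."""
    rnd = random.Random(download_id)
    return core + bytes(rnd.getrandbits(8) for _ in range(junk_len))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shingles(data: bytes, n: int = SHINGLE_LEN) -> set:
    """Set of all n-byte windows; shared windows survive a changed tail."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: bytes, b: bytes) -> float:
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb)


def triage(known_bad: bytes, candidate: bytes) -> dict:
    """What a hash blocklist sees versus what a similarity check sees."""
    score = jaccard(known_bad, candidate)
    return {
        "hash_match": sha256_hex(known_bad) == sha256_hex(candidate),
        "similarity": round(score, 3),
        "same_family": score >= SIMILAR_THRESHOLD,
    }


CORE = make_core()
FIRST_DOWNLOAD = build_download(CORE, 1)   # the copy an analyst submitted
SECOND_DOWNLOAD = build_download(CORE, 2)  # the copy the next victim received
UNRELATED = build_download(make_core(seed=99), 3)

if __name__ == "__main__":
    print(triage(FIRST_DOWNLOAD, SECOND_DOWNLOAD))  # hash_match False, same_family True
    print(triage(FIRST_DOWNLOAD, UNRELATED))        # both False
```

On real samples, replace the toy shingle set with a fuzzy hash such as ssdeep or TLSH, and treat a high similarity score as a triage hint to be confirmed by behaviour, because a builder can also vary what is inside the installer rather than only append to it.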

Targets

Individuals.

How they operate

On execution the file shows a typical setup wizard and behaves like a legitimate installer until the user clicks through its prompts. Only then does it contact its command-and-control (C2) server over web protocols (HTTP/HTTPS), send information about the host, and wait for instructions.

The C2 response drives everything that follows. If the server answers "ok", the installer downloads and runs additional files from URLs included in the response. These range from legitimate software such as the Opera browser, installed as cover, to the StealC infostealer, which harvests browser passwords, cryptocurrency wallet data and FTP credentials, as well as proxy tools and clickers disguised as security plugins. If the server answers "no", the installation completes without any malicious action.

The "no" path doubles as an anti-analysis measure: a sandbox or analyst VM that receives "no" sees a clean installer, so a single detonation that shows no malicious behaviour does not clear a sample; re-running under a different environment, or capturing and replaying the C2 exchange, is needed before calling it benign. Combined with per-download URLs and hashes, this makes reproducing and documenting the infection chain harder than for malware that ships its payload inside the file. Detection therefore has to key on post-click behaviour (the C2 beacon, the download-and-execute step, and the persistence it sets up) rather than on the installer itself.

MITRE Tactics and Techniques

Execution
T1059 – Command and Scripting Interpreter. InnoLoader runs a malicious BAT file (T1059.003, Windows Command Shell; T1059.001, PowerShell, if that script hands off to PowerShell) that downloads and launches further components. Because the BAT file is launched through msiexec, the activity also maps to T1218.007 – System Binary Proxy Execution: Msiexec.

Persistence
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder. InnoLoader copies itself into the ProgramData directory and drops a shortcut to that copy in the Startup folder, so it runs at every logon of that user.

Defense Evasion
T1027 – Obfuscated Files or Information. Scripts and downloaded components are obfuscated to hinder detection and analysis. Legitimate software is downloaded alongside the malicious payloads to make the activity look benign, and every download produces a file with a new hash, so static hash indicators do not carry over between victims.

Discovery
T1082 – System Information Discovery. The installer gathers information about the host and sends it to the C2 server, whose reply decides what happens next.

Command and Control
T1071.001 – Application Layer Protocol: Web Protocols. C2 traffic uses web protocols. The server's response ("ok" or "no") determines whether additional components are downloaded and from which URLs.

Collection
T1119 – Automated Collection. The StealC payload, when delivered, harvests passwords, application login data and wallet credentials automatically; browser credential theft specifically maps to T1555.003 – Credentials from Password Stores: Credentials from Web Browsers.

Exfiltration
T1041 – Exfiltration Over C2 Channel. Stolen credentials and other collected data are sent back over the existing C2 connection.
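The behaviours described under "How they operate" and in the technique list above, turned into a hunting pass over endpoint telemetry. This is an added example and not code from the page or from ASEC: the event format, PIDs, paths and the 203.0.113.10 and 203.0.113.20 addresses are constructed for it. The `%TEMP%\is-XXXXX.tmp` path is Inno Setup's normal extraction directory, a convention of the framework that the page does not mention and that legitimate installers produce too, so the example treats it as a weak signal that only counts together with other findings. The rule names and the functions `detect`, `root_of` and `verdict` are this example's own.

```python
"""
Added hunting example, not code from the page or from ASEC. It scores
constructed endpoint telemetry for the InnoLoader behaviours the page lists:
a Startup-folder shortcut pointing into ProgramData, msiexec launching a BAT
file, and the unpacked installer stub talking to a web C2. Event shape, PIDs,
paths and the 203.0.113.x addresses are all made up for this example.
"""
import re

# %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup: a .lnk here runs at
# every logon of that user (T1547.001).
STARTUP_LNK_RE = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
PROGRAMDATA_RE = re.compile(r"^[a-z]:\\programdata\\", re.I)
# Inno Setup unpacks its stub to %TEMP%\is-XXXXX.tmp\<name>.tmp. That is a
# framework convention (assumed here, not stated on the page) and legitimate
# installers match it too, so on its own it is only a weak signal.
INNO_STUB_RE = re.compile(r"\\is-[a-z0-9]{5}\.tmp\\[^\\]+\.tmp$", re.I)
BAT_ARG_RE = re.compile(r"\.bat\b", re.I)

# Constructed telemetry. PIDs 3000/4100/4212 are the infection chain;
# 5000, 5010 and 6100 are benign look-alikes.
EVENTS = [
    {"type": "process", "pid": 3000, "parent_pid": 1200,
     "image": r"C:\Users\u\Downloads\Setup.exe", "cmdline": "Setup.exe"},
    {"type": "process", "pid": 4100, "parent_pid": 3000,
     "image": r"C:\Users\u\AppData\Local\Temp\is-K3J9Q.tmp\Setup.tmp",
     "cmdline": "Setup.tmp"},
    {"type": "network", "pid": 4100, "dest": "203.0.113.10", "port": 80},
    {"type": "process", "pid": 4212, "parent_pid": 4100,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\u\AppData\Local\Temp\upd.bat"'},
    {"type": "file", "pid": 4100, "path": r"C:\ProgramData\Updater\upd.exe"},
    {"type": "file", "pid": 4100,
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk",
     "lnk_target": r"C:\ProgramData\Updater\upd.exe"},
    # Benign: a chat app adds its own Startup shortcut pointing into AppData.
    {"type": "process", "pid": 5000, "parent_pid": 1200,
     "image": r"C:\Users\u\AppData\Local\chat\chat.exe", "cmdline": "chat.exe"},
    {"type": "file", "pid": 5000,
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chat.lnk",
     "lnk_target": r"C:\Users\u\AppData\Local\chat\chat.exe"},
    # Benign: msiexec installing an actual MSI package.
    {"type": "process", "pid": 5010, "parent_pid": 5000,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\u\Downloads\tool.msi" /qn'},
    # Benign: a legitimate Inno Setup installer checking for updates over HTTPS.
    {"type": "process", "pid": 6100, "parent_pid": 6000,
     "image": r"C:\Users\u\AppData\Local\Temp\is-A1B2C.tmp\Setup.tmp",
     "cmdline": "Setup.tmp"},
    {"type": "network", "pid": 6100, "dest": "203.0.113.20", "port": 443},
]


def detect(events):
    """Single-event indicators as (rule, pid) pairs."""
    image_of = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "file":
            if STARTUP_LNK_RE.search(e["path"]) and PROGRAMDATA_RE.match(e.get("lnk_target", "")):
                findings.append(("startup_lnk_to_programdata", e["pid"]))
        elif e["type"] == "process":
            if e["image"].lower().endswith("\\msiexec.exe") and BAT_ARG_RE.search(e["cmdline"]):
                findings.append(("msiexec_with_bat", e["pid"]))
        elif e["type"] == "network":
            if INNO_STUB_RE.search(image_of.get(e["pid"], "")) and e["port"] in (80, 443):
                findings.append(("inno_stub_web_beacon", e["pid"]))
    return findings


def root_of(pid, parent_of):
    """Follow parent_pid links up to the first process we have no event for."""
    seen = set()
    while pid in parent_of and parent_of[pid] in parent_of and pid not in seen:
        seen.add(pid)
        pid = parent_of[pid]
    return pid


def verdict(events, min_rules=2):
    """Roll findings up to the root of each process tree. A tree is reported
    only when at least min_rules distinct rules fired in it, which keeps the
    weak installer-beacon signal from flagging every Inno Setup install."""
    parent_of = {e["pid"]: e["parent_pid"] for e in events if e["type"] == "process"}
    by_root = {}
    for rule, pid in detect(events):
        by_root.setdefault(root_of(pid, parent_of), set()).add(rule)
    return {root: rules for root, rules in by_root.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for root, rules in verdict(EVENTS).items():
        print(f"process tree rooted at pid {root}: {sorted(rules)}")
```

If your telemetry does not record shortcut targets, replace the `lnk_target` check with a correlation: the same process writing a file under ProgramData and a `.lnk` in the Startup folder within a short window. The per-tree roll-up is what makes the weak installer-stub signal usable; on its own it would fire on every legitimate Inno Setup installer that checks for updates.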
References:
  • AhnLab Security Intelligence Center (ASEC), "New InnoSetup Malware Created Upon Each Download Attempt"

Tags: AhnLab, ASEC, Cybersecurity, dropper, InnoLoader, InnoSetup, Malware, Phishing, Threats, URL, Windows
    © 2025 | CyberMaterial | All rights reserved
