InnoSetup (InnoLoader)

| Attribute | Value |
| --- | --- |
| Type of Malware | Dropper |
| Country of Origin | Unknown |
| Date of Initial Activity | Unknown |
| Motivation | Financial Gain |
| Associated Groups | Unknown |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
AhnLab Security Intelligence Center (ASEC) has identified a new malware strain, dubbed "InnoLoader", that is packaged with the Inno Setup installer framework. Unlike conventional malware, which launches its payload as soon as it runs, InnoLoader presents a familiar installation wizard and performs its malicious actions only when the user clicks through the installer's prompts. A sandbox that runs the sample without simulating those clicks therefore observes nothing but a benign-looking installer.
What sets InnoLoader apart is its distribution mechanism. Rather than serving pre-built samples, the download site generates a new file for each download request: every download yields a binary with a different hash but identical functionality. Hash-based blocklists and shared file indicators therefore lag permanently behind the campaign, and security teams cannot rely on file hashes alone to track or block it.
Targets
Individuals.
How they operate
Upon execution, the malware displays a typical installation interface, leading the user to believe they are installing legitimate software. The malicious behavior is triggered only when the user clicks through the installer's prompts. The malware then connects to a command and control (C2) server, sends information about the system and receives instructions that dictate its next steps. Depending on the C2 response, it downloads and executes various payloads, including infostealers, proxy tools, and clickers disguised as security plugins.
The malware's behavior is driven entirely by the C2 server's reply. If the server responds with an "ok" message, the malware downloads and executes additional files from URLs supplied in the response. These files range from harmless applications, such as the Opera browser, to malicious payloads such as the StealC infostealer, which harvests passwords, cryptocurrency wallet credentials and FTP login details.
The same mechanism hinders analysis and detection. If the C2 server returns a "no" response, the installation finishes without any malicious action, so an analysis environment that the operators decline to serve captures only a clean installer. The unique download URL and file hash of every instance further complicate indicator sharing and forensic correlation. Because the file itself is different on every download, detection has to rest on the behavior chain (an installer process spawning msiexec and a batch script, a copy written to ProgramData, a Startup-folder shortcut, beaconing from the installer) rather than on file hashes.
MITRE Tactics and Techniques
Execution
T1059.003 – Command and Scripting Interpreter: Windows Command Shell (with T1218.007 – System Binary Proxy Execution: Msiexec)
InnoLoader runs a malicious BAT file through the msiexec command; the batch script then downloads and launches further components. A .bat file is interpreted by the Windows command shell, so the correct sub-technique is T1059.003 rather than PowerShell (T1059.001), and the use of msiexec to launch content is tracked separately under T1218.007.
Defense Evasion
T1027 – Obfuscated Files or Information
The malware obfuscates its scripts and downloaded components to evade detection and analysis, and the per-download rebuild described above means no two samples share a file hash. It also fetches legitimate software such as the Opera browser so that the installer's network and file activity looks benign.
Persistence
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
To maintain persistence, InnoLoader copies itself into the ProgramData directory and creates a shortcut (.lnk) in the Startup folder that points at that copy, so the loader runs at every logon.
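A detection example for the execution and persistence entries above (msiexec launching a batch file, the copy into ProgramData, the Startup-folder shortcut), written for this page and not taken from the ASEC report or from the malware itself: four rules run over constructed Sysmon-style process-creation and file-creation events, and an alert fires only when several stages of the chain appear together, since any one of them (an MSI install, a new shortcut) is noisy on its own. The event layout, every path and file name, and the `SAMPLE_EVENTS` data are invented for the example; the fact that an Inno Setup stub runs from a `%TEMP%\is-XXXXX.tmp` working directory is standard Inno Setup behavior, not something this page states.

```python
"""Hunt for the InnoLoader execution/persistence chain in endpoint telemetry (added example)."""
import re
from typing import Callable, Dict, Iterable, List, Tuple

Event = Dict[str, object]

# Constructed telemetry (not real logs): an Inno Setup stub unpacked to %TEMP%\is-XXXXX.tmp
# hands off to msiexec, which runs a batch file; the batch file drops an EXE under
# ProgramData and plants a Startup-folder shortcut. Events 6 and 7 are benign negatives.
SAMPLE_EVENTS: List[Event] = [
    {"id": 1, "type": "process_create",
     "image": r"C:\Users\alice\AppData\Local\Temp\is-K3L9Q.tmp\setup.tmp",
     "parent": r"C:\Users\alice\Downloads\setup.exe",
     "cmdline": r"setup.tmp /SL5=$1A0B,1"},
    {"id": 2, "type": "process_create",
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\is-K3L9Q.tmp\setup.tmp",
     "cmdline": r"msiexec /i C:\Users\alice\AppData\Local\Temp\pkg.msi /qn"},
    {"id": 3, "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\run.bat"},
    {"id": 4, "type": "file_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\ProgramData\Updater\updater.exe"},
    {"id": 5, "type": "file_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"},
    {"id": 6, "type": "process_create",   # benign: an Office update via msiexec, no batch file
     "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe",
     "cmdline": r"msiexec /i C:\Windows\Temp\office.msi /qn"},
    {"id": 7, "type": "file_create",       # benign: a shortcut created outside Startup
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Desktop\notes.lnk"},
]

STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
PROGRAMDATA_EXE = re.compile(r"^[A-Z]:\\ProgramData\\.*\.exe$", re.IGNORECASE)
# Inno Setup unpacks its second-stage stub to %TEMP%\is-<random>.tmp\ before running it.
INNO_TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\is-[A-Z0-9]+\.tmp\\", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, for case-insensitive image comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_inno_stub_spawns_msiexec(ev: Event) -> bool:
    """Inno Setup stub in its temp directory launching msiexec (T1218.007)."""
    return (ev["type"] == "process_create"
            and basename(str(ev["image"])) == "msiexec.exe"
            and INNO_TEMP_DIR.search(str(ev["parent"])) is not None)


def rule_msiexec_runs_batch(ev: Event) -> bool:
    """msiexec as parent of cmd.exe running a .bat file (T1059.003 reached via msiexec)."""
    return (ev["type"] == "process_create"
            and basename(str(ev["parent"])) == "msiexec.exe"
            and basename(str(ev["image"])) == "cmd.exe"
            and ".bat" in str(ev["cmdline"]).lower())


def rule_programdata_exe_drop(ev: Event) -> bool:
    """Executable written under ProgramData (the loader copying itself)."""
    return ev["type"] == "file_create" and PROGRAMDATA_EXE.match(str(ev["target"])) is not None


def rule_startup_shortcut(ev: Event) -> bool:
    """Shortcut planted in a Startup folder (T1547.001)."""
    return ev["type"] == "file_create" and STARTUP_LNK.search(str(ev["target"])) is not None


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("inno_stub_spawns_msiexec", rule_inno_stub_spawns_msiexec),
    ("msiexec_runs_batch", rule_msiexec_runs_batch),
    ("programdata_exe_drop", rule_programdata_exe_drop),
    ("startup_shortcut", rule_startup_shortcut),
]


def hunt(events: Iterable[Event]) -> List[Tuple[int, str]]:
    """Return (event id, rule name) for every event that matches a rule."""
    return [(int(ev["id"]), name) for ev in events for name, rule in RULES if rule(ev)]


def triage(events: Iterable[Event], min_stages: int = 3) -> Tuple[List[Tuple[int, str]], bool]:
    """Alert only when at least min_stages distinct stages of the chain are present."""
    hits = hunt(list(events))
    return hits, len({name for _, name in hits}) >= min_stages


if __name__ == "__main__":
    found, alert = triage(SAMPLE_EVENTS)
    for event_id, rule_name in found:
        print(f"event {event_id}: {rule_name}")
    print("ALERT" if alert else "no alert")
```

On real telemetry the rules would be keyed by host and session and evaluated over a time window; the sample data is a single session, so the correlation in `triage` is simply "how many distinct stages were seen". The `is-XXXXX.tmp` parent check is what separates an Inno Setup installer handing off to msiexec from an ordinary MSI install such as event 6.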
Command and Control
T1071.001 – Application Layer Protocol: Web Protocols
InnoLoader communicates with its C2 server over HTTP/HTTPS. The server's response ("ok" or "no") decides whether the loader downloads additional components from the URLs it is given or finishes as a clean installer.
Collection
T1119 – Automated Collection
Collection is carried out by the infostealer payload that InnoLoader drops (StealC in the observed case), which harvests passwords, cryptocurrency wallet credentials, FTP logins and other application login data for exfiltration to the C2 server.
Exfiltration
T1041 – Exfiltration Over C2 Channel
Stolen credentials and other collected data are sent back to the C2 server over the same web channel used for tasking.
Discovery
T1082 – System Information Discovery
InnoLoader performs system reconnaissance to gather information about the infected system, which is then sent to the C2 server to inform further actions.