Cybercriminals are increasingly turning legitimate software installer frameworks, such as Inno Setup, into tools for distributing malware. Originally intended to facilitate software deployment on Windows, Inno Setup has gained popularity among malicious actors due to its trusted appearance and robust Pascal scripting capabilities.
This sophisticated misuse allows attackers to conceal malware within seemingly innocuous installation packages, often slipping past user scrutiny and even evading some antivirus solutions.
Exploiting Trust in Software Distribution Tools
A recent campaign highlighted by the Splunk Threat Research Team (STRT) illustrates how these malicious installers can deliver information-stealing malware, such as RedLine Stealer, through a complex multi-stage infection process. The chain begins with a malicious Inno Setup installer that employs Pascal scripting to execute various evasion techniques, including the detection of debuggers and sandbox environments.
The script utilizes XOR encryption to obscure critical strings and conducts Windows Management Instrumentation (WMI) queries to identify malware analysis tools and virtual machine settings, terminating the process if any such conditions are detected.
Upon passing these checks, the installer retrieves a compressed payload from a command-and-control (C2) server via a TinyURL link, often concealed behind access-restricted pages on platforms like rentry[.]org.
A Multi-Stage Malware Delivery Chain
Once the payload is downloaded, it is extracted from a ZIP archive using a renamed 7-Zip utility. A scheduled task is then created to ensure persistence by launching a hidden executable upon system reboot.
This payload initiates a series of complex actions involving DLL sideloading, where a trojanized QtGuid4.dll decrypts shellcode from an encrypted file, ultimately loading HijackLoader. Known for its modular design and evasion techniques like Heaven’s Gate and Process Hollowing, HijackLoader decrypts and injects the final payload, RedLine Stealer, into a legitimate MSBuild.exe process. This allows it to steal sensitive information, including browser credentials and cryptocurrency wallet data.
RedLine Stealer further complicates detection through “constant unfolding” obfuscation, dynamically constructing parameters at runtime, and employing browser flags like --no-sandbox in Chrome to disable security features. It also launches Internet Explorer with extensions disabled to carry out malicious actions unnoticed.
This campaign exemplifies the sophisticated exploitation of trusted tools, as attackers leverage Inno Setup’s legitimacy to distribute malware through phishing, cracked software, or compromised updates.
The STRT has developed multiple detection methods to identify such threats, focusing on indicators like unsigned DLL sideloading, hidden scheduled tasks, and suspicious browser behaviors.
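The following is an added example, not Splunk's or the STRT's detection content, that turns the indicators named above into a small rule set run over constructed endpoint telemetry. The event shape (process creation and image load records), the host names and file paths, and the sample command lines are all hypothetical; the scheduled-task action path, the unsigned DLL loaded from the host's own user-writable directory, MSBuild.exe spawned by a non-build parent, and the Chrome --no-sandbox flag follow the chain described on this page, while -extoff is assumed here as the standard Internet Explorer switch for launching without add-ons (the page only says extensions are disabled).

```python
"""Toy detections for the Inno Setup -> HijackLoader -> RedLine chain described above.

Added example, not Splunk/STRT detection content. Event format and all sample
values (hosts, paths, command lines) are constructed for illustration.
"""
from dataclasses import dataclass
import shlex

# Directories a scheduled task or sideloaded DLL should rarely live in.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\", "\\public\\")
# Parents that legitimately launch MSBuild.exe (assumed baseline, tune per environment).
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "cmd.exe", "powershell.exe", "dotnet.exe"}


@dataclass
class Event:
    kind: str            # "process" (creation) or "imageload" (DLL mapped into a process)
    image: str           # path of the created process, or of the loaded DLL
    cmdline: str = ""    # process events only
    parent: str = ""     # parent process image (process events only)
    loader: str = ""     # process that mapped the DLL (imageload events only)
    signed: bool = True  # imageload events: Authenticode signature present and valid


def _tokens(cmdline: str):
    """Split a Windows command line, keeping quoted paths as single lowercase tokens."""
    try:
        return [t.lower() for t in shlex.split(cmdline, posix=False)]
    except ValueError:
        return cmdline.lower().split()


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]


def chrome_no_sandbox(e: Event) -> bool:
    return e.kind == "process" and _basename(e.image) == "chrome.exe" and "--no-sandbox" in _tokens(e.cmdline)


def ie_extensions_off(e: Event) -> bool:
    return e.kind == "process" and _basename(e.image) == "iexplore.exe" and "-extoff" in _tokens(e.cmdline)


def schtasks_user_writable_action(e: Event) -> bool:
    """schtasks /create whose /tr action points into a user-writable directory."""
    if e.kind != "process" or _basename(e.image) != "schtasks.exe":
        return False
    toks = _tokens(e.cmdline)
    if "/create" not in toks:
        return False
    for i, t in enumerate(toks):
        if t == "/tr" and i + 1 < len(toks):
            return any(marker in toks[i + 1] for marker in USER_WRITABLE)
    return False


def unsigned_dll_sideload(e: Event) -> bool:
    """Unsigned DLL loaded from the loading process's own directory in a user-writable path."""
    if e.kind != "imageload" or e.signed:
        return False
    dll_dir, host_dir = _dirname(e.image), _dirname(e.loader)
    return dll_dir == host_dir and any(marker in dll_dir + "\\" for marker in USER_WRITABLE)


def msbuild_unusual_parent(e: Event) -> bool:
    return e.kind == "process" and _basename(e.image) == "msbuild.exe" and _basename(e.parent) not in BUILD_PARENTS


RULES = {
    "chrome_no_sandbox": chrome_no_sandbox,
    "ie_extensions_off": ie_extensions_off,
    "schtasks_user_writable_action": schtasks_user_writable_action,
    "unsigned_dll_sideload": unsigned_dll_sideload,
    "msbuild_unusual_parent": msbuild_unusual_parent,
}


def detect(events):
    """Return (rule_name, image) pairs for every event that matches a rule."""
    return [(name, e.image) for e in events for name, rule in RULES.items() if rule(e)]


# Constructed telemetry: five malicious-looking events followed by three benign ones.
STAGER = r"C:\Users\alice\AppData\Roaming\svc\update.exe"
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /sc onstart /tn "WinUpdateSvc" /tr "C:\Users\alice\AppData\Roaming\svc\update.exe"',
          parent=r"C:\Users\alice\Downloads\is-setup.tmp\setup.exe"),
    Event("imageload", r"C:\Users\alice\AppData\Roaming\svc\QtGuid4.dll", loader=STAGER, signed=False),
    Event("process", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "MSBuild.exe", parent=STAGER),
    Event("process", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --headless',
          parent=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
    Event("process", r"C:\Program Files\Internet Explorer\iexplore.exe", "iexplore.exe -extoff http://example.invalid/",
          parent=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
    Event("process", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
          parent=r"C:\Windows\explorer.exe"),
    Event("process", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "MSBuild.exe app.csproj",
          parent=r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"),
    Event("imageload", r"C:\Windows\System32\ntdll.dll", loader=r"C:\Windows\explorer.exe", signed=True),
]

if __name__ == "__main__":
    for name, image in detect(SAMPLE_EVENTS):
        print(f"{name:32s} {image}")
```

Each rule is deliberately narrow so it can be tuned independently: the scheduled-task and sideloading rules key on user-writable paths rather than on any specific file name, and the MSBuild rule depends on a parent baseline that should be adjusted to the build tooling actually present in the environment.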
As cybercriminals continue to refine their tactics, utilizing legitimate frameworks for malicious purposes, both users and organizations must remain vigilant. Employing robust endpoint security and monitoring is essential to detect and mitigate these stealthy threats before they compromise critical data.
Indicators of Compromise (IOC)
| Description | Hash |
|---|---|
| Malicious Inno Setup Loader Hash 1 | 0d5311014c66423261d1069fda108dab33673bd68d697e22adb096db05d851b7 |
| Malicious Inno Setup Loader Hash 2 | 0ee63776197a80de42e164314cea55453aa24d8eabca0b481f778eba7215c160 |
| Malicious Inno Setup Loader Hash 3 | 12876f134bde914fe87b7abb8e6b0727b2ffe9e9334797b7dcbaa1c1ac612ed6 |
| Malicious Inno Setup Loader Hash 4 | 8f55ad8c8dec23576097595d2789c9d53c92a6575e5e53bfbc51699d52d0d30a |