Cybercriminals have increasingly turned to legitimate software installation frameworks as vehicles for malware distribution, with Inno Setup emerging as a preferred tool for threat actors seeking to bypass security measures.<\/p>\n
This legitimate Windows installer framework, originally designed to simplify software deployment, has become a sophisticated delivery mechanism for information-stealing malware campaigns that target browser credentials and cryptocurrency wallets.<\/p>\n
The malicious campaign exploits Inno Setup\u2019s Pascal scripting capabilities to create seemingly legitimate software installers that conceal multi-stage malware payloads.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh5_5Wm-mClexwbz_np2tK2ItrlchW2xXTx6hxgBWcK7XQolfUPHoLuciSTou7qGTsLHAv_xVHLa7F4KOptzl2ptq0HAa3uQ31wZC_AZl46QgQPn0IHhg1VKdd3IeyUtikdHNXcbrC-z3wjeNB2Rao2AK6ImhlBt_2RFSh4MRGuyHSIkY4aXcCpCqA1p9c\/s16000\/Malicious%2520Inno-Setup%2520Loader%2520Campaign%2520%28Source%2520-%2520Splunk%29.webp?ssl=1\")
These weaponized installers masquerade as legitimate applications while executing complex infection chains that ultimately deploy RedLine Stealer, a widely distributed information-stealing malware known for harvesting sensitive data<\/a> from compromised systems.<\/p>\n Recent analysis by Splunk researchers has identified<\/a> a sophisticated attack chain that leverages multiple evasion techniques to avoid detection by security tools and sandbox environments.<\/p>\n The campaign demonstrates advanced tradecraft, employing XOR encryption, anti-analysis measures, and legitimate system tools to maintain persistence and evade detection throughout the infection process.<\/p>\n The attack vector represents a significant evolution in malware distribution tactics, as threat actors abuse the inherent trust users place in software installers.<\/p>\n By leveraging legitimate frameworks like Inno Setup, attackers can distribute malware through various channels including phishing campaigns, compromised software repositories, and malicious advertisements without triggering immediate suspicion from users or security systems.<\/p>\n The malware\u2019s sophisticated evasion strategy begins with its Pascal script implementation, which uses XOR encryption to obfuscate critical strings and commands.<\/p>\n Upon execution, the installer performs comprehensive environment analysis using Windows Management Instrumentation (WMI) queries, specifically executing If analysis tools are detected, the installer immediately terminates to avoid investigation.<\/p>\n The campaign<\/a> employs multiple layers of sandbox evasion, including filename pattern matching and system profiling.<\/p>\n The malware checks for specific substrings in the installer\u2019s filename, such as \u201capplication_stable_release,\u201d before proceeding with payload delivery.<\/p>\n Additionally, it executes WMI queries like For persistence, the malware creates hidden scheduled tasks using the command The payload is extracted to The infection chain culminates with DLL side-loading<\/a>, where a legitimate application (ScoreFeedbackTool.exe) loads a trojanized QtGuid4.dll, which then decrypts and executes the HijackLoader component that ultimately deploys RedLine Stealer into a spawned MSBuild.exe process, effectively hiding the malicious payload within a legitimate Windows development tool.<\/p>\n Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions ->\u00a0Try ANY.RUN now<\/strong><\/a><\/p>\n The post Hackers Exploit Legitimate Inno Setup Installer to Use as a Malware Delivery Vehicle<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nAdvanced Evasion and Persistence Mechanisms<\/strong><\/h2>\n
Select * From Win32_Process where Name=<\/code> to identify processes associated with malware analysis tools.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhdReufLHqLySP_a5DKPHCfxgElk-sK2jWEuto_7_KyMwkVMTmswR3fqkmcP9x6S3PYILIL20-y3MGRT71KAg00P5IYoU9ZUxeaXwOWKJ6SBjMSkc0u9LWAjIMPmJ5aITB3hZUE0bwExrki_rR6mqi8yhlhYVdAlgpkw6VqkoJe4lncVSIEsCpYNi6ilQY\/s16000\/HijackLoader%2520and%2520FinalPayload%2520Decryption%2520Routine%2520%28Source%2520-%2520Splunk%29.webp?ssl=1\")
SELECT * FROM Win32_Processor<\/code> and SELECT * FROM Win32_ComputerSystem<\/code> to gather system information and identify virtual machine environments commonly used for malware analysis<\/a>.<\/p>\nschtasks \/Create \/xml %temp%lang WhatsAppSyncTaskMachineCore \/f<\/code>.<\/p>\n%APPDATA%RoamingcontrolExplore<\/code> and configured to execute automatically upon system reboot.<\/p>\n