New InnoSetup Malware Posing As MS Office Crack To Evade Detection

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A new malware strain, distributed as cracks and commercial tools, uses just-in-time generation: each download request produces a unique variant with the same functionality, so detection that relies on hashes of previously seen samples fails.

The malware leverages an installer UI to delay malicious actions until specific buttons are clicked during installation and then downloads and executes further payloads based on instructions received from a Command and Control server (C2).  

Researchers observed the malware installing information stealers, proxy tools, clickers disguised as browser plugins, and even legitimate software like the Opera browser and 360 security products.  

Web pages distributing the malware

The malware tailors both the sample and its C2 server address to each download request, which makes detection difficult: the C2 address embeds a timestamp and country information, so it also differs from download to download.


If the same environment has already downloaded the malware, the distribution site serves a legitimate WinRAR installer instead for a period of time, which frustrates repeated collection by analysts and sandboxes.

The malware is created with InnoSetup and disguised as an installer, requiring the user to click “Next” twice to trigger malicious behavior.  

Malware execution screen

The adversaries use InnoDownloadPlugin to download additional installers from a Command and Control (C2) server; the installer proceeds with its malicious behavior only after receiving an "ok" response from the C2 server.

To evade analysis, the C2 server might switch its response to “no” after a certain time, causing the installation to terminate without malicious actions.

The downloaded installer URL is retrieved from the C2 server’s response header’s “Location” entry, allowing attackers to distribute both legitimate and malicious files through the plugin.

Download URL response of the C2
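The C2 gating described above (a literal "ok"/"no" check-in body, then a payload URL read from the Location header of a second response) is the reason a sandbox that cannot reach the real C2 sees nothing malicious. The following script, an added example and not code from the article or from ASEC, runs a fake C2 on localhost that emulates both behaviours so the gating logic can be exercised offline. The paths /check and /download, the 302 status and the next-stage URL are assumptions modelled on the article's description, not values recovered from the real infrastructure.

```python
"""Fake C2 emulating the gating InnoLoader's InnoDownloadPlugin stage relies on.
Constructed example: /check, /download, the "ok"/"no" body and the payload URL
are assumptions based on the article, not observed C2 values."""
import http.client
import http.server
import threading


class FakeC2(http.server.BaseHTTPRequestHandler):
    approve = True                                   # set False to emulate the later "no" answer
    location = "http://127.0.0.1/next-stage.exe"     # assumed next-stage URL

    def do_GET(self):
        if self.path == "/check":
            # The installer continues only when the body is exactly "ok".
            body = b"ok" if FakeC2.approve else b"no"
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif self.path == "/download":
            # The real download URL travels in the Location header, so the same
            # endpoint can hand out a benign or a malicious file at will.
            self.send_response(302)
            self.send_header("Location", FakeC2.location)
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            self.send_error(404)

    def log_message(self, *args):                    # keep the sandbox console quiet
        pass


def start_fake_c2():
    """Bind an ephemeral port on loopback and serve in a background thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), FakeC2)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def gate_allows(host, port):
    """Client side of the check-in: proceed only on a literal 'ok' body."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", "/check")
    body = conn.getresponse().read().strip()
    conn.close()
    return body == b"ok"


def next_stage_url(host, port):
    """Read the payload URL from the Location header without following it."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", "/download")
    resp = conn.getresponse()
    resp.read()
    loc = resp.getheader("Location")
    conn.close()
    return loc


def run_simulation():
    """Drive both branches: an approved check-in, then the C2 switching to 'no'."""
    srv = start_fake_c2()
    host, port = srv.server_address
    result = {}
    FakeC2.approve = True
    result["approved"] = gate_allows(host, port)
    result["location"] = next_stage_url(host, port) if result["approved"] else None
    FakeC2.approve = False                           # C2 later flips its answer
    result["later"] = gate_allows(host, port)
    srv.shutdown()
    srv.server_close()
    return result


if __name__ == "__main__":
    print(run_simulation())
```

When analysing a sample of this family, point the installer's C2 hostname at a responder like this (via the hosts file or DNS interception in the sandbox) and keep `approve` set to True; otherwise the "no" branch, or an unreachable C2, produces a clean-looking installer run and no second stage.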

InnoLoader is a multi-stage downloader: once executed, it fetches and runs further payloads, using a BAT file to launch the StealC infostealer, which steals user credentials, browser data and, potentially, cryptocurrency wallet and FTP logins.

The malware then communicates with multiple Command and Control (C2) servers and downloads additional payloads like the Socks5Systemz proxy and adware disguised as a Windows update tool. 

This downloader-dropper-payload chain makes it difficult to analyze and prevent as the malware generates unique instances and employs various tools to steal user data and potentially establish persistence. 

Lu0Bot – StealC malware execution flow

An infostealer campaign is disguising malicious files as legitimate installers. The attackers use an obfuscated BAT file to download an MSI file disguised as a Microsoft Visual C++ installer and then drop a Node.js executable and an obfuscated script (Lu0Bot) in the TEMP directory. 

Lu0Bot generates a C2 URL, collects system information, and communicates with the C2 over UDP, from which it receives commands to execute; it can also download and run additional malware such as StealC.

According to AhnLab Security Intelligence Center (ASEC), Lu0Bot maintains persistence by copying itself to ProgramData and creating a shortcut in the Startup folder, while the obfuscation of its script makes analysis difficult.
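A triage check for the persistence described above, added here as an example (not ASEC's or the article's code): it parses each .lnk in the Startup folders, extracts the target path from the shortcut's LinkInfo block, and flags targets that live under ProgramData or TEMP or that launch a script host such as node.exe. The suspicious-directory and suspicious-executable lists are assumed triage rules, the parser reads only the ANSI LocalBasePath (not the Unicode variant), and the sample shortcut bytes are constructed inline so the check runs offline on any platform.

```python
"""Startup-folder shortcut triage for Lu0Bot-style persistence (copy under
ProgramData launched via a .lnk in Startup). Added example; the rules below
are assumptions and the fixture .lnk files are constructed, not real samples."""
import os
import struct
import tempfile

SUSPICIOUS_DIRS = ("\\programdata\\", "\\appdata\\local\\temp\\")   # assumed rule
SUSPICIOUS_EXES = ("node.exe", "cmd.exe", "powershell.exe", "wscript.exe")  # assumed rule
STARTUP_DIRS = [
    os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"),
    os.path.expandvars(r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp"),
]


def lnk_local_base_path(data):
    """Return the ANSI LocalBasePath of a .lnk (MS-SHLLINK), or None if absent."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        return None                                   # not a shell link header
    flags = struct.unpack_from("<I", data, 0x14)[0]   # LinkFlags
    pos = 0x4C
    if flags & 0x1:                                   # HasLinkTargetIDList: skip it
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & 0x2:                               # HasLinkInfo
        return None
    info = pos
    _size, _hdr, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, info)
    if not li_flags & 0x1:                            # VolumeIDAndLocalBasePath
        return None
    start = info + base_off
    end = data.index(b"\x00", start)
    return data[start:end].decode("latin-1")


def is_suspicious_target(path):
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS) or os.path.basename(p) in SUSPICIOUS_EXES


def scan_startup_dirs(dirs):
    """Return (shortcut path, target) for every Startup .lnk whose target looks off."""
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.lower().endswith(".lnk"):
                continue
            full = os.path.join(d, name)
            with open(full, "rb") as f:
                target = lnk_local_base_path(f.read())
            if target and is_suspicious_target(target):
                hits.append((full, target))
    return hits


def build_lnk(target):
    """Minimal .lnk carrying only a LinkInfo block (constructed test fixture)."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")
    header = struct.pack("<I", 0x4C) + clsid + struct.pack("<I", 0x2) + b"\x00" * (0x4C - 24)
    volume = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # DriveType 3 = fixed disk
    base = target.encode("latin-1") + b"\x00"
    hdr = 0x1C
    body = volume + base + b"\x00"                                # empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", hdr + len(body), hdr, 0x1, hdr,
                            hdr + len(volume), 0, hdr + len(volume) + len(base))
    return header + link_info + body


def demo():
    """Write two constructed shortcuts and return which ones the scan flags."""
    with tempfile.TemporaryDirectory() as d:
        fixtures = {
            "Updater.lnk": r"C:\ProgramData\Update\node.exe",                      # Lu0Bot-style
            "OneDrive.lnk": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",   # benign
        }
        for name, target in fixtures.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(build_lnk(target))
        return [(os.path.basename(p), t) for p, t in scan_startup_dirs([d])]


if __name__ == "__main__":
    print("fixture hits:", demo())
    print("live hits:", scan_startup_dirs(STARTUP_DIRS))
```

On a live host the second call walks both the per-user and the all-users Startup folders; a shortcut whose target sits under ProgramData and invokes node.exe is exactly the pattern worth pulling for further analysis, together with the copy of the script in the TEMP directory.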
