Cybercriminals are increasingly leveraging legitimate software installation frameworks to distribute malware, with Inno Setup emerging as a favored tool. Originally designed to simplify software deployment, Inno Setup is now being exploited to deliver information-stealing malware targeting browser credentials and cryptocurrency wallets.
Inno Setup: A Double-Edged Sword
Inno Setup is a free, script-driven installation system for Windows applications, developed in Delphi by Jordan Russell. Since its release in 1997, it has been widely adopted due to its flexibility and ease of use. However, these same features have made it attractive to threat actors seeking to disguise malicious payloads as legitimate software installers.
Malware Campaigns Utilizing Inno Setup
Recent analyses have uncovered sophisticated malware campaigns that exploit Inno Setup’s capabilities:
– InnoLoader Malware: Disguised as cracks for commercial tools, this malware uses just-in-time generation tactics to create unique variants upon each download request, evading detection based on pre-compiled hashes. It leverages the InnoDownloadPlugin to download additional installers from a Command and Control (C2) server, executing malicious behavior upon receiving an ok response. ([cybersecuritynews.com](https://cybersecuritynews.com/innosetup-malware-ms-office-crack-evade/?utm_source=openai))
– Inno Stealer: Distributed through fake Windows 11 upgrade websites, this malware targets various web browsers and cryptocurrency wallets. It establishes persistence by creating shortcuts in the Startup folder and disables system protections to operate undetected. ([lenet.com](https://www.lenet.com/blog/this-fake-windows-11-upgrade-steals-your-credentials?utm_source=openai))
– Fake Security Updates: Some malware masquerades as security update installers, developed using Inno Setup. These installers create files in system directories and record installation information in the ‘Programs and Features’ section, making them appear legitimate while executing malicious activities. ([asec.ahnlab.com](https://asec.ahnlab.com/en/54375/?utm_source=openai))
Advanced Evasion and Persistence Mechanisms
These malicious campaigns employ sophisticated evasion strategies:
– Encryption and Obfuscation: Malware authors use XOR encryption to obfuscate critical strings and commands within the Pascal scripts of Inno Setup installers, making detection more challenging.
– Environment Analysis: The installers perform comprehensive environment checks using Windows Management Instrumentation (WMI) queries to detect analysis tools or virtual machine environments. If such tools are detected, the installer terminates to avoid investigation.
– Persistence Techniques: Malware establishes persistence by creating hidden scheduled tasks or adding shortcuts in the Startup folder, ensuring execution upon system reboot.
Implications and Recommendations
The exploitation of legitimate installation frameworks like Inno Setup underscores the evolving tactics of cybercriminals. To mitigate these threats:
– Download Software from Official Sources: Always obtain software from reputable and official sources to reduce the risk of downloading malicious installers.
– Verify Digital Signatures: Check the digital signatures of software installers to ensure their authenticity.
– Maintain Updated Security Software: Keep antivirus and anti-malware solutions up to date to detect and prevent the execution of malicious software.
– Educate Users: Raise awareness about the risks of downloading software from untrusted sources and the importance of verifying software authenticity.
By staying vigilant and adopting these practices, individuals and organizations can better protect themselves against malware distributed through exploited legitimate tools like Inno Setup.
