New InnoSetup Malware Created Upon Each Download Attempt
June 27, 2024, 9:56 a.m.
Description
A security intelligence report describing a new malware distribution technique in which the malicious code is generated dynamically for each download attempt, so that every sample carries a unique hash and evades hash-based detection. The malware, termed 'InnoLoader', disguises itself as a legitimate software installer and runs a lengthy chain of downloads that fetch and execute additional payloads, including information stealers, adware, and malicious browser plugins. It employs evasion tactics such as varying C2 responses and downloading benign files to hinder analysis. The report underscores the evolving strategies threat actors use to distribute malware and compromise systems.
Date
Published: June 27, 2024, 9:34 a.m.
Created: June 27, 2024, 9:34 a.m.
Modified: June 27, 2024, 9:56 a.m.
Indicators
Attack Patterns
Socks5Systemz
Lu0Bot
StealC
T1542
T1064
T1137
T1574
T1105
T1204
T1195
T1566
T1059