New InnoSetup Malware Created Upon Each Download Attempt

June 27, 2024, 9:56 a.m.

Description

A security intelligence report describing a new malware distribution technique where malicious code is dynamically generated for each download attempt, evading detection through unique hash values. The malware, termed 'InnoLoader', disguises itself as legitimate software installers, executing a complex sequence of downloading and executing additional payloads, including information stealers, adware, and malicious browser plugins. It employs evasion tactics like varying C2 responses and downloading benign files to hinder analysis. The report underscores the evolving strategies employed by threat actors to distribute malware and compromise systems.

External References

https://asec.ahnlab.com/en/67502/
https://otx.alienvault.com/pulse/667d322126c4b8db836d56aa
Tags
obfuscation
2024-06-27
stealc
lu0bot
dga
innosetup
multistagepayload

Date

  • Created: June 27, 2024, 9:34 a.m.
  • Published: June 27, 2024, 9:34 a.m.
  • Modified: June 27, 2024, 9:56 a.m.

Indicators

  • valuescent.website
  • brotherpopcorn.website
  • da1b144b5f908cb7e811489dfe660e06aa6df9c9158c6972ec9c79c48afacb7e
  • 9c5898b1b354b139794f10594e84e94e991971a54d179b2e9f746319ffac56aa
  • 93.123.39.135
  • https://song.oaksfoxes.ltd/tid/202.exe
  • https://cdn-edge-node.com/online_security_mkl.exe
  • http://monkeyagreement.fun/coo.php?paw=895836&spot=4&a=2857&on=418&o=1660
  • http://monkeyagreement.fun/coo.php?paw=956684&spot=5&a=2857&on=460&o=1690
  • http://monkeyagreement.fun/coo.php?paw=883174&spot=1&a=2857&on=444&o=1678
  • http://monkeyagreement.fun/coo.php?paw=787557&spot=6&a=2857&on=244&o=331
  • http://monkeyagreement.fun/coo.php?paw=762694&spot=2&a=2857&on=458&o=1688
  • http://monkeyagreement.fun/coo.php?paw=401610&spot=3&a=2857&on=420&o=1662
  • http://93.123.39.135/129edec4272dc2c8.php
  • http://kapetownlink.com/installer.exe
  • http://240601155506901.try.kyhd08.buzz/f/fvgbm0601901.txt
  • http://240601155351354.try.kyhd08.buzz/f/fvgbm0601001.msi
  • e38ee82150cc00a8627814c6.bag.sack54.net
  • song.oaksfoxes.ltd
  • d9500682396017175017969210108a04a635094d7af3f018356690047bce5.aoa.aent78.sbs
  • 240601155351354.try.kyhd08.buzz
  • 240601155506901.try.kyhd08.buzz
  • whipunit.hair
  • selectionword.xyz
  • nightauthority.xyz
  • monkeyagreement.fun
  • laughvein.hair
  • kapetownlink.com
  • eyesnose.hair
  • cdn-edge-node.com
  • cattlebusiness.icu
  • caretouch.hair
Download all indicators here!

Attack Patterns

  • Socks5Systemz
  • Lu0Bot
  • StealC