The Splunk Threat Research Team (STRT) recently revealed that hackers are increasingly abusing trustworthy software installers, most notably Inno Setup, by turning them into covert delivery systems for powerful malware.
Traditionally, installer packages like Inno Setup, NSIS, and InstallShield have been indispensable for developers, packaging all files, configurations, and dependencies into a seamless, user-friendly setup experience.
However, threat actors now increasingly weaponize these frameworks, camouflaging malicious payloads within seemingly authentic installation wizards to circumvent user suspicion and evade many conventional security controls.
Sophisticated Loader Tactics Unveiled
STRT’s analysis sheds light on how attackers exploit Inno Setup’s powerful Pascal scripting abilities to initiate intricate multi-stage attacks.
Malicious installers observed in recent campaigns mimic legitimate programs, often using a decoy executable such as “ImageConverter.exe” to lend authenticity.
Within these installers, the true threat lies buried in embedded Pascal scripts, laced with obfuscation and evasion logic.
These scripts deploy XOR encryption to shield malicious commands and perform environmental checks using Windows Management Instrumentation (WMI).
By verifying process lists and system details, the loader can terminate itself if it detects analysis tools or virtualized environments, thereby dodging sandbox scrutiny and forensic investigation.
If the installer confirms it is running on a genuine user system, the script leverages obfuscated URLs, including TinyURL links that mask the final destination, to download secondary payloads.

The attackers employ password-protected ZIP archives, extracting their contents with renamed utilities such as 7za.exe (disguised as “idp.exe”), and then establish persistence by creating hidden scheduled tasks.
The extracted components use classic DLL sideloading techniques, where a trojanized “QtGuid4.dll” decrypts and runs further shellcode, eventually unleashing the modular HijackLoader malware.
RedLine Stealer Deployment
HijackLoader represents a formidable and adaptive threat, first emerging in 2023 and linked to the distribution of various malware strains, including Amadey, Lumma Stealer, Raccoon Stealer v2, Remcos RAT, and most prominently, RedLine Stealer.

This loader cleverly conceals its modules inside non-standard files, such as fake PNG images.
These files embed encrypted code sections that HijackLoader decrypts and decompresses in-memory, using sophisticated methods like Heaven’s Gate, call stack spoofing, and process hollowing to remain undetected.
In this campaign, once HijackLoader executes, it injects the final payload RedLine Stealer into an MSBuild.exe process, obscuring its activity.
RedLine Stealer uses advanced “constant unfolding” obfuscation, where crucial strings and configurations are dynamically rebuilt at runtime, severely hindering static analysis and signature-based detection.
Its core mission is data theft: harvesting browser credentials, cookies, autofill information, and targeting a broad spectrum of browsers, including Chrome, Edge, Brave, and even specialized crypto-wallet extensions such as MetaMask.
The malware further abuses browser command-line options to disable sandboxes and security plugins, ensuring smooth operation while evading browser-based security.
It also employs WMI queries to fingerprint host systems, and systematically locates and exfiltrates sensitive information, especially credentials and financial data stored in browser profiles.
Splunk has developed an extensive set of analytics, 26 detections in total, targeted at uncovering these evolving threats, from identifying anomalous accesses to browser data stores and unsigned DLL sideloading, to spotting hidden scheduled tasks and suspicious browser launches with sandbox-disabling flags.
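To make the detection themes above concrete, here is an added example (not Splunk's analytics and not code from the STRT report) that applies four heuristics to constructed Sysmon-style endpoint events: a renamed archive utility like 7za.exe running as idp.exe, scheduled-task creation pointing at a user-writable path, an unsigned DLL such as QtGuid4.dll loaded from a user-writable directory (the sideloading pattern), and a browser started with sandbox-disabling switches by an unexpected parent. The field names follow Sysmon Event ID 1 (process create) and 7 (image load); every path, process name and command line in the sample events is invented for illustration.

```python
"""Added example (not Splunk's own analytics): a small rule engine that applies
detection heuristics to constructed Sysmon-style endpoint events mirroring the
behaviours the report describes. Field names follow Sysmon Event ID 1 (process
create) and 7 (image load); all sample values are invented."""
import re

# Chromium switches that weaken browser isolation or disable security plugins.
BROWSER_WEAKENING_FLAGS = {"--no-sandbox", "--disable-extensions", "--disable-gpu-sandbox"}
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
ARCHIVERS = {"7za.exe", "7z.exe", "rar.exe", "winrar.exe"}
# Directories a standard user can write to; DLLs or task actions rooted here deserve scrutiny.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_renamed_archiver(ev):
    """OriginalFileName comes from the PE version resource, so 7za.exe run as
    idp.exe still reports 7za.exe: the mismatch is the renaming described above."""
    if ev.get("EventID") != 1:
        return None
    orig = ev.get("OriginalFileName", "").lower()
    if orig in ARCHIVERS and orig != basename(ev["Image"]):
        return f"renamed archiver {orig} running as {basename(ev['Image'])}"
    return None


def rule_scheduled_task(ev):
    """Task creation whose action lives under a user-writable path (heuristic only;
    it does not inspect whether the task was later hidden)."""
    if ev.get("EventID") != 1 or basename(ev["Image"]) != "schtasks.exe":
        return None
    cmd = ev.get("CommandLine", "").lower()
    if "/create" in cmd and any(p in cmd for p in USER_WRITABLE):
        return "scheduled task created with an action under a user-writable path"
    return None


def rule_unsigned_sideload(ev):
    """Unsigned DLL loaded from a user-writable directory (the QtGuid4.dll pattern)."""
    if ev.get("EventID") != 7:
        return None
    loaded = ev.get("ImageLoaded", "")
    if ev.get("Signed", "true").lower() == "false" and loaded.lower().startswith(USER_WRITABLE):
        return f"unsigned {basename(loaded)} loaded from user-writable path by {basename(ev['Image'])}"
    return None


def rule_browser_sandbox_flags(ev):
    """Browser started with isolation-weakening switches by something other than
    the user's shell or the browser itself."""
    if ev.get("EventID") != 1 or basename(ev["Image"]) not in BROWSERS:
        return None
    flags = set(re.findall(r"--[\w-]+", ev.get("CommandLine", "")))
    hit = flags & BROWSER_WEAKENING_FLAGS
    parent = basename(ev.get("ParentImage", ""))
    if hit and parent not in BROWSERS | {"explorer.exe"}:
        return f"{basename(ev['Image'])} launched with {sorted(hit)} by {parent}"
    return None


RULES = [rule_renamed_archiver, rule_scheduled_task, rule_unsigned_sideload, rule_browser_sandbox_flags]


def detect(events):
    """Return (rule name, message) for every event a rule fires on, in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings.append((rule.__name__, msg))
    return findings


# Constructed sample events: four that should fire, two benign controls.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\is-X1Y2.tmp\\idp.exe",
     "OriginalFileName": "7za.exe", "CommandLine": "idp.exe x data.zip",
     "ParentImage": "C:\\Users\\alice\\Downloads\\ImageConverter.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /create /tn Updater /tr C:\\Users\\alice\\AppData\\Roaming\\svc\\app.exe /sc minute /mo 30",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\is-X1Y2.tmp\\idp.exe"},
    {"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Roaming\\svc\\app.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\svc\\QtGuid4.dll", "Signed": "false"},
    {"EventID": 1, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "CommandLine": "chrome.exe --no-sandbox --disable-extensions --profile-directory=Default",
     "ParentImage": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"},
    {"EventID": 1, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "CommandLine": "chrome.exe --profile-directory=Default", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 7, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for name, msg in detect(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

Each rule keys on a property the attacker has to preserve for the technique to work (the archiver's version resource, the task action path, the DLL's signature status, the browser switches), which is what makes these heuristics more durable than hash-based indicators; the benign Chrome launch from explorer.exe and the signed kernel32.dll load are included to show the rules stay quiet on ordinary activity.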
As the sophistication of such attacks continues to escalate, organizations must prioritize layered security, robust endpoint monitoring, and ongoing threat intelligence to defend against these new-age threats leveraging seemingly benign installer frameworks.
Indicators of Compromise (IOC)
| Artifact | SHA256 Hash |
|---|---|
| Malicious Inno Setup Loader | 0d5311014c66423261d1069fda108dab33673bd68d697e22adb096db05d851b7 |
| Malicious Inno Setup Loader | 0ee63776197a80de42e164314cea55453aa24d8eabca0b481f778eba7215c160 |
| Malicious Inno Setup Loader | 12876f134bde914fe87b7abb8e6b0727b2ffe9e9334797b7dcbaa1c1ac612ed6 |
| Malicious Inno Setup Loader | 8f55ad8c8dec23576097595d2789c9d53c92a6575e5e53bfbc51699d52d0d30a |