In a concerning trend for Windows users and the broader cybersecurity landscape, cybercriminals are increasingly leveraging legitimate software installation frameworks such as Inno Setup to distribute potent malware strains.
Once trusted as a staple for streamlined, user-friendly application deployment, these installer packages are now being hijacked to sidestep security defenses and dupe unsuspecting victims.
How Legitimate Installers Turn Rogue
Inno Setup, renowned for its ease of packaging files, configurations, and dependencies into a single executable, is being exploited by attackers who wrap malicious payloads within seemingly safe installation programs.
The Splunk Threat Research Team (STRT) recently analyzed a sophisticated campaign where a malicious installer, disguised as decoy executables (such as “ImageConverter.exe”), takes full advantage of Inno Setup’s Pascal scripting features.

At the heart of this attack is an embedded Pascal script that activates a series of evasion and infection techniques. After a user launches the installer, the script checks for sandbox or malware analysis environments using obfuscated WMI queries and encrypted strings.
If the coast is clear, it downloads the next-stage payload via a TinyURL link, which redirects through credential-protected access on services like rentry[.]org, making detection and blocking difficult.
Stealthy Techniques and Notorious Payloads
Once the malicious package is downloaded, the installer employs a renamed version of 7-Zip to extract hidden components, using a hardcoded password to unlock the archive.
Furthermore, the loader creates a hidden scheduled task that points to an obfuscated copy of the malware, ensuring it survives reboots and evades casual detection.
The infection chain does not stop there. DLL sideloading is used to inject shellcode into memory, decrypting and executing a modular loader called HijackLoader, which was first discovered in 2023.
HijackLoader employs advanced evasion techniques, such as process hollowing and call stack spoofing, to load its final payload, specifically the RedLine Stealer.
This malware is notorious for stealing browser credentials, cookies, cryptocurrency wallet data, and extensive system information, while employing heavy obfuscation to evade static analysis.
Defensive Measures and Warnings
Security researchers emphasize the importance of vigilance, as such threats increasingly arrive through phishing emails, cracked software sites, and poisoned updates.
Splunk’s newly published threat detection analytics target telltale signs, such as unsanctioned access to Chrome’s “Local State” file, suspicious use of “--no-sandbox” browser flags, and the creation of invisible scheduled tasks.
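To make the three telltale signs concrete, the following is an added illustration (not Splunk’s published analytics and not code from the STRT write-up) of how those checks look as detection logic run over a handful of constructed telemetry records. The events mimic the shape of Sysmon process-creation and file-access records and of Windows Security event 4698 (scheduled task created, which carries the task XML); the field names, file paths, user name, task names and the decoy file name reused from the article are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real IoCs): two browser launches, two reads
# of Chrome's "Local State", and two scheduled-task registrations with the
# task XML abbreviated to the part the rule cares about.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\ImageConverter.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --headless=new'},
    {"type": "file_access", "image": r"C:\Users\alice\AppData\Local\Temp\ImageConverter.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"type": "file_access", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"type": "task_created", "task_name": r"\ImageConverterUpdate",
     "task_content": "<Task><Settings><Hidden>true</Hidden></Settings></Task>"},
    {"type": "task_created", "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "task_content": "<Task><Settings><Hidden>false</Hidden></Settings></Task>"},
]

# Browsers that legitimately read their own "Local State"; anything else touching
# that file is the anomaly the first analytic is after.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
LOCAL_STATE_RE = re.compile(r"\\google\\chrome\\user data\\local state$", re.IGNORECASE)
# Whole-token match so "--no-sandboxed" or similar does not fire.
NO_SANDBOX_RE = re.compile(r"(?:^|\s)--no-sandbox(?:\s|$)", re.IGNORECASE)
HIDDEN_TASK_RE = re.compile(r"<Hidden>\s*true\s*</Hidden>", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for image comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def check_no_sandbox(ev: dict):
    """Browser process started with the --no-sandbox flag."""
    if ev["type"] != "process" or basename(ev["image"]) not in BROWSER_IMAGES:
        return None
    if NO_SANDBOX_RE.search(ev["cmdline"]):
        return Finding("browser_no_sandbox_flag",
                       f"{basename(ev['image'])} launched with --no-sandbox by {ev['parent']}")
    return None


def check_local_state(ev: dict):
    """Non-browser process reading Chrome's Local State file."""
    if ev["type"] != "file_access" or not LOCAL_STATE_RE.search(ev["target"]):
        return None
    if basename(ev["image"]) in BROWSER_IMAGES:
        return None  # the browser reading its own state is expected
    return Finding("local_state_access_by_non_browser", f"{ev['image']} read {ev['target']}")


def check_hidden_task(ev: dict):
    """Scheduled task registered with the Hidden setting enabled in its XML."""
    if ev["type"] != "task_created" or not HIDDEN_TASK_RE.search(ev["task_content"]):
        return None
    return Finding("hidden_scheduled_task",
                   f"task {ev['task_name']} registered with <Hidden>true</Hidden>")


RULES = (check_no_sandbox, check_local_state, check_hidden_task)


def scan(events):
    """Run every rule over every event and collect the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.detail}")
```

Each rule deliberately keys on one of the three behaviours rather than on the decoy file name or the hashes, so the same logic keeps firing when the next campaign swaps its installer; the parent-process field carried into the finding is what an analyst would pivot on to tie a flagged browser launch back to the installer that spawned it.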
Bottom line: Even trusted software installers are no longer immune to abuse.
Both organizations and end-users should treat any unsolicited or unexpected installer with suspicion, maintain updated endpoint protection, and routinely monitor for anomalous system behaviors linked to these advanced malware campaigns.
IOC
| Malicious Inno Setup Loader Hashes |
|---|
| 0d5311014c66423261d1069fda108dab33673bd68d697e22adb096db05d851b7 |
| 0ee63776197a80de42e164314cea55453aa24d8eabca0b481f778eba7215c160 |
| 12876f134bde914fe87b7abb8e6b0727b2ffe9e9334797b7dcbaa1c1ac612ed6 |
| 8f55ad8c8dec23576097595d2789c9d53c92a6575e5e53bfbc51699d52d0d30a |