AhnLab, in collaboration with the National Cyber Security Center (NCSC) Joint Analysis and Consultation Council, has recently uncovered the attack of a hacking group that is supported by a certain government.
The discovered malware disguised itself as a security update installer and was developed using the Inno Setup software. A brief description of the software is provided below in the table.
Figure 1. Installer disguised as Security Upgrade
|A program developed by JrSoftware that serves as a tool for creating script-based installers for Windows OS|
Table 1. A brief description of Inno Setup
A script file called ‘install_script.iss’ exists within the installer that was created using Inno Setup. The program is formatted to be installed while creating files in the system according to the commands recorded in the script file.
The contents of the script file are as follows and the installation information is recorded in the ‘Programs and Features’ section as the malware is created in the system path ‘C:\ProgramData’.
Figure 2. Disguised installer
Figure 3. File information of install_script.iss
Figure 4. Installation information registered in Programs and Features
As shown below, the created malware is registered in the startup of the registry area and operates while residing in the system.
Figure 5. Malware operation overview
Figure 6. Registry information
System information is then stolen and sent to the threat actor’s C&C server. Furthermore, a variety of additional commands can be performed according to the threat actor’s remote commands.
Files with unknown sources should be scanned with V3 products, and it is recommended to download software from the official websites of the developers.
- File Detection
- URL & C2
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.