Warning: Malware Disguised as a Security Update Installer Being Distributed

AhnLab, in collaboration with the National Cyber Security Center (NCSC) Joint Analysis and Consultation Council, has recently uncovered the attack of a hacking group that is supported by a certain government.

The discovered malware disguised itself as a security update installer and was developed using the Inno Setup software. A brief description of the software is provided below in the table.

Figure 1. Installer disguised as Security Upgrade

Table 1. A brief description of Inno Setup

A script file called ‘install_script.iss’ exists within the installer that was created using Inno Setup. The program is formatted to be installed while creating files in the system according to the commands recorded in the script file.

The contents of the script file are as follows and the installation information is recorded in the ‘Programs and Features’ section as the malware is created in the system path ‘C:\ProgramData’.

Figure 2. Disguised installer

Figure 3. File information of install_script.iss

Figure 4. Installation information registered in Programs and Features

As shown below, the created malware is registered in the startup of the registry area and operates while residing in the system.

Figure 5. Malware operation overview

Figure 6. Registry information

System information is then stolen and sent to the threat actor’s C&C server. Furthermore, a variety of additional commands can be performed according to the threat actor’s remote commands.

 Files with unknown sources should be scanned with V3 products, and it is recommended to download software from the official websites of the developers.

[IOC]

• File Detection
  Dropper/Win.FakeGovuki (2023.04.15.01)
• MD5
  c5e0a2b881a60fb3440bb78e9920dccd
• URL & C2
  pita1.sportsontheweb[.]net

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.