Cybercriminals have increasingly turned to legitimate software installation frameworks as vehicles for malware distribution, with Inno Setup emerging as a preferred tool for threat actors seeking to bypass security measures. This legitimate Windows installer framework, originally designed to simplify software deployment, has become a sophisticated delivery mechanism for information-stealing malware campaigns that target browser credentials and cryptocurrency wallets. By leveraging a legitimate framework like Inno Setup, attackers can distribute malware through various channels, including phishing campaigns, compromised software repositories, and malicious advertisements, without triggering immediate suspicion from users or security systems.

These weaponized installers masquerade as legitimate applications while executing complex infection chains that ultimately deploy RedLine Stealer, a widely distributed information-stealing malware known for harvesting sensitive data from compromised systems. The malicious campaign exploits Inno Setup's Pascal scripting capabilities to create seemingly legitimate software installers that conceal multi-stage malware payloads. Recent analysis by Splunk researchers has identified a sophisticated attack chain that leverages multiple evasion techniques to avoid detection by security tools and sandbox environments. The campaign demonstrates advanced tradecraft, employing XOR encryption, anti-analysis measures, and legitimate system tools to maintain persistence and evade detection throughout the infection process. The attack vector represents a significant evolution in malware distribution tactics, as threat actors abuse the inherent trust users place in software installers.

Upon execution, the installer performs comprehensive environment analysis using Windows Management Instrumentation (WMI) queries. It executes Select * From Win32_Process where Name= to identify processes associated with malware analysis tools, and it runs queries such as SELECT * FROM Win32_Processor and SELECT * FROM Win32_ComputerSystem to gather system information and identify virtual machine environments commonly used for malware analysis.

The infection chain culminates with DLL side-loading: a legitimate application (ScoreFeedbackTool.exe) loads a trojanized QtGuid4.dll, which then decrypts and executes the HijackLoader component. HijackLoader ultimately deploys RedLine Stealer into a spawned MSBuild.exe process, effectively hiding the malicious payload within a legitimate Windows development tool.
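As an added detection example (not code from the article or from Splunk), the script below correlates the two behaviours described above in endpoint telemetry: the installer's WMI reconnaissance queries and MSBuild.exe being spawned by an unexpected parent. The event schema, the sample events, the `sample.exe` filter value (the article quotes the query only up to `Name=`) and the allow-list of parents that normally launch MSBuild.exe are all constructed assumptions.

```python
"""Added example: flag WMI reconnaissance plus an unexpected MSBuild.exe spawn.
Event records use a simplified, constructed schema, not a real Sysmon format."""
import re

# WMI classes the article says the installer queries, grouped by purpose.
WMI_PATTERNS = {
    # "Select * From Win32_Process where Name=...": looks for analysis tools
    "analysis-tool-check": re.compile(r"from\s+win32_process\b", re.I),
    # Win32_Processor / Win32_ComputerSystem: hardware and VM fingerprinting
    "vm-fingerprint": re.compile(r"from\s+win32_(processor|computersystem)\b", re.I),
}
# Assumption: parents that normally launch MSBuild.exe in this environment.
MSBUILD_EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "cmd.exe"}

def classify_wmi_query(query):
    """Return the reconnaissance category of a WMI query, or None if benign."""
    for tag, pattern in WMI_PATTERNS.items():
        if pattern.search(query):
            return tag
    return None

def detect_installer_chain(events):
    """Correlate WMI recon per process with an unexpected MSBuild.exe spawn."""
    findings, recon = [], {}
    for ev in events:
        if ev["type"] == "wmi_query":
            tag = classify_wmi_query(ev["query"])
            if tag:
                recon.setdefault(ev["process"], set()).add(tag)
        elif ev["type"] == "process_create":
            if (ev["image"].lower() == "msbuild.exe"
                    and ev["parent"].lower() not in MSBUILD_EXPECTED_PARENTS):
                findings.append(f"MSBuild.exe spawned by unexpected parent {ev['parent']}")
    for proc, tags in recon.items():
        if {"analysis-tool-check", "vm-fingerprint"} <= tags:
            findings.append(f"{proc}: process enumeration plus VM fingerprinting via WMI")
    return findings

# Constructed sample telemetry; the Win32_Process filter value is invented
# because the article quotes the query only up to "Name=".
SAMPLE_EVENTS = [
    {"type": "wmi_query", "process": "setup.exe",
     "query": "Select * From Win32_Process where Name='sample.exe'"},
    {"type": "wmi_query", "process": "setup.exe", "query": "SELECT * FROM Win32_Processor"},
    {"type": "wmi_query", "process": "setup.exe", "query": "SELECT * FROM Win32_ComputerSystem"},
    {"type": "wmi_query", "process": "inventory.exe", "query": "SELECT * FROM Win32_OperatingSystem"},
    {"type": "process_create", "image": "MSBuild.exe", "parent": "ScoreFeedbackTool.exe"},
    {"type": "process_create", "image": "MSBuild.exe", "parent": "devenv.exe"},
]
```

Running `detect_installer_chain(SAMPLE_EVENTS)` yields two findings, one for the MSBuild.exe spawn under ScoreFeedbackTool.exe and one for setup.exe's combined WMI reconnaissance; the benign inventory query and the devenv.exe-launched MSBuild are not flagged.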
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 05 Jul 2025 08:35:12 +0000