Hackers Exploit Legitimate Inno Setup Installer to Use as a Malware Delivery Vehicle
Cybercriminals have increasingly turned to legitimate software installation frameworks as vehicles for malware distribution, with Inno Setup emerging as a preferred tool for threat actors seeking to bypass security measures.
This legitimate Windows installer framework, originally designed to simplify software deployment, has become a sophisticated delivery mechanism for information-stealing malware campaigns that target browser credentials and cryptocurrency wallets.
The malicious campaign exploits Inno Setup’s Pascal scripting capabilities to create seemingly legitimate software installers that conceal multi-stage malware payloads.
These weaponized installers masquerade as legitimate applications while executing complex infection chains that ultimately deploy RedLine Stealer, a widely distributed information-stealing malware known for harvesting sensitive data from compromised systems.
Recent analysis by Splunk researchers has identified a sophisticated attack chain that leverages multiple evasion techniques to avoid detection by security tools and sandbox environments.
The campaign demonstrates advanced tradecraft, employing XOR encryption, anti-analysis measures, and legitimate system tools to maintain persistence and evade detection throughout the infection process.
The attack vector represents a significant evolution in malware distribution tactics, as threat actors abuse the inherent trust users place in software installers.
By leveraging legitimate frameworks like Inno Setup, attackers can distribute malware through various channels including phishing campaigns, compromised software repositories, and malicious advertisements without triggering immediate suspicion from users or security systems.
Advanced Evasion and Persistence Mechanisms
The malware’s sophisticated evasion strategy begins with its Pascal script implementation, which uses XOR encryption to obfuscate critical strings and commands.
Upon execution, the installer performs comprehensive environment analysis using Windows Management Instrumentation (WMI) queries, specifically executing Select * From Win32_Process where Name= to identify processes associated with malware analysis tools.
If analysis tools are detected, the installer immediately terminates to avoid investigation.
The campaign employs multiple layers of sandbox evasion, including filename pattern matching and system profiling.
The malware checks for specific substrings in the installer’s filename, such as “application_stable_release,” before proceeding with payload delivery.
Additionally, it executes WMI queries like SELECT * FROM Win32_Processor and SELECT * FROM Win32_ComputerSystem to gather system information and identify virtual machine environments commonly used for malware analysis.
For persistence, the malware creates hidden scheduled tasks using the command schtasks /Create /xml %temp%lang WhatsAppSyncTaskMachineCore /f. The payload is extracted to %APPDATA%RoamingcontrolExplore and configured to execute automatically upon system reboot.
The infection chain culminates with DLL side-loading, where a legitimate application (ScoreFeedbackTool.exe) loads a trojanized QtGuid4.dll, which then decrypts and executes the HijackLoader component that ultimately deploys RedLine Stealer into a spawned MSBuild.exe process, effectively hiding the malicious payload within a legitimate Windows development tool.
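As an added illustration of how the behaviours described in this article (the WMI reconnaissance queries, the schtasks /xml persistence from a temp path, the side-loaded DLL and the MSBuild.exe child process) can be turned into detection logic, the following Python is example code written for this page, not code from Splunk, from the article or from any product. It runs a few heuristic rules over constructed telemetry records modelled loosely on process-creation, image-load and WMI-activity events. The record types ProcessCreate, ImageLoad and WmiQuery, their field names, the user name and directory layout in the sample paths, and the analysis-tool name in the WQL filter are all assumptions made for the example; the task name, the WQL queries and the file names are taken from the article.

```python
import re
from dataclasses import dataclass
from typing import List, Union

# Simplified telemetry records (assumed shapes, not a real log schema).
@dataclass
class ProcessCreate:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str

@dataclass
class ImageLoad:
    image: str          # process performing the load
    loaded: str         # full path of the module loaded

@dataclass
class WmiQuery:
    client_image: str   # process that issued the WQL query
    query: str

Event = Union[ProcessCreate, ImageLoad, WmiQuery]

# Paths a standard user can write to: profile AppData trees and the %temp%/%appdata% variables.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|%temp%|%appdata%", re.I)
# Parents from which MSBuild.exe is normally launched on a developer machine.
BUILD_PARENTS = ("devenv.exe", "dotnet.exe", "msbuild.exe")

def check_process_create(ev: ProcessCreate) -> List[str]:
    findings = []
    image, cl, parent = ev.image.lower(), ev.command_line.lower(), ev.parent_image.lower()
    # Task definition imported from a user-writable path; /f silently overwrites an existing task.
    if image.endswith("\\schtasks.exe") and "/create" in cl and "/xml" in cl and USER_WRITABLE.search(cl):
        findings.append("schtasks task definition imported from a user-writable path")
    # MSBuild.exe started by something other than build tooling, or by a binary in a user profile.
    if image.endswith("\\msbuild.exe") and (not parent.endswith(BUILD_PARENTS) or USER_WRITABLE.search(parent)):
        findings.append("MSBuild.exe spawned by a non-build-tool parent")
    return findings

def check_image_load(ev: ImageLoad) -> List[str]:
    # Side-loading hallmark: the DLL resolves from the application's own directory
    # under a user-writable location rather than from a system directory.
    image_dir = ev.image.lower().rsplit("\\", 1)[0]
    dll_dir = ev.loaded.lower().rsplit("\\", 1)[0]
    if ev.loaded.lower().endswith(".dll") and dll_dir == image_dir and USER_WRITABLE.search(dll_dir):
        return ["DLL loaded from the executable's own user-writable directory (side-loading candidate)"]
    return []

def check_wmi_query(ev: WmiQuery) -> List[str]:
    findings = []
    q = " ".join(ev.query.lower().split())          # normalise whitespace and case
    from_user_dir = bool(USER_WRITABLE.search(ev.client_image))
    # Process enumeration filtered by name, issued by a binary running out of a temp/profile path.
    if re.match(r"select \* from win32_process\b", q) and "where name" in q and from_user_dir:
        findings.append("process enumeration by name from a user-writable path")
    # Hardware/system profiling typically used to fingerprint virtual machines.
    if q.startswith(("select * from win32_processor", "select * from win32_computersystem")) and from_user_dir:
        findings.append("system profiling query from a user-writable path")
    return findings

def scan(events: List[Event]) -> List[str]:
    findings = []
    for ev in events:
        if isinstance(ev, ProcessCreate):
            hits = check_process_create(ev)
        elif isinstance(ev, ImageLoad):
            hits = check_image_load(ev)
        else:
            hits = check_wmi_query(ev)
        findings.extend(f"{type(ev).__name__}: {h}" for h in hits)
    return findings

# Constructed sample telemetry; the user name, temp folder and analysis-tool name are invented.
INSTALLER = r"C:\Users\alice\AppData\Local\Temp\is-K1A2B.tmp\setup.tmp"
APP_DIR = r"C:\Users\alice\AppData\Roaming\controlExplore"
SAMPLE_EVENTS: List[Event] = [
    WmiQuery(INSTALLER, "Select * From Win32_Process where Name='example-analyzer.exe'"),
    WmiQuery(INSTALLER, "SELECT * FROM Win32_ComputerSystem"),
    ProcessCreate(r"C:\Windows\System32\schtasks.exe", INSTALLER,
                  r"schtasks /Create /xml %temp%lang WhatsAppSyncTaskMachineCore /f"),
    ImageLoad(APP_DIR + r"\ScoreFeedbackTool.exe", APP_DIR + r"\QtGuid4.dll"),
    ProcessCreate(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
                  APP_DIR + r"\ScoreFeedbackTool.exe", "MSBuild.exe"),
    # Benign controls: a normal Visual Studio build and a system DLL load should stay quiet.
    ProcessCreate(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
                  r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "MSBuild.exe proj.csproj"),
    ImageLoad(r"C:\Program Files\App\App.exe", r"C:\Windows\System32\kernel32.dll"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Each rule is deliberately narrow and pairs a suspicious action with a user-writable origin path, which is what keeps the benign controls quiet; in a real deployment the same rules would be expressed over the fields your EDR or Sysmon configuration actually emits, and the MSBuild parent allowlist tuned to the build tooling present in the environment.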