Warning: Malware Disguised as a Security Update Installer Being Distributed
AhnLab, in collaboration with the National Cyber Security Center (NCSC) Joint Analysis and Consultation Council, has recently uncovered an attack by a hacking group that is supported by a certain government.
The discovered malware was disguised as a security update installer and was built with the Inno Setup software. A brief description of the software is provided in the table below.
Figure 1. Installer disguised as Security Upgrade
Table 1. A brief description of Inno Setup
The installer created with Inno Setup contains a script file called ‘install_script.iss’. During installation, the installer creates files on the system according to the commands recorded in this script file.
The contents of the script file are shown below. The malware is created in the system path ‘C:\ProgramData’, and the installation information is recorded in the ‘Programs and Features’ section.
Figure 2. Disguised installer
Figure 3. File information of install_script.iss
Figure 4. Installation information …
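The installation trace described above can be checked on an endpoint. The PowerShell below is an added example, not part of the AhnLab report: it lists Inno Setup entries in the uninstall registry keys behind ‘Programs and Features’ whose install path is under C:\ProgramData, and compares the files found there with the hash listed under IoC. It assumes that hash is an MD5, since the page does not state the algorithm or which file it belongs to.

```powershell
# Added example (not from the AhnLab report): list Inno Setup installs that are
# registered in "Programs and Features" and live under C:\ProgramData.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'   # current user only
)
# IoC from this page; assumed to be an MD5 (32 hex characters). The page does not
# say which file it belongs to, so every file in a flagged directory is compared.
$iocMd5 = 'c5e0a2b881a60fb3440bb78e9920dccd'
$base   = $env:ProgramData.TrimEnd('\')        # normally C:\ProgramData

$findings = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        # Inno Setup writes "Inno Setup: ..." values into its uninstall key.
        if (-not $key.GetValue('Inno Setup: Setup Version')) { continue }
        $path = $key.GetValue('Inno Setup: App Path')
        if (-not $path) { $path = $key.GetValue('InstallLocation') }
        if (-not $path) { continue }
        $path = ([string]$path).TrimEnd('\')
        $underBase = $path -eq $base -or
            $path.StartsWith("$base\", [StringComparison]::OrdinalIgnoreCase)
        if (-not $underBase) { continue }

        # Hash the top-level files on disk so the entry can be checked against the IoC.
        $hits = @()
        if (Test-Path -LiteralPath $path) {
            $hits = @(Get-ChildItem -LiteralPath $path -File -ErrorAction SilentlyContinue |
                Get-FileHash -Algorithm MD5 -ErrorAction SilentlyContinue |
                Where-Object { $_.Hash -eq $iocMd5 } |
                Select-Object -ExpandProperty Path)
        }
        [pscustomobject]@{
            RegistryKey  = $key.Name
            DisplayName  = $key.GetValue('DisplayName')
            Publisher    = $key.GetValue('Publisher')
            InstallPath  = $path
            InstallDate  = $key.GetValue('InstallDate')
            IocHashMatch = $hits -join '; '
        }
    }
}
$findings | Sort-Object InstallDate -Descending | Format-List
```

Legitimate software also installs under C:\ProgramData with Inno Setup, so each result needs review by display name, publisher and install date; an empty IocHashMatch does not clear an entry.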
IoC
c5e0a2b881a60fb3440bb78e9920dccd
http://pita1.sportsontheweb.net