Adversaries have poisoned Google search results to drive traffic to a bogus website that mimics legitimate Microsoft pages offering Windows OS updates. Specifically, the “windows11-upgrade11[.]com” domain is used to host and spread information-stealing malware disguised as a Windows 11 update pack.
Tricked users who download the “update” in reality receive an ISO file containing the executable of an infostealer dubbed Inno Stealer.
The only “eligibility” check the lure imposes on its future victims is that their machine can run TPM (Trusted Platform Module) version 2.0, the hardware requirement of a genuine Windows 11 upgrade.
The Sigma-based rule below allows for swift and easy detection of Inno Stealer within your environment. The rule was developed by security engineer Osman Demir:
Suspicious Info Stealing Malware Defense Evasion by Disguising as Windows 11 Upgrade installer (via process_creation)
The detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, Carbon Black, ArcSight, QRadar, Devo, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Microsoft Defender ATP, Microsoft PowerShell, Apache Kafka ksqlDB, Open Distro, and Securonix.
The rule is aligned with the latest MITRE ATT&CK® framework v10, addressing the Defense Evasion tactic with File and Directory Permissions Modification (T1222) as the primary technique.
Follow the updates of detection content in the Threat Detection Marketplace repository of the SOC Prime Platform to stay well-informed of emerging threats – the View Detections button will take you to the vast library of rules translated to 25+ SIEM, EDR, XDR solutions. Both seasoned and aspiring threat hunters are welcome to share their Sigma-based content by joining SOC Prime’s Threat Bounty Program for professional guidance and stable income.
Inno Stealer is a multistage attack tool written in Delphi that infects victims’ machines through a sophisticated infection chain. The malware is carried by a dropper named “Windows 11 setup” that users unwittingly download from the scam website set up for this campaign, which pushes a fraudulent imitation of a Windows OS update. When the victim opens the file, it writes a temporary (.tmp) file to the infected disk. To maintain persistence, the info-stealer is configured to start again after a system reboot and adjusts the access rights on its files to stay as stealthy as possible.

Using the CreateProcess Windows API, the dropper creates four files. Two of them are used to disable Windows Defender. Another is a command-execution tool that runs with the highest local privileges. The fourth contains a script that drives that command tool. Once the Inno Setup stage completes, a packed file with the .scr extension is dropped onto the C: drive. As the researchers note, Windows treats .scr (screen saver) files as executables, so launching it unpacks the payload.
Once unpacking succeeds, PowerShell is used to stage the stolen data in the user’s Temp directory, from which it is sent to the attacker’s C2 server.
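To make the behaviours described above concrete, here is an added example (not SOC Prime’s published Sigma rule and not code from the researchers) that runs simple process_creation checks over a handful of constructed, Sysmon-style process events. The match patterns (a .scr launched straight from a drive root, PowerShell spawned by a .scr parent, Windows Defender being stopped via `sc`/`taskkill`/`Set-MpPreference`, and ACL tools such as `icacls.exe` for T1222) are assumptions modelled on the narrative, as are the file names and command lines in the sample events.

```python
"""Toy process_creation detector for the Inno Stealer infection chain.

Added example for illustration only: the rules below are assumptions derived
from the article's description, not the published Sigma rule, and the sample
events are constructed rather than captured from a real infection.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process_creation record (Sysmon Event ID 1 style)."""
    image: str          # full path of the newly created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# --- detection patterns (assumptions, see module docstring) -----------------
# A screen-saver file executed directly from a drive root, e.g. C:\foo.scr
_SCR_AT_DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+\.scr$", re.IGNORECASE)
# Common ways of taking Windows Defender down from a script
_DEFENDER_TAMPER = re.compile(
    r"(?:\bsc(?:\.exe)?\s+(?:stop|config)\s+windefend\b)"
    r"|(?:\btaskkill\b.*\bmsmpeng(?:\.exe)?\b)"
    r"|(?:\bset-mppreference\b.*-disable\w+)",
    re.IGNORECASE,
)
# Utilities used for File and Directory Permissions Modification (T1222.001)
_ACL_TOOLS = {"icacls.exe", "cacls.exe", "takeown.exe"}
_POWERSHELL = {"powershell.exe", "pwsh.exe"}


def evaluate(event: ProcessEvent) -> list[str]:
    """Return the names of all rules the event matches (empty list if none)."""
    hits: list[str] = []
    if _SCR_AT_DRIVE_ROOT.match(event.image):
        hits.append("scr_executed_from_drive_root")
    if _basename(event.image) in _POWERSHELL and _basename(event.parent_image).endswith(".scr"):
        hits.append("powershell_spawned_by_scr")
    if _DEFENDER_TAMPER.search(event.command_line):
        hits.append("defender_tampering")
    if _basename(event.image) in _ACL_TOOLS:
        hits.append("file_permission_modification_t1222")
    return hits


def scan(events: Iterable[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Pair every event that matched at least one rule with its rule names."""
    return [(ev, hits) for ev in events if (hits := evaluate(ev))]


# Constructed sample telemetry: one benign event followed by the stages the
# article describes (dropper .tmp -> .scr on C: -> Defender kill, ACL change,
# PowerShell staging to Temp). File names are invented for the example.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\upgrade.scr", r"C:\upgrade.scr",
                 r"C:\Users\victim\AppData\Local\Temp\setup.tmp"),
    ProcessEvent(r"C:\Windows\System32\sc.exe", "sc stop WinDefend",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\icacls.exe",
                 r'icacls C:\upgrade.scr /inheritance:r /grant:r "%USERNAME%":(F)',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell -w hidden -c Copy-Item $env:USERPROFILE\loot\* $env:TEMP",
                 r"C:\upgrade.scr"),
]


if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(f"{ev.image}: {', '.join(hits)}")
```

Each rule on its own is noisy (administrators run `icacls`, and screen savers are legitimately executable), which is why a production rule correlates several of these signals on the same host within a short window; the point of the example is to show the individual process_creation conditions that such a correlation is built from.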
The Inno Stealer operators built their malware on a legitimate Inno Setup Windows installer, hence its moniker.
According to the researchers, the new infostealer doesn’t bear any resemblance to other malware of this type currently in circulation.
Ready to discover new detection content and take your threat hunting practices to a whole new level? Browse through a vast library of detection content and instantly hunt for the latest threats in your SIEM or XDR environment – sign up for free. Or join Threat Bounty Program to craft your own content and share it with the cybersecurity community.