Report

Dissecting the Malware Involved in the INOCNATION Campaign

14 pages

This threat advisory analyzes the INOCNATION malware campaign and the RAT it delivers, highlighting a layered design built to evade discovery and frustrate analysis. The attack starts with a dropper that writes and runs both a RAT installer and a legitimate Cisco AnyConnect installer as a decoy, using an XOR obfuscation that skips null bytes and bytes equal to the key in order to hinder extraction. The RAT installer performs sandbox detection via mouse-movement checks, drops an obfuscated DLL payload whose MZ header is deliberately mangled and later repaired, establishes persistence through a Run registry key, deletes itself, and executes the payload through regsvr32. The implant uses Unicode string stacking plus multiple XOR layers and SSL/TLS for C2 traffic, and supports commands such as reverse shell, file transfer, system info, and unin