Dissecting the Malware Involved in the INOCNATION Campaign

Executive Summary

As the findings of a new malware attack campaign named INOCNATION emerged, Fidelis Threat Research investigated the Remote Access Tool (RAT) used in this campaign and discovered some interesting characteristics. This particular RAT employs simple but cunning techniques to prevent its discovery or further investigation. The embedded anti-analysis techniques and other capabilities show tradecraft that is integrated directly into the malware’s layers. Specifically, we found that the malware uses the following techniques:

  • Several XOR variants to obfuscate components and the strings they contain
  • The use of trusted security software as a decoy during initial infection
  • Sandbox detection
  • A mangled MZ header to deceive security products
  • String Stacking obfuscation with Unicode Strings
  • More than one layer of obfuscation for its command and control traffic
  • Uninstall functionality
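Two of the techniques listed above, the mangled MZ header and XOR-obfuscated strings (ASCII and Unicode), are the kind of thing an analyst checks for during first-pass triage. The following Python script is an added example and is not code from the advisory or from Fidelis: it validates the DOS/PE header pair of a sample and brute-forces single-byte XOR keys by looking for known plaintext tokens in both ASCII and UTF-16LE form. The advisory does not state which XOR keys the RAT used or how its header was mangled, so the sample byte blobs, the keys 0x5A and 0x31, and the search tokens here are constructed for illustration only.

```python
import struct

# --- Header check -----------------------------------------------------------

def check_pe_header(data: bytes) -> list[str]:
    """Return a list of anomalies in the DOS/PE header pair.

    An empty list means the header looks well-formed. A mangled MZ header
    typically trips one of these checks (bad 'MZ' magic, e_lfanew pointing
    outside the file, or no 'PE\\0\\0' signature at e_lfanew).
    """
    findings = []
    if len(data) < 0x40:
        return ["file shorter than a DOS header"]
    if data[:2] != b"MZ":
        findings.append("DOS magic is not 'MZ'")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        findings.append(f"e_lfanew 0x{e_lfanew:x} points outside the file or overlaps the DOS header")
    elif data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        findings.append("no 'PE\\0\\0' signature at e_lfanew")
    return findings


# --- Single-byte XOR key search ---------------------------------------------

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def xor_key_candidates(blob: bytes, needles: list[bytes]) -> dict[bytes, dict[str, list[int]]]:
    """For each plaintext needle, return the single-byte XOR keys under which it
    appears in the decoded blob, tried as ASCII and as UTF-16LE (the Unicode
    form string-stacking malware often uses). Key 0 is the plaintext view and
    is skipped.
    """
    results = {}
    for needle in needles:
        encodings = {"ascii": needle, "utf-16-le": needle.decode("ascii").encode("utf-16-le")}
        results[needle] = {}
        for name, enc in encodings.items():
            # The needle appears after decoding with key k iff needle^k appears in the blob.
            results[needle][name] = [k for k in range(1, 256) if xor_bytes(enc, k) in blob]
    return results


# --- Constructed samples (not bytes from the advisory) ----------------------

def _build_header(magic: bytes, e_lfanew: int) -> bytes:
    """Build a minimal 128-byte DOS header followed by a PE signature."""
    hdr = bytearray(0x80)
    hdr[0:2] = magic
    hdr[0x3C:0x40] = struct.pack("<I", e_lfanew)
    if 0 <= e_lfanew <= len(hdr) - 4:
        hdr[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    return bytes(hdr)


GOOD_SAMPLE = _build_header(b"MZ", 0x40)
BAD_MAGIC_SAMPLE = _build_header(b"ZM", 0x40)            # signature bytes swapped
BAD_LFANEW_SAMPLE = _build_header(b"MZ", 0x7FFFFFF0)     # e_lfanew outside the file

# Null padding, an ASCII HTTP fragment XORed with 0x5A, and a UTF-16LE library
# name XORed with 0x31; both keys are arbitrary choices for this example.
SAMPLE_BLOB = (
    b"\x00" * 16
    + xor_bytes(b"GET /index.php HTTP/1.1\r\nUser-Agent: constructed-sample", 0x5A)
    + xor_bytes("kernel32.dll".encode("utf-16-le"), 0x31)
)

if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad magic", BAD_MAGIC_SAMPLE), ("bad e_lfanew", BAD_LFANEW_SAMPLE)):
        print(label, check_pe_header(sample) or "header OK")
    for needle, hits in xor_key_candidates(SAMPLE_BLOB, [b"HTTP/1.", b"kernel32.dll"]).items():
        print(needle, {enc: [hex(k) for k in keys] for enc, keys in hits.items()})
```

On a real sample the needle list would hold tokens the analyst expects in a RAT (protocol fragments, library names, registry paths); a key that decodes several independent needles is a strong signal, while a single accidental hit on a short needle is not. The header check deliberately reports every anomaly rather than stopping at the first, since a file that fails several checks at once is more likely deliberately mangled than merely truncated.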
