New Ways to Hide Ransomware
Friday, March 17, 2017 @ 03:03 PM gHale
New ransomware campaigns are taking advantage of installer files from the Nullsoft Scriptable Install System (NSIS), researchers said.
“These new installers pack significant updates, indicating a collective move by attackers to once again dodge AV detection by changing the way they package malicious code,” said Andrea Lelli from the Microsoft Malware Protection Center. “These changes are in installers that drop ransomware like Cerber, Locky, and others.”
Attackers have long hidden malware inside NSIS installer files. As antivirus software became effective at detecting those installers, attackers are once again updating their tools to penetrate computers, the researchers said.
The new NSIS installers attempt to evade anti-virus detection by trying to look as normal as possible.
These include more non-malicious plugins in addition to the installation engine System.dll, a .bmp file used as the background image for the installer interface, and a non-malicious uninstaller component, uninst.exe.
The NSIS installers no longer feature the randomly named DLL file previously used to decrypt the encrypted malware. Because of this major change, the footprint of malicious code in the NSIS installer package shrinks greatly, Lelli said in a blog post.
Microsoft last month observed an uptick in the adoption of the new installers that install ransomware. Instead of using a DLL file to decrypt the malicious payload, the new installers pack a Nullsoft installation script that loads the encrypted data file in memory and executes its code area.
Not only is the malicious payload encrypted, but the installation script is also obfuscated. The script loads the encrypted data file into memory, then locates the code area inside it at offset 12137. Next, the script calls into that code area of the encrypted data file. The code area is only the first decryption layer; the code further decrypts itself in stages until the final payload runs, Microsoft researchers said.
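The indicators the article describes (System.dll plus a background .bmp and uninst.exe, no randomly named decryptor DLL, and a large encrypted data file that the script loads into memory) can be turned into a simple triage heuristic. The script below is an added example, not code from the article or from Microsoft. It assumes the installer has already been unpacked (7-Zip can extract NSIS installers) into a set of named files, modelled here as an in-memory dict of name to bytes so it runs offline; the entropy and size thresholds, the random-name pattern, and the sample package contents are constructed for illustration.

```python
"""Heuristic triage of an unpacked NSIS installer's contents.

Added example (not from the article or Microsoft's blog). Assumes the
installer has been unpacked into name -> bytes; thresholds and the
random-name pattern are constructed heuristics, not published indicators.
"""
import math
import random
import re

HIGH_ENTROPY = 7.2            # bits/byte; compressed or encrypted data sits near 8.0
MIN_PAYLOAD_SIZE = 32 * 1024  # assumption: an encrypted payload is at least tens of KB
# Components the article lists as the installer's normal-looking parts.
KNOWN_COMPONENTS = {"system.dll", "uninst.exe"}
# Coarse heuristic for a random-looking DLL stem (e.g. 'a7f3kq2z'): contains a
# digit and is 6+ alphanumerics, or is 8+ consonants/digits with no vowel.
RANDOM_STEM = re.compile(r"^(?=.*\d)[a-z0-9]{6,}$|^[bcdfghjklmnpqrstvwxyz0-9]{8,}$")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty/constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_random_dll(name: str) -> bool:
    """True for a DLL whose file stem looks randomly generated (heuristic)."""
    lname = name.lower()
    if not lname.endswith(".dll") or lname in KNOWN_COMPONENTS:
        return False
    return bool(RANDOM_STEM.match(lname[:-4]))


def triage(files: dict) -> dict:
    """Score an unpacked installer's files against the article's indicators.

    `files` maps file name -> raw bytes. Returns findings, the candidate
    payload files, the randomly named DLLs, and a 'clean'/'suspicious' verdict.
    """
    names = {n.lower() for n in files}
    findings = []
    if "system.dll" in names:
        findings.append("bundles System.dll (installation engine)")
    random_dlls = [n for n in files if looks_random_dll(n)]
    if random_dlls:
        findings.append(f"randomly named DLL(s) {random_dlls}: older decryptor-DLL pattern")
    payloads = []
    for name, data in files.items():
        lname = name.lower()
        # PE files and the UI bitmap are expected components; skip them.
        if lname.endswith((".dll", ".exe", ".bmp")) or data[:2] == b"MZ":
            continue
        if len(data) >= MIN_PAYLOAD_SIZE and shannon_entropy(data) >= HIGH_ENTROPY:
            payloads.append(name)
    if payloads:
        findings.append(f"large high-entropy data file(s) {payloads}: possible encrypted payload")
    # Either packaging style needs something to load the blob: the engine or a decryptor DLL.
    suspicious = bool(payloads) and ("system.dll" in names or bool(random_dlls))
    return {"findings": findings, "payload_candidates": payloads,
            "random_dlls": random_dlls, "verdict": "suspicious" if suspicious else "clean"}


def _pseudo_random(n: int, seed: int = 1) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted blob."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample packages (not real installers).
BENIGN_PACKAGE = {
    "System.dll": b"MZ" + b"\x00" * 4096,
    "uninst.exe": b"MZ" + b"\x00" * 4096,
    "background.bmp": b"BM" + b"\xff\x00" * 2048,
    "settings.ini": b"[Install]\nDir=C:\\Program Files\\Example\n" * 20,
}
# New style per the article: normal components plus an encrypted data file, no decryptor DLL.
NEW_STYLE_PACKAGE = {**BENIGN_PACKAGE, "data.bin": _pseudo_random(64 * 1024)}
# Older style: randomly named decryptor DLL alongside the encrypted payload.
OLD_STYLE_PACKAGE = {
    "a7f3kq2z.dll": b"MZ" + b"\x00" * 4096,
    "payload.dat": _pseudo_random(64 * 1024, seed=2),
}

if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN_PACKAGE), ("new-style", NEW_STYLE_PACKAGE),
                       ("old-style", OLD_STYLE_PACKAGE)):
        print(label, triage(pkg))
```

A legitimate installer that ships a large compressed asset next to System.dll will also trip this heuristic, so treat a "suspicious" verdict as a reason to detonate the sample in a sandbox or inspect the installation script, not as a conviction on its own.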
“By constantly updating the contents and function of the installer package, the cybercriminals are hoping to penetrate more computers and install malware by evading antivirus solutions,” Lelli said.