New Ways to Hide Ransomware

Friday, March 17, 2017 @ 03:03 PM gHale


New ransomware campaigns are taking advantage of installer files from the Nullsoft Scriptable Install System (NSIS), researchers said.

“These new installers pack significant updates, indicating a collective move by attackers to once again dodge AV detection by changing the way they package malicious code,” said Andrea Lelli from the Microsoft Malware Protection Center. “These changes are in installers that drop ransomware like Cerber, Locky, and others.”


Bad guys have often hidden malware in NSIS installer files. As antivirus software became effective at detecting those installer files, attackers are once again updating their tools to penetrate computers, the researchers said.

The new NSIS installers attempt to evade anti-virus detection by trying to look as normal as possible.

These include more non-malicious plugins in addition to the installation engine system.dll, a .bmp file used as the background image for the installer interface, and a non-malicious uninstaller component, uninst.exe.

The NSIS installers no longer feature the randomly named DLL file used to decrypt the encrypted malware. Because of this major change, the footprint of malicious code in the NSIS installer package goes down greatly, Lelli said in a blog post.

Microsoft last month observed an uptick in the adoption of the new installers that install ransomware. Instead of using a DLL file to decrypt the malicious payload, the new installers pack a Nullsoft installation script that loads the encrypted data file in memory and executes its code area.

Not only is the malicious payload encrypted, but the installation script is also obfuscated. The script loads the encrypted data file into memory, then gets the offset to the code area (12137). Next, the script issues a call to the encrypted data file. The code area in the encrypted data file is the first decryption layer, but the script further decrypts the code until it runs the final payload, Microsoft researchers said.
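The two structural points above, a package that looks like an ordinary NSIS installer (plugins, a .bmp, uninst.exe) and no decryptor DLL, with the payload surviving only as an encrypted data file, are what a defender can key on when triaging an unpacked installer. The following is an added example written for this article, not Microsoft's code or any tool from the post: it identifies an NSIS installer by the signature NSIS writes into its first header (0xDEADBEEF followed by "NullsoftInst"), then scores the unpacked contents, flagging any large high-entropy file that is neither a PE image nor a picture. The entropy threshold, minimum blob size, and the sample package are assumptions constructed for the example.

```python
"""Triage helper for unpacked NSIS installers (added example, not Microsoft's code)."""
import math
from collections import Counter

# Signature NSIS writes at the start of its "first header": 0xDEADBEEF little-endian,
# followed by the ASCII string "NullsoftInst".
NSIS_SIGNATURE = b"\xef\xbe\xad\xdeNullsoftInst"

# Benign housekeeping components the article lists in the new installers.
SUPPORT_FILES = {"system.dll", "uninst.exe"}
IMAGE_EXTENSIONS = (".bmp", ".ico", ".png", ".jpg")
# Thresholds are assumptions for this example; tune them against your own corpus.
HIGH_ENTROPY_BITS = 7.2     # bits per byte; encrypted or compressed data sits near 8.0
MIN_BLOB_SIZE = 4096        # ignore small config/resource files


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_nsis_installer(blob: bytes) -> bool:
    """True if the NSIS first-header signature appears anywhere in the file."""
    return NSIS_SIGNATURE in blob


def triage_nsis_contents(files: dict) -> dict:
    """files maps a path inside the unpacked installer to its bytes.

    Flags the pattern the article describes: only the normal support files,
    no stand-alone decryptor DLL, plus a large high-entropy blob that is
    neither an executable nor an image (the encrypted payload the script
    loads into memory).
    """
    report = {"support_files": [], "other_dlls": [], "high_entropy_blobs": []}
    for path, data in files.items():
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in SUPPORT_FILES:
            report["support_files"].append(path)
        elif name.endswith(".dll"):
            report["other_dlls"].append(path)     # old-style decryptor candidates
        elif name.endswith(IMAGE_EXTENSIONS) or data[:2] == b"MZ":
            continue                               # pictures and PE files are not the blob
        elif len(data) >= MIN_BLOB_SIZE and shannon_entropy(data) >= HIGH_ENTROPY_BITS:
            report["high_entropy_blobs"].append(path)
    report["verdict"] = "suspicious" if report["high_entropy_blobs"] else "no finding"
    return report


# Constructed sample package mimicking the layout described in the article.
SAMPLE_PACKAGE = {
    "$PLUGINSDIR/System.dll": b"MZ" + b"\x00" * 2000,
    "$PLUGINSDIR/background.bmp": b"BM" + b"\x00" * 5000,
    "uninst.exe": b"MZ" + b"\x00" * 3000,
    "data.bin": bytes(range(256)) * 32,       # stand-in for the encrypted payload
}

# Constructed installer stub: PE header bytes, then the NSIS first header.
SAMPLE_INSTALLER = b"MZ" + b"\x00" * 510 + NSIS_SIGNATURE + b"\x00" * 64

if __name__ == "__main__":
    print("NSIS installer:", is_nsis_installer(SAMPLE_INSTALLER))
    print(triage_nsis_contents(SAMPLE_PACKAGE))
```

In practice the contents dictionary would come from unpacking a suspect installer with an archiver that understands NSIS, and a hit on `high_entropy_blobs` with an empty `other_dlls` list is the signal to hand the installer script itself to an analyst, since the script, not a DLL, now carries the decryption logic.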

“By constantly updating the contents and function of the installer package, the cybercriminals are hoping to penetrate more computers and install malware by evading antivirus solutions,” Lelli said.

The distribution campaigns leveraging the new NSIS installers usually follow a specific scheme. Spam emails that mimic invoice delivery notifications deliver a malicious attachment, which could be a JavaScript downloader, a JavaScript downloader in a .zip file, a .LNK file that contains a PowerShell script, or a document with malicious macros. When the intended victim opens the attachment, the NSIS installer is downloaded, which in turn decrypts and runs the malware.
