Ransomware operators are hiding malware deeper in installer packages


We are seeing a wave of new NSIS installers used in ransomware campaigns. These new installers pack significant updates, indicating a collective move by attackers to once again dodge AV detection by changing the way they package malicious code. These changes are observed in installers that drop ransomware like Cerber, Locky, and others.

Cybercriminals have been known to hide malware in Nullsoft Scriptable Install System (NSIS) installer files. As antivirus software now effectively detects these installer files, cybercriminals are once again updating their tools to get onto computers.

The new malicious NSIS installers visibly attempt to look as normal as possible by incorporating non-malicious components that usually appear in legitimate installers:

  • More non-malicious plugins, in addition to the installation engine system.dll
  • A .bmp file that serves as a background image for the installer interface, to mimic legitimate ones
  • A non-malicious uninstaller component uninst.exe

The most significant change, however, is the absence of the usual randomly named DLL file, which was previously used to decrypt the encrypted malware. This change significantly reduces the footprint of malicious code in the NSIS installer package.


Figure 1. Comparison of contents of old NSIS installers and the updated installers, highlighting the absence of the randomly named DLL file in the updated version

The adoption of these updated NSIS installers by cybercriminals is quite significant, as reflected in the uptick in the number of unique NSIS installers that drop ransomware starting last month.


Figure 2. There is an increase in volume of unique NSIS installers that drop ransomware

Updated NSIS malware installers

In older versions of malicious Nullsoft installers, the package contained a malicious DLL that decrypts and runs the encrypted data file, which contains both the encrypted payload and decryption code.

In the new version, the malicious DLL is absent. Instead, the Nullsoft installation script is in charge of loading the encrypted data file in memory and executing its code area.

The installation script itself is obfuscated:


Figure 3. Installation script

After loading the encrypted data file into memory, the script gets the offset to the code area (12137):


Figure 4. Part of the code that shows the offset

It then issues a call:


Figure 5. Part of the code that shows the call to the encrypted data file

The code area in the encrypted data file is the first decryption layer:


Figure 6. Data file after first decryption

The script then further decrypts the code, eventually decrypting and running the final payload.
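As an added example, not code from the original post or from Microsoft's tooling, the following Python triage helper looks for the pattern described above in a suspected data file dropped by such an installer: a blob that is not a PE, is mostly encrypted, but contains a plaintext code stretch that the installation script jumps into. It assumes plain machine code has markedly lower byte entropy than encrypted data, and the sample blob is constructed for the demonstration rather than taken from a real installer.

```python
import math
import random

WINDOW = 1024       # bytes per entropy window; coarse but fast
THRESHOLD = 6.0     # bits/byte; encrypted data sits near 8, plain code well below

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def low_entropy_regions(blob: bytes, window: int = WINDOW,
                        threshold: float = THRESHOLD) -> list:
    """(start, end) ranges of consecutive windows below threshold.
    Boundaries are only as precise as the window size."""
    regions, start = [], None
    for off in range(0, len(blob), window):
        if shannon_entropy(blob[off:off + window]) < threshold:
            if start is None:
                start = off
        elif start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(blob)))
    return regions

def triage_data_file(blob: bytes) -> dict:
    """Summarise a suspected data file: not a PE, mostly encrypted, but with
    plaintext stretches where a decryption stub could live."""
    return {
        "is_pe": blob[:2] == b"MZ",
        "overall_entropy": round(shannon_entropy(blob), 2),
        "low_entropy_regions": low_entropy_regions(blob),
    }

def build_sample() -> bytes:
    """Constructed stand-in, not a real sample: 16 KiB of seeded pseudo-random
    bytes (the 'encrypted' part) with a 1 KiB repetitive stretch at offset 12288
    playing the role of the code area the installer script calls into."""
    rnd = random.Random(1)
    blob = bytearray(rnd.getrandbits(8) for _ in range(16384))
    blob[12288:13312] = bytes([0x90, 0x48, 0x8B, 0xC4]) * 256
    return bytes(blob)
```

Shrinking the window narrows the reported boundaries toward the real start of the code area at the cost of noisier per-window estimates.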

By constantly updating the contents and function of the installer package, the cybercriminals are hoping to penetrate more computers and install malware by evading antivirus solutions.

NSIS installers in ransomware campaigns

Given the pervasiveness of NSIS installers that distribute ransomware, they are likely part of a distribution network used by attackers to install their malware.

These NSIS installers are used in campaigns that deliver malware, most notably ransomware. The campaigns usually follow this scheme:

  1. The attack vector is email. Email messages are crafted to mimic invoice delivery notifications.
  2. The email messages contain any of the following malicious attachments:
    • JavaScript downloaders
    • JavaScript downloaders in .zip files
    • .LNK files that contain PowerShell scripts
    • Documents with malicious macro code
  3. The malicious attachment, when opened, downloads the NSIS installer
  4. The NSIS installer then decrypts and runs the malware

We have seen the NSIS installers deliver the following malware, which include notorious ransomware families, in recent campaigns:

  • Cerber
  • Locky
  • Teerac (aka Crypt0L0cker)
  • Crowti (aka CryptoWall)
  • Wadhrama
  • Critroni (aka CTB-Locker)

Real-time security solutions for constantly evolving threats

Cybercriminals will stop at nothing in attempting to sidestep security solutions in order to install malware on your computer. The fact that we’re seeing these innovations in cybercriminal operations that deliver ransomware reveals that they are highly motivated to achieve their ultimate goal: to siphon money off their victims. Unfortunately, for enterprises, the damage of a successful malware infection can be much more than just cash.

At Microsoft, we monitor the threat landscape very closely to detect movements like updated infection techniques. We do this so that we can make sure we provide the best possible protection for our customers. Understanding attacker techniques not only allows us to create solutions for specific attacks but lets us see trends for which more heuristic solutions are needed.

To get the latest protection from Microsoft, upgrade to Windows 10. Keeping your computers up-to-date gives you the benefits of the latest features and proactive mitigation built into the latest versions of Windows.

Enable Windows Defender Antivirus to detect these new NSIS installers. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.

For enterprises, use Device Guard to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing these NSIS installers from executing and downloading their payload.

Use Office 365 Advanced Threat Protection, which has machine learning capability that blocks dangerous email threats, such as the emails carrying scripts that download these malicious installers.

Finally, monitor your network with Windows Defender Advanced Threat Protection, which alerts security operations teams about suspicious activities. Evaluate it for free.