Ransomware operators are hiding malware deeper in installer packages
msft-mmpcMarch 15, 2017
We are seeing a wave of new NSIS installers used in ransomware campaigns. These new installers pack significant updates, indicating a collective move by attackers to once again dodge AV detection by changing the way they package malicious code. These changes are observed in installers that drop ransomware like Cerber, Locky, and others.
Cybercriminals have been known to hide malware in Nullsoft Scriptable Install System (NSIS) installer files. As antivirus software effectively detect these installer files, cybercriminals are once again updating their tools to penetrate computers.
The new malicious NSIS installers visibly attempt to look as normal as possible by incorporating non-malicious components that usually appear in legitimate installers:
- More non-malicious plugins, in addition to the installation engine system.dll
- A .bmp file that serves as a background image for the installer interface, to mimic legitimate ones
- A non-malicious uninstaller component uninst.exe
The most significant change, however, is the absence of the usual randomly named DLL file, which was previously used to decrypt the encrypted malware. This change significantly reduces the footprint of malicious code in the NSIS installer package.
|
|
|
