Ransomware Operators Hide Malware Deeper In NSIS Installers

In recent ransomware campaigns, a wave of new NSIS installers has appeared. These installers carry significant updates, indicating a collective move by the attackers to change the way they package malicious code. The changes are observed in installers that drop ransomware variants including Locky, Cerber and many others. Attackers are known to hide ransomware in NSIS installer files; NSIS stands for Nullsoft Scriptable Install System.

The newly detected NSIS installers try to look normal by incorporating non-malicious components that also appear in legitimate installers: a .bmp file that serves as a background image for the installer interface, additional non-malicious plug-ins for the installation engine such as system.dll, and a non-malicious uninstaller component, uninst.exe. According to Microsoft, the most significant change is the absence of the DLL file that was previously used to decrypt the malware. This modification reduces the footprint of malicious code in the NSIS installer package.

Difference between Newer and Older NSIS installers

The older NSIS installers contained a malicious DLL file that decrypted and executed the encrypted payload. In the newer version the DLL is absent: the NSIS installation script itself is in charge of loading the encrypted file into memory and executing its code, which makes the package look more legitimate. By constantly updating the function and contents of the installer package, the attackers hope to infect more systems and install ransomware.
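As an added example (not code from the original article or from Microsoft), the following defender-side triage heuristic runs over the files unpacked from an NSIS installer and flags the layout just described: decoy components present, no decrypting DLL, and a high-entropy blob left for the install script to decrypt in memory. The file names and contents are constructed sample data; only system.dll and uninst.exe come from the article, and the entropy threshold is an assumed tuning value.

```python
import math
import random
from collections import Counter

# Constructed sample: contents of two unpacked NSIS installers (as an archiver would list them).
# Seeded random bytes stand in for the encrypted payload; this is not real malware.
_rng = random.Random(1)
ENCRYPTED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
NEW_STYLE = {                                   # decoys present, no DLL, script decrypts in memory
    "background.bmp": b"BM" + b"\x00" * 512,
    "$PLUGINSDIR/system.dll": b"MZ" + b"\x00" * 512,
    "uninst.exe": b"MZ" + b"\x00" * 512,
    "data.bin": ENCRYPTED_BLOB,
}
OLD_STYLE = {                                   # older layout: a separate DLL does the decrypting
    "loader.dll": b"MZ" + b"\x00" * 512,
    "data.bin": ENCRYPTED_BLOB,
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text and code sit well below 7, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_nsis_contents(files: dict, threshold: float = 7.5) -> dict:
    """Heuristic triage of the files unpacked from one NSIS installer.
    Flags the layout the article describes: decoy components (.bmp background, the NSIS
    System plug-in, uninst.exe), no other DLL, and at least one high-entropy blob that
    the install script would decrypt and run in memory. `threshold` is an assumed value."""
    names = {name.rsplit("/", 1)[-1].lower(): name for name in files}   # basename -> path
    decoys = sorted(n for n in names if n in ("system.dll", "uninst.exe") or n.endswith(".bmp"))
    other_dlls = sorted(n for n in names if n.endswith(".dll") and n != "system.dll")
    blobs = sorted(n for n, full in names.items()
                   if not n.endswith((".dll", ".exe", ".bmp"))
                   and len(files[full]) >= 1024
                   and shannon_entropy(files[full]) >= threshold)
    return {
        "decoy_components": decoys,
        "other_dlls": other_dlls,
        "high_entropy_blobs": blobs,
        "matches_new_layout": bool(blobs) and not other_dlls and "system.dll" in names,
    }

if __name__ == "__main__":
    for label, contents in (("new-style", NEW_STYLE), ("old-style", OLD_STYLE)):
        print(label, triage_nsis_contents(contents))
```

A real installer would first be unpacked with an archiver that understands NSIS, and the heuristic should be read as a triage signal for further analysis, not a verdict.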

NSIS installers in ransomware campaigns

NSIS installers are used in campaigns to deliver ransomware. The scheme adopted by these campaigns is as follows:

  1. The campaign spreads via email messages crafted to mimic invoice delivery notifications.

  2. The email messages contain malicious attachments, including JavaScript downloaders, JavaScript downloaders in .zip files, PowerShell scripts containing .LNK files, and documents with malicious macro code.

  3. When opened, the malicious attachment downloads the installer.

  4. The installer then decrypts and executes the ransomware.

Security Solution for evolving threats

The sole intention of ransomware creators is to earn money from victims. If you do not want to become a victim of such an infection, take the following prevention measures:

  • Always update your system and installed programs to the latest version.

  • Enable Windows Defender Antivirus to detect the new NSIS installers.

  • Use strong passwords to lock devices and enable kernel-level virtualization-based security.

  • Do not open messages or attachments that arrive from unverified sources or locations.

  • Monitor your network to know about suspicious activity.
