Microsoft’s Malware Protection Center has identified a new wave of NSIS (Nullsoft Scriptable Install System) installers that seek to evade detection by burying malware deeper in the code.
The changes have been seen in installers that drop ransomware like Cerber, Locky, and others. The installers try to look as normal as possible by incorporating non-malicious components that usually appear in legitimate installers.
Components include more non-malicious plugins, in addition to the installation engine system.dll, there’s also a .bmp file that serves as a background image for the installer interface, to mimic legitimate ones, and a non-malicious uninstaller component uninst.exe. The most significant change, according to Microsoft, is the absence of the usual randomly named DLL file, which was previously used to decrypt the encrypted malware. This change significantly reduces the footprint of malicious code in the NSIS installer package.
Older versions of malicious Nullsoft installers had a package that contained a malicious DLL to decrypt and run the encrypted data file, which contained both the encrypted payload and decryption code. In the new version, the malicious DLL is absent. Instead, the Nullsoft installation script is in charge of loading the encrypted data file in memory and executing its code area, making it look more like a legitimate install.
The latest editions of Windows Defender Antivirus are able to detect the new installer. For more information and details of how to guard against the threat visit the Microsoft Malware Protection Center Blog.
Image Credit: underverse /Shutterstock