Cybercriminals have evolved malicious NSIS installers in order to more effectively dodge anti-virus detection when distributing ransomware such as Cerber, Locky and CryptoLocker, Microsoft reported.
Cybercriminals have evolved malicious NSIS installers in order to more effectively dodge anti-virus detection when distributing ransomware such as Cerber, Locky and CryptoLocker, Microsoft reported.

Ransomware distributors are evolving their technique for using NSIS installers to package and execute malicious software such as Cerber and Locky, according to a new report from Microsoft. These updates likely correspond to a recent increase in the number of unique NSIS installers found dropping ransomware beginning this past February, the company has theorized.

NSIS, or Nullsoft Scriptable Install System, is a flexible open-source system for creating Windows installers that cybercriminals have already used in past ransomware campaigns. But these newer installers feature significant updates that are designed to evade anti-virus detection by incorporating non-malicious components in an attempt to appear legitimate, the Microsoft Malware Protection Center warned in a blog post on Wednesday. Microsoft listed these non-malicious elements as follows:

  • More non-malicious plugins, in addition to the installation engine system.dll
  • A .bmp file that serves as a background image for the installer interface, to mimic legitimate ones
  • A non-malicious uninstaller component uninst.exe

Unlike older versions, the newer NSIS installers do not include randomly named DLL files that were originally used to decrypt the encrypted malware during the installation process. To avoid this telltale indicator of malicious activity and "reduce the footprint of malicious code," the newer versions instead task the obfuscated NSIS installation script itself with loading the encrypted data file in memory and executing its code area.

"By constantly updating the contents and function of the installer package, the cybercriminals are hoping to penetrate more computers and install malware by evading antivirus solutions," stated Microsoft in the blog post, noting that the volume of unique NSIS installers dropping ransomware spiked to more than 1,100 per day during the late February-early March timeframe.

When NSIS installers are used to deliver ransomware, potential victims typically receive emails that are crafted to look like invoices. These emails contain malicious attachments that, when opened, download the NSIS installer, which in turn decrypts and runs the malware, Microsoft explained. In addition to Cerber and Locky, other ransomwares commonly distributed via NSIS installers include CryptoLocker (Teerac), CryptoWall (Crowti), Wadhrama and CTB-Locker (Critroni).