Microsoft: Malicious NSIS installers used to disperse ransomware evolve and grow in number

Ransomware distributors are evolving their technique for using NSIS installers to package and execute malicious software such as Cerber and Locky, according to a new report from Microsoft. These updates likely correspond to a recent increase in the number of unique NSIS installers found dropping ransomware beginning this past February, the company has theorized.

NSIS, or Nullsoft Scriptable Install System, is a flexible open-source system for creating Windows installers that cybercriminals have already used in past ransomware campaigns. But these newer installers feature significant updates that are designed to evade anti-virus detection by incorporating non-malicious components in an attempt to appear legitimate, the Microsoft Malware Protection Center warned in a blog post on Wednesday. Microsoft listed these non-malicious elements as follows:

  • More non-malicious plugins, in addition to the installation engine system.dll
  • A .bmp file that serves as a background image for the installer interface, to mimic legitimate ones
  • A non-malicious uninstaller component uninst.exe

Unlike older versions, the newer NSIS installers do not include randomly named DLL files that were originally used to decrypt the encrypted malware during the installation process. To avoid this telltale indicator of malicious activity and "reduce the footprint of malicious code," the newer versions instead task the obfuscated NSIS installation script itself with loading the encrypted data file in memory and executing its code area.

"By constantly updating the contents and function of the installer package, the cybercriminals are hoping to penetrate more computers and install malware by evading antivirus solutions," stated Microsoft in the blog post, noting that the volume of unique NSIS installers dropping ransomware spiked to more than 1,100 per day during the late February-early March timeframe.

When NSIS installers are used to deliver ransomware, potential victims typically receive emails that are crafted to look like invoices. These emails contain malicious attachments that, when opened, download the NSIS installer, which in turn decrypts and runs the malware, Microsoft explained. In addition to Cerber and Locky, other ransomware families commonly distributed via NSIS installers include CryptoLocker (Teerac), CryptoWall (Crowti), Wadhrama and CTB-Locker (Critroni).

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.