Microsoft's Malware Protection Center has identified a new wave of NSIS (Nullsoft Scriptable Install System) installers that seek to evade detection by burying malware deeper in the code.
The changes have been seen in installers that drop ransomware such as Cerber, Locky, and others. The installers try to look as normal as possible by incorporating non-malicious components that usually appear in legitimate installers.
Components include more non-malicious plugins alongside the installation engine system.dll; there is also a .bmp file that serves as a background image for the installer interface, to mimic legitimate ones, and a non-malicious uninstaller component, uninst.exe. The most significant change, according to Microsoft, is the absence of the usual randomly named DLL file, which was previously used to decrypt the encrypted malware. This change considerably reduces the footprint of malicious code in the NSIS installer package.
Older versions of malicious Nullsoft installers had a package that contained a malicious DLL to decrypt and run the encrypted data file, which contained both the encrypted payload and decryption code. In the new version, the malicious DLL is absent. Instead, the Nullsoft installation script is in charge of loading the encrypted data file into memory and executing its code area, making it look more like a legitimate installation.
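The two bundle shapes described above (loader DLL plus encrypted data file, versus encrypted data file with no loader DLL at all) can be told apart from a listing of the unpacked installer members. The following is an added triage example, not code from Microsoft or the article: it computes per-file Shannon entropy to spot an encrypted blob next to the benign-looking components the article names (system.dll, uninst.exe, a .bmp), and reports whether a non-engine DLL is present. The function names, the 7.0 bits-per-byte threshold and the sample bundles are assumptions constructed for the example.

```python
import math
from collections import Counter

# Assumed cut-off: encrypted or compressed data approaches 8.0 bits of entropy
# per byte, while code, bitmaps and text sit well below it.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_nsis_bundle(files: dict) -> dict:
    """Score an unpacked installer.

    `files` maps member name -> member bytes (as you would get after extracting
    the NSIS archive). Returns the indicators found and a verdict label
    (hypothetical naming) matching the two bundle shapes in the article.
    """
    names = {name.lower() for name in files}
    # system.dll is the NSIS install engine; any other DLL is a candidate loader.
    loader_dlls = sorted(n for n in names if n.endswith(".dll") and n != "system.dll")
    # Candidate encrypted payload: high-entropy member that is not a PE or bitmap.
    high_entropy = sorted(
        name for name, blob in files.items()
        if not name.lower().endswith((".dll", ".exe", ".bmp"))
        and shannon_entropy(blob) >= ENTROPY_THRESHOLD
    )
    indicators = {
        "has_system_dll": "system.dll" in names,
        "has_uninstaller": "uninst.exe" in names,
        "has_background_bmp": any(n.endswith(".bmp") for n in names),
        "loader_dlls": loader_dlls,
        "high_entropy_files": high_entropy,
    }
    if high_entropy and loader_dlls:
        verdict = "old-style: loader DLL plus encrypted data file"
    elif high_entropy:
        verdict = "new-style: encrypted data file, no loader DLL (script-driven)"
    else:
        verdict = "no encrypted payload indicator"
    indicators["verdict"] = verdict
    return indicators


# Constructed sample bundles (not real samples): a fake PE header, a fake bitmap
# and a uniform byte blob standing in for the encrypted data file.
FAKE_PE = b"MZ" + b"\x00" * 200
FAKE_BMP = b"BM" + b"\x00" * 2000
FAKE_ENCRYPTED = bytes(range(256)) * 16  # exactly 8.0 bits/byte

OLD_STYLE_BUNDLE = {
    "System.dll": FAKE_PE,
    "uninst.exe": FAKE_PE,
    "background.bmp": FAKE_BMP,
    "qazxsw.dll": FAKE_PE,       # the randomly named loader DLL of older bundles
    "payload.dat": FAKE_ENCRYPTED,
}
NEW_STYLE_BUNDLE = {k: v for k, v in OLD_STYLE_BUNDLE.items() if k != "qazxsw.dll"}


if __name__ == "__main__":
    for label, bundle in (("old", OLD_STYLE_BUNDLE), ("new", NEW_STYLE_BUNDLE)):
        print(label, triage_nsis_bundle(bundle))
```

On a real investigation the member listing would come from an NSIS extraction tool; the script-driven variant is the harder one to catch by file listing alone, so the entropy of the data file together with the absence of any DLL other than system.dll is the signal to pivot on, and the installer script itself then warrants a look for where that file is loaded.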
The latest editions of Windows Defender Antivirus are able to detect the new installer. For more information and details of how to guard against the threat, visit the Microsoft Malware Protection Center blog.
Image credit: underverse / Shutterstock