Attackers have a history of leveraging NSIS installers, as well. The main draw? Well, for starters, NSIS has a powerful scripting language specifically designed to help install things. It's also open source, which means customization opportunities galore. For an attacker, what's not to like?
Going fileless to avoid detection
The downside for attackers was that AV vendors had gradually caught wind of what they were up to. Eventually, they had found a way to identify and block malware-packed NSIS installers by keeping an eye out for an additional suspicious DLL file attackers were including for use in decrypting and deploying the encrypted payload.
But now attackers are ditching that red-flag DLL file in favor of using an NSIS installation script plugin to load their malicious code into memory and decrypt and execute it from there. By making that change and going "fileless," these attacks are now actively evading detection by antivirus and next-gen antivirus programs.
“With the SYSTEM [NSIS installer] plugin, you can call functions inside Windows and do whatever you want. What they are doing is allocating executable memory, putting the code inside the memory they have been allocated, and then just executing the code.
“Because the code is obfuscated, you have only a small stub which is in charge of XOR’ing the next step of the code. Security vendors are unable to see what the actual code is doing. They can only see what the small stub is doing, and the small stub is doing basically nothing, just XOR’ing some small bytes.”
— Tom Nipravsky, Deep Instinct
These attacks also leverage several additional sophisticated techniques to gain execution while obfuscating their code, including process hollowing and "Heaven's Gate," a technique for calling 64-bit code from a 32-bit process popularized by the banking trojan Vawtrak. For more details on those, see Nipravsky's in-depth write-up.
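The quoted description of the System plugin (allocate executable memory, copy code into it, call it) is a pattern a defender can look for statically in the .nsi script an installer was built from. The following scanner is an added example written for this article, not Barkly's or Deep Instinct's code; the sample scripts are constructed, and the exact System plugin syntax for calling through a register (`System::Call '::$0()'`) is an assumption, which is why the heuristic keys only on the call target being a variable rather than a `dll::Function` name.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: mimics the loader pattern the article describes. The indirect
# call syntax is an assumption; the scan only relies on the target starting with "$".
SAMPLE_SCRIPT = """\
Name "Setup"
OutFile "setup.exe"
Section
  SetOutPath $INSTDIR
  File "readme.txt"
  System::Call 'kernel32::VirtualAlloc(p 0, i 4096, i 0x3000, i 0x40) p .r0'
  System::Call 'kernel32::RtlMoveMemory(p r0, p r1, i 4096)'
  System::Call '::$0()'
SectionEnd
"""

# Constructed benign sample: a legitimate System plugin use that must not be flagged.
BENIGN_SCRIPT = """\
Section
  File "app.exe"
  System::Call 'user32::MessageBox(i $HWNDPARENT, t "Installed", t "Setup", i 0)'
SectionEnd
"""

# System::Call '<target>(<args>)' -- target is either dll::Func or a variable.
CALL_RE = re.compile(r"""System::Call\s+['"](?P<target>[^(]+?)\((?P<args>[^)]*)\)""")
INT_ARG_RE = re.compile(r"\bi\s+(0x[0-9A-Fa-f]+|\d+)")

# winnt.h page protections that grant execute rights (PAGE_EXECUTE, _READ,
# _READWRITE, _WRITECOPY). 0x40 is PAGE_EXECUTE_READWRITE.
PAGE_EXECUTE_ANY = {0x10, 0x20, 0x40, 0x80}


@dataclass
class ScanResult:
    tags: set = field(default_factory=set)
    findings: list = field(default_factory=list)  # (line number, tag, line text)

    @property
    def suspicious(self) -> bool:
        # Executable allocation plus a call through a variable is the in-memory
        # loader shape; either one alone is legitimate in many installers.
        return "rwx_alloc" in self.tags and "indirect_call" in self.tags


def _protect_arg(args: str):
    """Return the last integer argument (flProtect for VirtualAlloc/Ex) or None."""
    parts = [p.strip() for p in args.split(",") if p.strip()]
    m = INT_ARG_RE.search(parts[-1]) if parts else None
    return int(m.group(1), 0) if m else None


def scan_nsis_script(text: str) -> ScanResult:
    result = ScanResult()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CALL_RE.search(line)
        if not m:
            continue
        func = m.group("target").strip().rsplit("::", 1)[-1]
        tag = None
        if func in ("VirtualAlloc", "VirtualAllocEx"):
            prot = _protect_arg(m.group("args"))
            if prot is not None and (prot & 0xFF) in PAGE_EXECUTE_ANY:
                tag = "rwx_alloc"
        elif func in ("RtlMoveMemory", "WriteProcessMemory"):
            tag = "memory_write"
        elif func.startswith("$"):
            tag = "indirect_call"
        if tag:
            result.tags.add(tag)
            result.findings.append((lineno, tag, line.strip()))
    return result


if __name__ == "__main__":
    for name, script in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        r = scan_nsis_script(script)
        print(f"{name}: suspicious={r.suspicious} tags={sorted(r.tags)}")
        for lineno, tag, text in r.findings:
            print(f"  line {lineno} [{tag}] {text}")
```

The scanner is deliberately conservative: VirtualAlloc alone or RtlMoveMemory alone is common in legitimate scripts, so only the combination of an executable allocation and a call through a variable yields a verdict; the individual tags are still reported for triage.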
How are these new ransomware campaigns infecting victims?
Microsoft Office documents with malicious macro codes
What makes these attachment types dangerous is that they're smuggling malicious scripts onto machines via otherwise legitimate file types to avoid detection.
Blocking these sophisticated attacks at runtime
Despite all the complex techniques that let these attacks get past antivirus and next-gen antivirus programs, Barkly has been able to block them thanks to its use of runtime malware defense (RMD).
That's because these evasive techniques have been primarily designed to avoid detection from pre-execution defenses — solutions like antivirus that attempt to block malware by noticing when files look suspicious.
In contrast, RMD blocks malware by noticing suspicious activity (in this case, code injection and process hollowing are big red flags).
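To make the contrast with pre-execution scanning concrete, here is an added example (not Barkly's RMD code) of the kind of behavioral rule a runtime monitor can apply: it watches the sequence of API calls a process makes and raises an alert when the classic process-hollowing chain appears (child created suspended, memory written into it, its thread context rewritten, then resumed). The trace format and the sample events are constructed for this example; a real monitor would obtain them from kernel callbacks or an instrumentation framework.

```python
# Constructed event trace in the shape a runtime monitor might record.
# Each event: the calling process, the API, and the process it acted on.
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit, winbase.h

TRACE = [
    # Normal child launch: not suspended, nothing written into it.
    {"pid": 100, "api": "CreateProcessW", "image": "helper.exe", "flags": 0x0, "child": 200},
    # Hollowing chain against a second child (image name is a placeholder).
    {"pid": 100, "api": "CreateProcessW", "image": "hollowed-child.exe",
     "flags": CREATE_SUSPENDED, "child": 300},
    {"pid": 100, "api": "NtUnmapViewOfSection", "target": 300},
    {"pid": 100, "api": "VirtualAllocEx", "target": 300, "protect": 0x40},
    {"pid": 100, "api": "WriteProcessMemory", "target": 300},
    {"pid": 100, "api": "SetThreadContext", "target": 300},
    {"pid": 100, "api": "ResumeThread", "target": 300},
]

# Constructed edge case: a debugger-style suspended launch that is simply resumed.
# No memory is written and no thread context is changed, so it must not alert.
DEBUGGER_LIKE_TRACE = [
    {"pid": 500, "api": "CreateProcessW", "image": "debuggee.exe",
     "flags": CREATE_SUSPENDED, "child": 600},
    {"pid": 500, "api": "ResumeThread", "target": 600},
]

# APIs that advance the per-child state machine once a suspended create is seen.
STAGE_FOR_API = {
    "NtUnmapViewOfSection": "unmap",
    "VirtualAllocEx": "remote_alloc",
    "WriteProcessMemory": "remote_write",
    "SetThreadContext": "thread_context",
    "ResumeThread": "resume",
}

# The minimum chain that distinguishes hollowing from a benign suspended start.
REQUIRED_STAGES = {"suspended_create", "remote_write", "thread_context"}


def detect_process_hollowing(trace):
    """Return one alert per child process that completes the hollowing chain."""
    state = {}  # child pid -> {"parent", "image", "stages"}
    alerts = []
    for ev in trace:
        api = ev["api"]
        if api.startswith("CreateProcess"):
            # Only children born suspended are tracked; others are ignored.
            if ev["flags"] & CREATE_SUSPENDED:
                state[ev["child"]] = {"parent": ev["pid"], "image": ev["image"],
                                      "stages": ["suspended_create"]}
            continue
        st = state.get(ev.get("target"))
        stage = STAGE_FOR_API.get(api)
        if st is None or stage is None:
            continue
        if stage not in st["stages"]:
            st["stages"].append(stage)
        if stage == "resume":
            # Resume is the moment injected code would start running, so decide here.
            if REQUIRED_STAGES <= set(st["stages"]):
                alerts.append({"parent": st["parent"], "child": ev["target"],
                               "image": st["image"], "stages": list(st["stages"])})
            del state[ev["target"]]  # chain is over either way
    return alerts


if __name__ == "__main__":
    for a in detect_process_hollowing(TRACE):
        print(f"ALERT pid {a['parent']} hollowed child {a['child']} "
              f"({a['image']}): {' -> '.join(a['stages'])}")
    print("debugger-like trace alerts:", detect_process_hollowing(DEBUGGER_LIKE_TRACE))
```

The decision is taken at ResumeThread because that is the last point before the replaced code runs, which is exactly where a runtime defense has the option to block rather than merely log. Requiring both a remote write and a thread-context change keeps ordinary suspended launches by debuggers and job schedulers out of the alert stream.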