Security Alert
Jonathan Crowe
Mar 2017

Alert: New Wave of Ransomware is Bypassing Security by Hiding in NSIS Installers

Photo by Source

Key Details

  • empty
  • empty
  • empty
  • empty
  • empty
  • empty
  • empty
  • empty


Key details:

  • Type of attack: Ransomware hidden in NSIS installer files 
  • Attack vector: Email
  • Damage: As of yet unknown, but researchers have spotted a major uptick in infections beginning in December

A new slew of ransomware campaigns are infecting companies thanks to an improved method of avoiding detection — hiding malicious code deep within NSIS installers.

According to researchers at Microsoft, adoption of the technique appears to be widespread, with Cerber, Locky, and other popular ransomware families all getting in on the act in "a collective move by attackers to once again dodge AV detection."

Beginning last December, the volume of these attacks has experienced a significant uptick, putting more and more companies at risk.


Increase in NSIS installers that drop ransomware. Source: Microsoft


What are NSIS installers? And why are attackers using them?

Short for Nullsoft Scriptable Install System, NSIS is an open source system that software developers have been using for years to create installers for their applications.

If you've ever installed Dropbox, Gmail, or a host of other software and services, then you've utilized NSIS installers.

Attackers have a history of leveraging NSIS installers, as well. The main draw? Well, for starters NSIS has a powerful scripting language specifically designed to help install things. It's also open source, which means customization opportunities galore. For an attacker, what's not to like? 

Going fileless to avoid detection

The downside for attackers was that AV vendors had gradually caught wind of what they were up to. Eventually, they had found a way to identify and block malware-packed NSIS installers by keeping an eye out for an additional suspicious DLL file attackers were including for use in decrypting and deploying the encrypted payload.

But now attackers are ditching that red flag DLL file in favor of utilizing a NSIS installation script plugin to load their malicious code into memory and decrypt and execute it from there. By making that change and going "fileless" these attacks are now actively evading detection from antivirus and next-gen antivirus programs.

Tom Nipravsky, a security researcher with Deep Instinct who posted an in-depth write-up of these attacks, explained it this way over at Threatpost

“With the SYSTEM [NSIS installer] plugin, you can call functions inside Windows and do whatever you want. What they are doing is allocating executable memory, putting the code inside the memory they have been allocated, and then just executing the code.

"Because the code is obfuscated, you have only a small stub which is in charge of XOR’ing the next step of the code. Security vendors are unable to see what the actual code is doing. They can only see what the small stub is doing, and the small stub is doing basically nothing, just XOR’ing some small bytes.”

— Tom Nipravsky, Deep Instinct

These attacks are also leveraging several additional sophisticated techniques to gain execution while obfuscting their code, including process hollowing and "Heaven's Gate," a technique for calling 64-bit code from a 32-bit process popularized by banking trojan Vawtrak. For more details on those, see Nipravsky's in-depth write-up.

How are these new ransomware campaigns infecting victims?

Based on what Microsoft has observed so far, these updated NSIS installers are being used in campaigns delivering the following ransomware:

  • Cerber
  • Locky
  • Teerac (aka Crypt0L0cker)
  • Crowti (aka CryptoWall)
  • Wadhrama
  • Critroni (aka CTB-Locker)

At the moment, these campaigns are primarily being distributed via phishing emails (many disguised as invoices) containing any of the following attachments:

What makes these attachment types dangerous is that they're smugglling malicious scripts onto machines via otherwise legitimate file types to avoid detection.

Blocking these sophisticated attacks at runtime

Despite all these complex techniques that are resulting in these attacks getting past antivirus and next-gen antivirus programs, Barkly has been able to block them thanks to its use of runtime malware defense (RMD).  

That's because these evasive techniques have been primarily designed to avoid detection from pre-execution defenses — solutions like antivirus that attempt to block malware by noticing when files look suspicious.

In contrast, RMD blocks malware by noticing suspicious activity (in this case, code injection and process hollowing are big red flags). 

Find out more about how RMD works in our Complete Guide to Runtime Malware Defense. 

To see RMD in action, check out our post, "Stopping Cerber During Runtime".  

Jonathan Crowe

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.