The Stack Archive

Ransomware authors burying payloads deeper in installer packages

Thu 16 Mar 2017

New research from Microsoft’s security labs has revealed that ransomware creators are becoming more innovative in their determination to bury malicious payloads inside what appear to be regular and valid installer mechanisms.

According to Microsoft, the malware authors obscure malicious content by mimicking apparently benign installer components, elements that lie far deeper in the installer assembly than has been the trend in recent years, and that are likely to be increasingly resistant to anti-virus and other heuristics-based procedures designed to identify malware.

Authors use the Nullsoft Scriptable Install System (NSIS) to deploy malware, but Microsoft notes one particularly radical development in their methodology of late:

‘The most significant change, … is the absence of the usual randomly named DLL file, which was previously used to decrypt the encrypted malware. This change significantly reduces the footprint of malicious code in the NSIS installer package.’

Image caption: Comparison of the contents of old NSIS installers and the updated installers, highlighting the absence of the randomly named DLL file in the updated version.

Microsoft observes a rapid uptake of the technique among ransomware authors. It replaces the readily identifiable DLL, tasked with decrypting the ransomware package, with a cloaked installation script, which issues a call to a new code area (12137) after payload decryption has occurred.

The new code area represents the initial decryption layer of the framework that will ultimately install and deliver the ransomware on the target machine. It decrypts piecemeal, only as much as is needed to keep the procedure alive, without presenting a recognisable footprint to AV or security scans that merely evaluate the static file structure of the installer.
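As an added, defender-side example that is not part of the article and is not Microsoft's code: the Python below locates the NSIS first header that the installer stub appends to its executable (layout per NSIS's Source/exehead/fileform.h), reads the lengths it declares, and reports the entropy of the data block plus any bytes trailing it. The fake installer image it builds is constructed for the demonstration and is not a real PE; reading length_of_all_following_data as counting from the start of the first header is an assumption, marked as such in the code.

```python
import math
import struct

# Layout of the NSIS "first header" that the stub appends after its PE image,
# as defined in NSIS's Source/exehead/fileform.h (seven little-endian uint32s):
#   flags, siginfo (0xDEADBEEF), "Null", "soft", "Inst",
#   length_of_header, length_of_all_following_data
NSIS_MAGIC = b"\xef\xbe\xad\xde" + b"NullsoftInst"
FIRST_HEADER_LEN = 28


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_first_header(blob: bytes):
    """Return (offset, flags, header_len, following_len) of the NSIS first
    header, or None when the file carries no NSIS signature."""
    idx = blob.find(NSIS_MAGIC)
    if idx < 4 or idx - 4 + FIRST_HEADER_LEN > len(blob):
        return None
    start = idx - 4  # the flags field sits just before the 0xDEADBEEF marker
    fields = struct.unpack_from("<7I", blob, start)
    flags, header_len, following_len = fields[0], fields[5], fields[6]
    return start, flags, header_len, following_len


def assess_installer(blob: bytes) -> dict:
    """Static triage summary of a suspected NSIS installer image."""
    found = find_first_header(blob)
    if found is None:
        return {"nsis": False}
    start, flags, header_len, following_len = found
    # Assumption: length_of_all_following_data counts from the start of the
    # first header itself, so the installer data block ends at start + following_len.
    end = start + following_len
    data_block = blob[start + FIRST_HEADER_LEN:end]
    entropy = shannon_entropy(data_block)
    return {
        "nsis": True,
        "first_header_offset": start,
        "flags": flags,
        "header_len": header_len,
        "following_len": following_len,
        "data_entropy": round(entropy, 2),
        "looks_random": entropy > 7.5,               # compressed OR encrypted data
        "trailing_bytes": max(0, len(blob) - end),   # bytes appended past the NSIS block
        "truncated": len(blob) < end,                # declared block runs past end of file
    }


def build_sample(data_block: bytes, stub_len: int = 1024, trailer: bytes = b"") -> bytes:
    """Construct a fake installer image for the demonstration: a dummy MZ stub,
    an NSIS first header, the data block and an optional trailer. Not a real PE."""
    stub = b"MZ" + b"\x00" * (stub_len - 2)
    header_len = 64  # constructed value; real installers store the script header size here
    following_len = FIRST_HEADER_LEN + len(data_block)
    first_header = struct.pack("<I", 0) + NSIS_MAGIC + struct.pack("<II", header_len, following_len)
    return stub + first_header + data_block + trailer


if __name__ == "__main__":
    # Uniform byte distribution gives the maximum entropy of 8.0 bits per byte.
    sample = build_sample(bytes(range(256)) * 8, trailer=b"EXTRA" * 10)
    for key, value in assess_installer(sample).items():
        print(f"{key}: {value}")
```

The entropy figure is a triage hint rather than a verdict: NSIS compresses its script header and file data by default, so a legitimately compressed block also reads as near-random. The technique the article describes decrypts inside the running script, so a static pass like this one can confirm the container and its declared geometry but cannot see the payload; that is the gap Microsoft is pointing at, and why detection of these packages has to watch the installer at execution time rather than rely on the file alone.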


Microsoft has observed NSIS installers configured in this manner delivering a range of ransomware, including Cerber, Locky, Teerac (a.k.a. Crypt0L0cker), Crowti (a.k.a. CryptoWall), Wadhrama and Critroni (a.k.a. CTB-Locker).

NSIS was originally created to facilitate the distribution on Windows of the multi-platform media player Winamp, but its efficacy caused it to become widely adopted, licensed from Nullsoft, by such major players as Amazon, Ubisoft, McAfee and Dropbox.

