NSIS installers are now used in Cerber ransomware campaigns to sidestep antivirus solutions
Cerber ransomware continuously evolves, and this time we must warn computer users about ongoing spam campaigns that distribute Cerber malware. Such campaigns can be separated into two phases: the preparation and delivery of the spam messages, and the infection itself. It seems that the actors behind the Cerber ransomware project no longer waste their time composing convincing email messages. Instead, they use the “Blank Slate” technique: they send out blank emails (no content in the message body) that carry an attachment. These attachments are highly dangerous. At the moment you can recognize them quite easily, because they are named with a random string of digits, for example 43336834502446.zip, although you may also receive a file called EMAIL_668403790854085_[recipient].zip or similar. At the moment, Cerber arrives in the form of one of these malicious attachments:
- .LNK files that carry PowerShell scripts;
- Documents filled with malicious scripts that are activated through the Macros function.
If you have ever taken an interest in Cerber's distribution techniques and infection routine, you probably know that after the victim opens a malicious file attachment, the malicious code in it is activated, connects to a server hosting the ransomware, and downloads a ransomware sample to the target computer. The sample is then executed automatically. However, analysis from Microsoft reveals that Cerber's developers are slowly changing the attack vector and are now using a new trick to bypass antivirus detection. It turns out that the latest Cerber versions are packed inside malicious Nullsoft Scriptable Install System (NSIS) installer files. The real NSIS is an open-source system developed by Nullsoft, Inc., used to create installers and uninstallers for various computer programs. It seems that the popularity of this tool has drawn criminals' attention, and they have decided to exploit it for their own benefit.
This installer enters the computer as soon as the victim opens the malicious attachment sent by email. The fake NSIS installer archive now contains more legitimate components to deceive antivirus systems, and the randomly named DLL file, which was earlier used to decrypt and run the encrypted virus file, is missing. It seems that the malware developers have put the Nullsoft installation script in charge of loading the encoded data file into memory and running its code. It seems that Cerber's developers keep changing the malicious installer package so that antivirus programs cannot detect the malware easily.
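As an added illustration (not code from the original article or from any of the sources it cites), the following Python triage script checks a mail attachment for the indicators described above: an all-digit zip name, a .LNK shortcut inside the archive, and an NSIS-built executable that carries a high-entropy (encrypted) payload. The “NullsoftInst” marker and the .LNK header bytes are the formats' documented magic values; the 7.5-bit entropy threshold and the sample archive are assumptions made for the example, and the sample contains no real malware.

```python
import io
import math
import random
import zipfile

# Indicators from the campaign described above: all-digit zip names, .LNK
# shortcuts inside the archive, and NSIS-built executables carrying an
# encrypted, hence high-entropy, data blob.
LNK_HEADER = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
NSIS_MAGIC = b"NullsoftInst"  # magic string in the NSIS first header

def entropy(data):
    """Shannon entropy in bits per byte; encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_attachment(filename, blob):
    """Return the suspicious indicators found in one zip attachment."""
    findings = []
    stem, _, ext = filename.rpartition(".")
    if ext.lower() == "zip" and stem.isdigit():
        findings.append("attachment name is only digits")
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings + ["not a valid zip"]
    for info in zf.infolist():
        data = zf.read(info)
        if info.filename.lower().endswith(".lnk") or data.startswith(LNK_HEADER):
            findings.append(f"{info.filename}: Windows shortcut (.LNK)")
        if data.startswith(b"MZ") and NSIS_MAGIC in data:
            payload = data[data.index(NSIS_MAGIC) + len(NSIS_MAGIC):]
            kind = "high-entropy" if entropy(payload) > 7.5 else "plain"
            findings.append(f"{info.filename}: NSIS installer with {kind} payload")
    return findings

def build_sample():
    """Constructed sample (not real malware): a .LNK plus a fake NSIS stub."""
    rng = random.Random(1)
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.lnk", LNK_HEADER + b"\x00" * 64)
        zf.writestr("setup.exe", b"MZ" + b"\x00" * 62 + NSIS_MAGIC + payload)
    return "43336834502446.zip", buf.getvalue()
```

Run `triage_attachment(*build_sample())` to see all three indicators reported for the constructed sample.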
We must add that Cerber is not the only ransomware that spreads with the help of malware-laden NSIS installers. Research shows that the infamous Locky, Crypt0l0cker, CTB-Locker, and CryptoWall have also been distributed via the same technique. If you want to stay safe, avoid opening suspicious emails sent by unknown people, and create backups to be prepared for a ransomware attack. Remember: it is better to be safe than sorry!
- The new variant of Cerber ransomware doesn’t even bother changing the original file name. Virus Activity Blog.
- Brad Duncan. “Blank Slate” Campaign Takes Advantage of Hosting Providers to Spread Ransomware. Palo Alto Networks Blog.
- 2017-03-15 - "Blank Slate" Malspam Campaign Spreading Cerber Ransomware. Malware Traffic Analysis.
- No slowdown in Cerber ransomware activity as 2016 draws to a close. Microsoft Malware Protection Center Blog.
- Ransomware operators are hiding malware deeper in installer packages. TechNet Blogs.