NSIS installers are now used in Cerber ransomware campaigns to sidestep antivirus solutions

Cerber ransomware continuously evolves[1], and this time we must warn computer users about ongoing spam campaigns that distribute Cerber malware. Malicious campaigns can be separated into two phases – customization and delivery of spam messages and the infection itself. It seems that actors behind Cerber ransomware project no longer waste their time trying to compose convincing email messages – they simply use “Blank Slate” technique[2] – they send out blank emails (no contents in the message body) that carry some attachments. These attachments are highly dangerous – you can recognize them quite easily at the moment because they are titled with a random set of digits[3], for example, 43336834502446.zip, but you can receive a file called EMAIL_668403790854085_[recipient].zip or similar, too. At the moment, Cerber arrives in the form of any of these malicious attachments:

  • JavaScripts downloaders archived in .zip files;
  • Basic JavaScript downloaders;
  • .LNK files that carry PowerShell scripts;
  • Documents that are filled with malicious scripts that can get activated with Macros function.

If you have ever expressed interest in Cerber distribution techniques and infection routine[4], you probably know that after opening a malicious file attachment, the malicious code in it gets activated, connects to a ransomware-hosting server, and downloads a sample of ransomware to the target computer. Such sample gets executed automatically. However, the analysis from Microsoft[5] reveals that Cerber developers are slowly changing the attack vector and now they are using a new trick to bypass antivirus detection. It turns out that the latest Cerber versions are packed within malicious Nullsoft Scriptable Install System (NSIS) installer files. The real NSIS is an open-source system developed by Nullsoft, Inc., which is used to create installers or uninstallers for various computer programs. It seems that the popularity of this tool has drought criminals’ attention and they decided to exploit it for their own benefit.

Cerber ransomware spreads via NSIS installers

This installer enters the computer system as soon as the victim opens the malicious attachment sent to him/her via email. The fake NSIS installer archive now contains more legitimate components to deceive antivirus systems and besides, the randomly named DLL file, which was earlier used to decrypt and run the encrypted virus file, is missing. It seems that malware developers have decided to put the Nullsoft installation script in charge of loading the encoded data file in memory and running its code. It seems that Cerber developers keep changing the malicious installer package to prevent antivirus programs from detecting the malware easily.

We must add that Cerber ransomware is not the only virus that spreads with the help of malware-laden NSIS installers. Research shows that an infamous virus Locky, Crypt0l0cker, CTB-Locker, and CryptoWall have also been distributed via the same technique. If you want to stay safe, please, avoid opening suspicious emails sent by unknown people, and create backups to be prepared for a ransomware attack. Remember – it is better to be safe than sorry!

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions