tao, posted March 16, 2017

Ransomware operators are hiding malware deeper in installer packages

We are seeing a wave of new NSIS installers used in ransomware campaigns. These new installers pack significant updates, indicating a collective move by attackers to once again dodge AV detection by changing the way they package malicious code. These changes are observed in installers that drop ransomware like Cerber, Locky, and others.

Cybercriminals have been known to hide malware in Nullsoft Scriptable Install System (NSIS) installer files. As antivirus software effectively detects these installer files, cybercriminals are once again updating their tools to penetrate computers.

The new malicious NSIS installers visibly attempt to look as normal as possible by incorporating non-malicious components that usually appear in legitimate installers:

More non-malicious plugins, in addition to the installation engine system.dll
A .bmp file that serves as a background image for the installer interface, to mimic legitimate ones
A non-malicious uninstaller component uninst.exe

Please, if interested, read the rest of a rather technical article at the link (at the top).