In a blog post earlier this month Microsoft provided an in-depth analysis of a new technique in use by ransomware authors to disguise their attempts to hold your data for ransom.
What has made these newly disguised ransomware installers so successful?
These attack involve tampering with a Nullsoft Scriptable Install System (NSIS) installer (used in paid, free and open-source software such as VideoLAN VLC, Wireshark (among others)). In contrast to previously altered installers the attackers have removed their randomly named DLL (defined) which dramatically reduces the chance of detection due to far less code being present. Inclusions of non-malicious plugins, an uninstallation component and a legitimate .bmp image file for use with the installer help to divert attention away from the installer’s real purpose.
The installer instead contains an installation script which would usually automate the installation of the application for you. In this case however an obfuscated (defined here and here) script which calls the Win32API (API, defined) allows an attacker to allocate (make ready for use) an area in the computer’s memory in order to activate a small code fragment to decrypt the ransomware.
As detailed by Deep Instinct’s security researcher Tom Nipravsky; the script is sophisticated since it operates only in memory in addition to being multi-staged. Moreover the shell code (defined) uses a technique known as Heaven’s Gate which allows 64 bit shell code to make use of a 32 bit process (defined) which makes the work of security researchers more difficult since debuggers (defined) cannot easily handle a transition from one architecture to another. This also has the benefit of bypassing API hooks (defined) which are monitored by anti-malware software and makes use of system calls (defined) as opposed to API calls.
Moreover this ransomware uses a technique known as “process hollowing.” This occurs when an attacker creates a process in a suspended state (defined) but replaces it’s in memory code with code the attacker wishes to hide. Finally the attackers use an encrypted installer within NSIS which currently security vendors are unable to trace and is only decrypted when it is about to be used.
How can I protect myself from these threats?
Since the tampered NSIS installers originate from emails you should follow the advice from SANS with regards to email:
Use Caution Opening Email Attachments – A common method cyber criminals use to hack into people’s computers is to send them emails with infected attachments. People are tricked into opening these attachments because they appear to come from someone or something they know and trust. Only open email attachments that you were expecting. Not sure about an email? Call the person to confirm they sent it.
Source: https://www.sans.org/tip-of-the-day (date: 1st March 2017)
Microsoft encourages enterprise/corporate users to upgrade to Windows 10 and make use of its security features to defend against this threat.
Full disclosure: I don’t work for or on behalf of Microsoft nor do I wish to promote their products/services. I have simply provided a link to their advice for corporate users who may already have Windows 10 (or are considering upgrading) in order for them to better protect themselves against this and other threats using the security protections it offers.