The latest versions of these ransomware families have been circulating since mid-January and have had considerable success getting past anti-virus programs. They do it by burying the ransomware inside an ordinary NSIS installer (NSIS is the Nullsoft Scriptable Install System, an open source tool for building Windows installers) and wrapping it in several layers of unintelligible code and encryption, so the real payload only appears once it has been decrypted in memory.

It is not known whether the infrastructure behind these attacks is being sold on private forums or whether the malware authors are sharing code. What is known is that the latest versions of several crypto-ransomware families, including the new versions of Locky and Cerber, behave in exactly the same way, which strongly suggests some kind of common packaging infrastructure.

Attackers are always finding ways to execute malware that have not been used before. As soon as a new technique is discovered and dealt with through definition updates, these ransomware infections have already moved on to the next one. The NSIS-based technique has been seen across the industry for the past two months.
NSIS, short for Nullsoft Scriptable Install System, is an open source system used to build Windows installers, and it is the key to how these campaigns hide the ransomware executable from detection systems. According to the report, the installers use the NSIS System plugin (System.dll), which lets an installer script call arbitrary Win32 API functions. With that plugin the attacker can call functions inside Windows and do anything an ordinary program could do.

What they do is allocate executable memory, put their code inside the memory they have allocated and then simply execute it. The code is camouflaged: all that is visible at this stage is a small stub whose only job is to XOR-decode the next step, which in turn decodes the one after it. A security vendor scanning the file cannot see what the actual payload does. It can only see what the small stub does, and the small stub does basically nothing, just XOR'ing a few bytes. Everything interesting exists only in memory, after decryption.

The NSIS installer therefore gives the attackers an easy, legitimate-looking way to execute code.
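To make the staging concrete, here is an added example, written for this post rather than taken from the ransomware or from NSIS, that wraps a stand-in payload in several XOR layers the way the chained stubs described above do, then runs a simple string-signature scan at each layer. The payload text, the keys and the signature list are all constructed for the illustration; the point it shows is that a scanner looking at the file as it sits on disk sees nothing, and each layer has to be peeled (by emulation or manual unpacking) before anything recognisable appears.

```python
"""Staged XOR decoding, as used by the small 'do nothing' stubs described in
the post. Added example with constructed data; not code from the ransomware."""

# Constructed stand-in for the final ransomware stage (plain text, so a
# string signature obviously matches it once it is exposed).
FINAL_STAGE = (b"MZ kernel32.dll VirtualAlloc CryptEncrypt "
               b"README_DECRYPT.txt")

# Constructed keys, one per layer; the last one is applied outermost.
LAYER_KEYS = [b"\x5a", b"\x13\x37", b"\xde\xad\xbe\xef"]

# Strings a signature scanner would look for in the real payload.
SIGNATURES = [b"VirtualAlloc", b"CryptEncrypt", b"README_DECRYPT"]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key: the whole of a stub's 'decryption' logic."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wrap_layer(stage: bytes, key: bytes) -> bytes:
    """Prefix a stage with the key that decodes it: [key length][key][XOR'd stage].
    Each real stub carries just enough to recover the next step and nothing more."""
    return bytes([len(key)]) + key + xor_bytes(stage, key)


def peel_layer(blob: bytes) -> bytes:
    """Do what the stub does at run time: read the key and decode the next stage."""
    key_len = blob[0]
    key = blob[1:1 + key_len]
    if not key:
        return b""
    return xor_bytes(blob[1 + key_len:], key)


def build_sample() -> bytes:
    """Wrap FINAL_STAGE in every layer, innermost first."""
    blob = FINAL_STAGE
    for key in LAYER_KEYS:
        blob = wrap_layer(blob, key)
    return blob


def static_scan(blob: bytes) -> list:
    """What a file scanner sees: which known strings are present as-is."""
    return [sig for sig in SIGNATURES if sig in blob]


def layers_until_visible(blob: bytes, max_layers: int = 8) -> int:
    """Peel layers, as an emulator or unpacker would, until a signature matches.
    Returns how many layers had to be removed, or -1 if nothing ever matched."""
    for depth in range(max_layers + 1):
        if static_scan(blob):
            return depth
        if len(blob) < 2:
            break
        blob = peel_layer(blob)
    return -1


if __name__ == "__main__":
    sample = build_sample()
    print("signatures visible on disk:", static_scan(sample))
    print("layers to peel before the payload shows:", layers_until_visible(sample))
```

The on-disk scan of the wrapped sample finds nothing, and three layers have to be peeled before the payload strings appear. In the real attack the decoded stage is written into memory that was allocated with execute permission and then jumped to, which is why behavioural detection watches for that allocate-write-execute pattern rather than relying on file signatures.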
The attacks also use the Heaven's Gate technique to call 64-bit code from a 32-bit process. On 64-bit Windows a 32-bit program runs under the WOW64 layer, and by jumping into the 64-bit code segment it can step out of that layer. In this case it is done to bypass the API hooks that detection systems place in the 32-bit libraries: the malware issues system calls directly instead of going through the standard APIs. Heaven's Gate also serves as code camouflage, because existing debuggers do not cope well with 64-bit code being executed from inside a 32-bit process.
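The transition has a small number of well-known byte encodings, so it can be hunted for in code sections and memory dumps. The following is an added example written for this post (not code from the report or from any sample): a scanner for the common gate sequences, the matching return to 32-bit mode, and the ntdll-style raw syscall stub that the post says is used in place of the hooked APIs. The buffer it scans is constructed here with the sequences placed at known offsets, and the syscall number in it is an arbitrary value.

```python
"""Byte patterns of the Heaven's Gate transition (32-bit -> 64-bit under WOW64)
and of a raw syscall stub. Added example; the scanned buffer is constructed
here, not taken from a real sample."""
import re

# Common encodings of the gate in 32-bit code. Selector 0x33 is the 64-bit
# code segment under WOW64; 0x23 is the 32-bit one.
GATE_PATTERNS = {
    # jmp far 0x33:imm32  ->  EA <4-byte target> 33 00
    "jmp_far_to_cs33": rb"\xEA.{4}\x33\x00",
    # push 0x33 ; call $+5 ; add dword [esp], 5 ; retf
    "push33_call_add_retf": rb"\x6A\x33\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xCB",
    # 64-bit side returning to 32-bit code:
    # call $+5 ; mov dword [rsp+4], 0x23 ; add dword [rsp], 0xD ; retf
    "return_to_cs23": (rb"\xE8\x00\x00\x00\x00\xC7\x44\x24\x04\x23\x00\x00\x00"
                       rb"\x83\x04\x24\x0D\xCB"),
    # 64-bit ntdll-style stub: mov r10, rcx ; mov eax, <number> ; syscall
    # Found in code that is not ntdll, it means the hooked API was skipped.
    "raw_syscall_stub": rb"\x4C\x8B\xD1\xB8.{4}\x0F\x05",
}

COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in GATE_PATTERNS.items()}


def scan_code(buf: bytes) -> list:
    """Return (offset, pattern name) for every match, sorted by offset."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed buffer: NOP filler with the gate sequences at known offsets."""
    filler = b"\x90" * 16
    return (filler
            + b"\x6A\x33\xE8\x00\x00\x00\x00\x83\x04\x24\x05\xCB"   # gate in, offset 16
            + filler
            + b"\x4C\x8B\xD1\xB8\x3F\x00\x00\x00\x0F\x05"          # syscall stub, offset 44
            + filler                                                # (0x3F is an arbitrary number)
            + b"\xE8\x00\x00\x00\x00\xC7\x44\x24\x04\x23\x00\x00\x00"
            + b"\x83\x04\x24\x0D\xCB"                               # gate out, offset 70
            + filler
            + b"\xEA\x00\x10\x40\x00\x33\x00"                       # far jmp form, offset 104
            + filler)


if __name__ == "__main__":
    for offset, name in scan_code(build_sample()):
        print(f"{offset:5d}  {name}")
```

The push/call/add/retf form works because retf pops an offset and then a selector: the call pushes the return address, the add moves it past the retf, and the selector 0x33 pushed first selects the 64-bit segment. Static matches like these are only a starting point; the instructions can be split up or built at run time, so the same patterns are worth running over memory dumps of suspended or suspicious processes as well as over files.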
The attacks also use a technique known as Process Hollowing to run the ransomware. The attacker creates a process in a suspended state, replaces its image in memory with the one they want to keep hidden, points the main thread's entry point at the new code and then resumes the process. The ransomware image itself is stored encrypted inside the NSIS installer and only decrypted at run time, and the implementation is a variation on the textbook technique.

Everything happens in memory. Your PC starts a process in a suspended state, the image is swapped for the ransomware image, the entry point of the new process is redirected to that code, and when the process is resumed it runs the attacker's code rather than the original program.

Creating processes in a suspended state and remapping their images are both suspicious activities, but only in combination. Starting a process suspended is fine on its own (debuggers and some legitimate software do it); writing a new image over it before it is resumed is not.

What is worrying is that the attackers implement Process Hollowing differently each time, to make things more complicated and much harder to trace, and the way these techniques were combined had not been seen before. The installer looks clean when a vendor scans it on disk, but once it has passed that check the code is free to do whatever it wants, which is exactly why it is built this way.
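Because the individual steps are ordinary, detection has to look at the combination. The following is an added example for this post (not code from the report or from any product) that correlates an API-call trace per child process and only raises a hollowing verdict when a suspended start is followed by a cross-process image write, a thread-context change and a resume. The trace lines are constructed here in a simple key=value format, and the list of API names for each step is broad on purpose, since the sequence is implemented differently each time: one of the constructed chains maps a section instead of calling WriteProcessMemory and never unmaps the original image.

```python
"""Correlating a process-creation trace for the Process Hollowing sequence.
Added example; the trace lines are constructed in a simple key=value format,
not the output of any real EDR or sandbox."""

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess

# API names that can play each role. Listed broadly because, as the post
# says, the sequence is implemented differently each time.
CREATE_APIS = {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}
UNMAP_APIS = {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory", "NtMapViewOfSection"}
CONTEXT_APIS = {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}
RESUME_APIS = {"ResumeThread", "NtResumeThread"}

# Constructed trace: a textbook hollowing chain against pid 4412, a variant
# against pid 5120 that maps a section instead of writing and never unmaps,
# and a benign program (pid 3300) that starts pid 6001 suspended and resumes it.
SAMPLE_TRACE = """\
pid=1200 api=CreateProcessW child=4412 flags=0x4
pid=1200 api=NtUnmapViewOfSection target=4412
pid=1200 api=VirtualAllocEx target=4412 protect=0x40
pid=1200 api=WriteProcessMemory target=4412
pid=1200 api=SetThreadContext target=4412
pid=1200 api=ResumeThread target=4412
pid=1200 api=CreateProcessW child=5120 flags=0x4
pid=1200 api=NtMapViewOfSection target=5120 protect=0x40
pid=1200 api=Wow64SetThreadContext target=5120
pid=1200 api=NtResumeThread target=5120
pid=3300 api=CreateProcessW child=6001 flags=0x4
pid=3300 api=ResumeThread target=6001
"""


def parse_line(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict of strings."""
    return dict(field.split("=", 1) for field in line.split())


def correlate(trace: str) -> dict:
    """Track, per child pid, which hollowing steps its creator performed on it."""
    state = {}
    for raw in trace.splitlines():
        ev = parse_line(raw)
        api = ev["api"]
        if api in CREATE_APIS:
            flags = int(ev.get("flags", "0"), 16)
            state[ev["child"]] = {
                "creator": ev["pid"],
                "suspended": bool(flags & CREATE_SUSPENDED),
                "unmapped": False, "written": False,
                "context_set": False, "resumed": False,
            }
            continue
        s = state.get(ev.get("target"))
        if s is None or s["creator"] != ev["pid"]:
            continue  # only the creating process matters for this pattern
        if api in UNMAP_APIS:
            s["unmapped"] = True
        elif api in WRITE_APIS:
            s["written"] = True
        elif api in CONTEXT_APIS:
            s["context_set"] = True
        elif api in RESUME_APIS:
            s["resumed"] = True
    return state


def verdicts(trace: str) -> dict:
    """'hollowing' needs suspended start + image replaced + entry point moved +
    resume. Unmapping is recorded but not required, since some variants skip it."""
    out = {}
    for child, s in correlate(trace).items():
        if s["suspended"] and s["written"] and s["context_set"] and s["resumed"]:
            out[child] = "hollowing"
        elif s["suspended"] and (s["written"] or s["context_set"]):
            out[child] = "suspicious"
        else:
            out[child] = "benign"
    return out


if __name__ == "__main__":
    for child, verdict in verdicts(SAMPLE_TRACE).items():
        print(child, verdict)
```

Both attacker chains come out as hollowing and the plain suspended start as benign. Requiring the write and the context change, rather than the unmap, is what keeps the variant from slipping through; in practice this kind of correlation is done by the endpoint agent from its own hooks or kernel callbacks, but the logic is the same.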
As always, if you are concerned about these activities or have any questions, please don't hesitate to contact GreyFusion by email at email@example.com or visit our website www.greyfusion.co.uk
Best practice is to always keep a backup of your files, so that you are never in a position of losing a photo, video or document again. Bear in mind that ransomware encrypts any drive or network share it can reach, so the backup needs to be kept offline or versioned (with older copies retained), and you should check now and again that you can actually restore from it.
Our cloud backup service is always available: http://www.greyfusion.co.uk/cloud-backup-service
IT Support Witney