Malware Hides in Installer to Avoid Detection

At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our analysis shows that several malware families are employing the same technique to hide their packed executable code. Usually every malware family uses its own polymorphic packers to obfuscate its payload. In this case four families have the same executable format to hide the malicious code.

The malicious NSIS package contains a DLL (acting as a decryptor and injector) and an encrypted executable payload. Once onboard an infected machine, the NSIS package drops a DLL and two data files and loads the DLL. The DLL decrypts the two data files and executes the final payload using process hollowing, a technique used by malware in which the original code is replaced with malicious code. If we were to analyze the DLL alone, we would not conclude that it was malicious because it relies on encrypted data in the two data files.

We found four malware families using this technique:

  • Cerber
  • Gamarue
  • Kovter
  • ZCrypt

Evading security products

Because the malicious payload and APIs are encrypted and do not match any specific file format, antimalware scanners will usually skip these files. They also act as efficient hash busters and easily bypass emulation techniques. When these files are copied into other directories, the malware keep the NSIS file format to strengthen their defense. We also noticed that the decryption logic varies slightly among the malware.

Propagation

The malware are distributed via spam campaigns:


A ZIP archive contains the executable:


NSIS file identification

The “NullsoftInst” string sits at offset overlay+8, that is, 8 bytes past the start of the PE overlay.
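
The following Python sketch applies that identification check for triage; it is an added example, not code from the original analysis. It assumes the overlay begins where the last PE section's raw data ends (signed or padded files may differ), and the function names and the `build_sample` test file are constructed for illustration.

```python
import struct
import sys

NSIS_MAGIC = b"NullsoftInst"
MAGIC_OFFSET = 8  # offset from the start of the overlay, as stated in the article

def overlay_offset(data):
    """Return the file offset just past the last PE section's raw data, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    (num_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                            # first section header
    end = 0
    for i in range(num_sections):
        entry = table + 40 * i
        if entry + 40 > len(data):                            # truncated or malformed
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        end = max(end, raw_ptr + raw_size)
    return end or None

def is_nsis_installer(data):
    """True when the NSIS signature sits at overlay+8."""
    start = overlay_offset(data)
    if start is None:
        return False
    pos = start + MAGIC_OFFSET
    return data[pos:pos + len(NSIS_MAGIC)] == NSIS_MAGIC

def build_sample(overlay):
    """Constructed minimal PE (one 0x200-byte section at 0x200) plus an overlay."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = struct.pack("<8sIIII16x", b".text", 0x200, 0x1000, 0x200, 0x200)
    return (dos + coff + sect).ljust(0x200, b"\0") + b"\x90" * 0x200 + overlay

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "NSIS" if is_nsis_installer(fh.read()) else "not NSIS")
```

A positive result only says the file is an NSIS installer, which is also true of a great deal of legitimate software; it is a routing signal for unpacking the package and inspecting its contents, not a verdict.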

Malicious NSIS package

The sample we analyzed has the following components inside the NSIS package.

  • e: Data file contains encrypted APIs used for process hollowing.
  • fsv: Data file contains the final encrypted payload.
  • dll: Malicious DLL decrypts data files and executes the process hollowing.

The encrypted data file geanticline.e:


The decrypted geanticline.e:


The encrypted payload (tache.fsv):


The decrypted payload:


Decryption code for process hollowing APIs

Code in OpenCandy.dll decrypts both data files. The following code accesses the files:


The decryption key that unlocks the data file lies in the data filename itself. The decryption logic appears in the following screen:


An XOR operation decrypts the data file.

Decryption code for payload

We found the decryption key resides inside the DLL and varies among the malware families.

Decryption key location:


Decryption code:


Decryption logic for process hollowing

We used Python to reimplement the decryption logic used by the malware. The encrypted data file path should be passed as an argument.

For each malware family, the value of MAXKEYINDEX can be changed or set equal to KEYLEN.

Decryption logic for payload


MD5 hash: 5AF3BED65AEF6F0113F96FD3E8B67F7A

I would like to thank my colleagues Sivagnanam G N and Manjunatha Shankaranarayana for their help with this analysis.