The latest versions of Cerber and Locky ransomware have been, since mid-January, finding great success in bypassing existing security detection systems through the use of a common infrastructure that allows the malicious code to bury itself inside NSIS installers, and use several layers of obfuscation and encryption to hide before executing in memory.
It’s unknown whether the infrastructure supporting these attacks is being sold on private forums, or whether the malware authors are sharing code. What’s known is the latest versions of these crypto-ransomware families are exhibiting the exact same behavior.
“Attackers are always finding ways to execute malicious code in a way that was not being used before. As soon as we find out about a new technique, they are moving on to the next one,” said Tom Nipravsky, a security researcher with Deep Instinct. “As we saw in the past two months, the trend is using NSIS. We suspect it’s some kind of infrastructure because we saw the exact same behaviors between different kinds of ransomware.”
Nipravsky, who wrote a report published Monday on these trends, said not only Cerber (versions 5.1 and 4) and Locky (many older versions) are taking advantage of these techniques, but also different versions of Cryptolocker and Cryptowall.
“We suspect maybe it’s some kind of infrastructure being sold on the deep web, we don’t know for sure. But it’s definitely some kind of common infrastructure because the behaviors are exactly the same, 1 to 1,” he said. “It seems to be quite common over the past two months. Even the new versions of Locky and Cerber and using NSIS.”
NSIS, which is short for Nullsoft Scriptable Install System, is an open source system that’s used to build Windows installers. This is key for the attackers behind these campaigns to hide the ransomware executable from detection systems. According to Nipravsky’s report, a SYSTEM plugin used with the NSIS installers calls the Win32API, allowing the attacker to allocate executable memory and execute a code stub that decrypts the ransomware.
“[With the SYSTEM plugin, you can call functions inside Windows and do whatever you want. What they are doing is allocating executable memory, putting the code inside the memory they have been allocated and then just executing the code,” Nipravsky said. “Because the code is obfuscated, so you have only a small stub which is in charge of XOR’ing the next step of the code. Security vendors are unable to see what the actual code is doing. They can only see what the small stub is doing, and the small stub is doing basically nothing, just XOR’ing some small bytes.”
The NSIS installer gives the attackers an easy way to execute code, Nipravsky said. But he cautions there’s much more going on.
For example, he said the attacks also use the Heaven’s Gate technique to call 64-bit code from a 32-bit process, which is this case is done to bypass API hooks used in detection systems. It uses system calls instead of standard APIs, Nipravsky said, adding that Heaven’s Gate is also used for code obfuscation because existing code debuggers aren’t the best when 64-bit code is executed from a 32-bit process.
The attacks also use a process known as Process Hollowing to execute the installer. Here, attackers create processes in a suspended state and replace the process image with one that the attacker wants to remain hidden. The installer, he said, is also encrypted inside the NSIS installer and decrypted at runtime. Even this particular technique is a riff on traditional Process Hollowing, he said.
“Everything happens inside of memory. I’m executing the process in a suspended state, replacing the image with the image of the ransomware and redirecting the entry point of the new process to my code,” Nipravsky said. “What happens when I resume the process is that it goes to my code and not the original code.”
Nipravsky concedes that creating processes in a suspended state and remapping images are both suspicious activities.
“Attackers are implementing Process Hollowing each time in a different way to make things more complicated and much harder to trace,” he said. “Executing a process in a suspended state is OK. But when you are replacing the image, this is suspicious. The way they were implementing these techniques, this is the first time I’ve seen this. The executables are OK when scanned by a vendor, but once you pass this, you are allowed to do whatever you want. This is way they are implementing it in this way.”
