{"id":91112,"date":"2022-10-21T13:31:28","date_gmt":"2022-10-21T08:01:28","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=91112"},"modified":"2023-06-17T16:44:38","modified_gmt":"2023-06-17T11:14:38","slug":"are-malware-operators-using-nsis-installers-to-bombard-stealers-and-avoid-detection","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/are-malware-operators-using-nsis-installers-to-bombard-stealers-and-avoid-detection\/","title":{"rendered":"Are Malware operators using NSIS Installers to bombard Stealers and avoid detection?"},"content":{"rendered":"

 <\/p>\n

Threat actors have been using new techniques to hide their codes and avoid detection in every manner. They now use a new trend through NSIS (Nullsoft Scriptable Install System), which is an open-source installer that can bundle various files together. In the past, Malware attackers<\/a> have used this NSIS-based crypter to hide themselves. This trend has been observed in malware families such as Lokibot, Ave Marie stealer, AgentTesla, Formbook, etc. This blog describes deeper insights into the new trend of cyber-attacks.<\/p>\n

ANALYSIS- LOKIBOT<\/strong><\/h3>\n

Let us look into the below hash (2D4739AB2D34EEC849D903E05E8E0EB4).<\/p>\n

This is an NSIS file that can be identified through the DIE tool<\/p>\n

\"\"<\/p>\n

Fig 1: DIE Tool showing NSIS<\/em><\/strong><\/p>\n

On extracting the file using 7zip, we can see the contents in the folder. It has two encrypted payloads and an executable inside it. On execution, all the files are dropped in the %temp% folder.<\/p>\n

\u00a0 \"\"\u00a0 \u00a0 \u00a0 \u00a0Fig 2: Inside the NSIS file<\/em><\/strong><\/p>\n

Let us now look into the executable jyacil.exe (MD5: 81EC4B73F581DD36CBDBB6C695CD038C). The file allocates memory using VirtualAlloc API and then copies the encrypted payload (botredmnra-6kb) into that allocated space.<\/p>\n

\"\"<\/p>\n

Fig 3: Virtually Allocated memory containing the encrypted payload<\/em><\/strong><\/p>\n

This payload is decrypted into shellcode by the decryption loop followed.<\/p>\n

\"\"<\/p>\n

Fig 4: Decryption loop<\/em><\/strong><\/p>\n

The code flow now moves into the decrypted shellcode, which is directly responsible for decrypting the bigger payload.<\/p>\n

\"\"<\/p>\n

Fig 5: Decrypted shellcode<\/em><\/strong><\/p>\n

Now the bigger encrypted file is read from %temp% using ReadFile API and copied into virtually allocated memory. Then the file is decrypted by a big decryption loop whose chunks are present below. It is a massive loop, so only a few fragments are shown in the picture.<\/p>\n

\"\" \"\"<\/p>\n

Fig 6: Decryption loop<\/em><\/strong><\/p>\n

\"\" \"\" \"\"<\/em><\/p>\n

Fig 7: Decryption loop<\/em><\/strong><\/p>\n

This decryption brings in another PE file which is the actual payload.<\/p>\n

\"\"<\/p>\n

Fig 8: Payload<\/em><\/strong><\/p>\n

After this, process hollowing is done, and the actual malware payload performs its activity. Let us now focus on the actual malware (md5: C6085AED2E2C782F81CCCA6B5FACA13E[Visual C++ compiler]).<\/p>\n

The malware creates a mutex to make sure only one instance is running. It then creates a file <randomname>.tmp to store all stolen information. This random name is formed by two unique strings present in the file.<\/p>\n

\"\"<\/p>\n

Fig 9: Unique strings to form random name<\/em><\/strong><\/p>\n

\u00a0The C2 URL is hardcoded, which is later decrypted.<\/p>\n

\"\"<\/p>\n

Fig 10: Hardcoded URL<\/em><\/strong><\/p>\n

\"\"<\/p>\n

Fig 11: C2 Formed after decryption<\/em><\/strong><\/p>\n

This payload is Lokibot stealer, which steals credentials from:<\/p>\n

Comodo, Maplestudio, Google Chrome, Nichrome, RockMelt, Spark, Chromium, Titanium Browser, Yandex, Torch, Mustang Browser, NetSarang, FossaMail, Postbox, MoonChild, NetGate, Total Commander, EasyFTP, FileZilla, KiTTy, etc. and sends to C2 :<\/p>\n

Hxxp[:]\/\/85.202[.]169.172\/goodlife\/five\/fre[.]php<\/p>\n

\"\" \"\"<\/p>\n

Fig 12: Lokibot-related strings<\/em><\/strong><\/p>\n

ANALYSIS- Ave Marie Stealer<\/strong><\/p>\n

We now look into another file belonging to Ave Marie Stealer (MD5: CE488BABC73497C16CE8D2DE5ED218A7). This is also an NSIS-based file.<\/p>\n

Using 7zip, we can see the contents present inside the file:<\/p>\n

\"\"<\/p>\n

Fig 13: Inside NSIS Files<\/em><\/strong><\/p>\n

In this case, dyhqo.exe is responsible for decrypting the jvqnj (8kb file) and forms a shellcode which later decrypts the bigger payload gdrat8hotr11us6qz, which is the actual payload.<\/p>\n

There is a slight change in the decryption loop in the first stage (The remaining file is almost the same):<\/p>\n

\"\"<\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Fig 14: Decryption loop<\/strong><\/em><\/p>\n

After the second stage decryption, we get the Ave Marie stealer (Delphi file) (MD5: E77D247BB34818C0C3352762C7DE0213). Related strings can be seen in the figure. This stealer captures keystrokes and steals data from various browsers such as UCBrowser, CentBrowser, Comodo, Chromium, Blisk, Microsoft Edge, etc.<\/p>\n

\"\" \"\"<\/p>\n

\u00a0Fig 15: <\/em>Ave Marie related strings observed in the inner payload<\/strong><\/p>\n

\"\"<\/p>\n

Fig 16: <\/em><\/strong>C2 URL: danseeeee.duckdns.org:2022<\/em><\/strong><\/p>\n

\u00a0<\/strong>ANALYSIS: AGENTTESLA<\/strong><\/p>\n

Let us now look into another file belonging to Formbook (MD5: 66BE80324D7937C5E17F5D4B08574145). This is also an NSIS based file.<\/p>\n

Using 7zip, we can see the contents inside the file:<\/p>\n

\"\"<\/p>\n

Fig 17: <\/em><\/strong>Inside the NSIS file<\/em><\/strong><\/p>\n

In this case, also omrtoehch.exe is responsible for decrypting the wygeuhclea (6kb file) and forms a shellcode which later decrypts the bigger payload y27ub6kcvxv73holza44, which forms the actual payload.<\/p>\n

There is a change in the decryption loop in the first stage (The remaining file is almost the same). It is a big loop, so chunks of code are shown below:<\/p>\n

\"\" \"\"<\/p>\n

Fig 18: Decryption loop<\/em><\/strong><\/p>\n

After the second stage decryption, we get another payload (Visual C MD5: D0FF8F95A6AA286D781528197255B805).\u00a0 In this file, it can be clearly observed that there is another PE file inside the resources (RCDATA). Let\u2019s extract that and look into what exactly it is (F2E113BE23813F22EAA3B82CCBE535EA).<\/p>\n

\"\"<\/p>\n

Fig 19<\/em><\/strong><\/p>\n

This file is a DOTNET file obfuscated by \u201cObfuscar, \u201cwhich is an open-source .Net Obfuscator.<\/p>\n

\"\"
\nFig 20<\/em><\/strong><\/p>\n

The code is highly obfuscated, and each string is decrypted at runtime. The encoded strings are highlighted. All the characters are stored in a single array of bytes, accessed by <<EMPTY_NAME>><\/p>\n

\"\"<\/p>\n

Fig 21<\/em><\/strong><\/p>\n

The decryption is done by the above list by XOR operation with the encrypted byte, its position on the list, and the decimal number 170.<\/p>\n

\"\"<\/p>\n

Fig 22<\/em><\/strong><\/p>\n

This payload, to access a string, will call the function that returns the string by accessing its position in the list and its length.<\/p>\n

After decrypting the payload, the following strings were found, which are related to AgentTeslaV3:<\/p>\n

\\Account.CFN<\/p>\n

\\Account.stg<\/p>\n

\\accountrc<\/p>\n

\\accounts.xml<\/p>\n

\\Accounts\\Account.rec0<\/p>\n

\\Accounts_New<\/p>\n

\\Apple Computer\\Preferences\\keychain.plist<\/p>\n

\\browsedata.db<\/p>\n

\\cftp\\Ftplist.txt<\/p>\n

\\Claws-mail<\/p>\n

\\clawsrc<\/p>\n

\\Common Files\\Apple\\Apple Application Support\\plutil.exe<\/p>\n

\\Comodo\\IceDragon\\<\/p>\n

\\CoreFTP\\sites.idx<\/p>\n

\\Data\\Tor\\torrc<\/p>\n

\\Default\\<\/p>\n

\\Default\\EncryptedStorage<\/p>\n

\\Default\\Login Data<\/p>\n

\\drivers\\etc\\hosts<\/p>\n

\\EncryptedStorage<\/p>\n

\\falkon\\profiles\\<\/p>\n

\\Mailbox.ini<\/p>\n

\\Microsoft\\Credentials\\<\/p>\n

\\Microsoft\\Edge\\User Data<\/p>\n

\\Microsoft\\Protect\\<\/p>\n

\\Moonchild Productions\\Pale Moon\\<\/p>\n

\\Mozilla\\Firefox\\<\/p>\n

\\Mozilla\\icecat\\<\/p>\n

\\Mozilla\\SeaMonkey\\<\/p>\n

\\NETGATE Technologies\\BlackHawk\\<\/p>\n

\\OpenVPN\\config\\<\/p>\n

\\Opera Mail\\Opera Mail\\wand.dat<\/p>\n

\\passwordstorerc<\/p>\n

 <\/p>\n

INFECTION VECTOR<\/strong><\/p>\n

All these files have the following infection chain<\/p>\n

EMAIL >> DOCUMENT\/XLS\/CAB\/RAR >> NSIS Installers<\/p>\n

\"\"<\/p>\n

Fig 22: Email containing XLSX attachment<\/em><\/strong><\/p>\n

 <\/p>\n

How does Quick heal protect its customers?<\/strong>
\n<\/strong><\/h3>\n

Quick heal protects its customers via following detections:<\/p>\n