Ransomware operators have changed tactics again, making the job of security vendors harder once more, by switching to a new method of packing their malware inside NSIS installers.

NSIS, which stands for Nullsoft Scriptable Install System, is an open source scriptable installer/uninstaller system created for Windows PCs by Nullsoft, Inc.

For 16 years, software developers have been using NSIS to create installers for their applications, from Dropbox and McAfee to BitTorrent clients and Ubisoft games.

Because of the technology's popularity among developers and instant recognition among users, malware authors haven't shied away from packing their malicious code inside NSIS installers. Furthermore, the technology's open nature helped malware authors create various methods of delivering and hiding their code.

Rising trend of NSIS installers hiding ransomware

Microsoft's Malware Protection Center has recently observed a change in the way malware authors deploy malicious code via NSIS installers.

The changes are at the lowest levels of the installers, in how files are arranged and named inside them. These changes are 100% invisible to end users but are enough to break common threat detection systems.

Comparison of old and new NSIS installer malware-hiding methods (via MMPC)

Furthermore, these new and improved NSIS installers use encryption to hide the malicious code, which they load into the PC's memory, decrypt there, and execute.

According to Microsoft, since December 2016, the number of these new types of NSIS installers laced with malware has been slowly going up.

Recent activity with new model of NSIS installers (via MMPC)

The company attributes this rise to a few malware distribution campaigns that have used this new infection method. Microsoft suspects that all these campaigns are part of a malware distribution network, from where various cybercrime groups rent distribution services.

Among its most ardent customers are ransomware distributors, such as groups behind campaigns spreading Locky, Cerber, Crypt0L0cker, CTB-Locker, CryptoWall, and Wadhrama.

Main distribution vector is email spam campaigns

The distribution process takes different forms but relies on email spam campaigns, which end with the crooks dropping an NSIS installer onto the user's PC and waiting for the user to launch it.

Microsoft says it has seen malware authors rely on spam campaigns that spread macro-laced Office documents, JavaScript downloaders, JavaScript downloaders packed inside ZIP files, and .LNK files that contain PowerShell scripts. All of these lead to the download of a tainted NSIS installer.

Users should be on high alert before running NSIS installers they have not manually and personally downloaded onto their computers. These days, such installers might very well contain ransomware.