Malware Hides in Installer to Avoid Detection

At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our analysis shows that several malware families are employing the same technique to hide their packed executable code. Usually each malware family uses its own polymorphic packer to obfuscate its payload. In this case four families use the same executable format to hide their malicious code.

The malicious NSIS package contains a DLL (acting as a decryptor and injector) and an encrypted executable payload. Once on an infected machine, the NSIS package drops the DLL and two data files and loads the DLL. The DLL decrypts the two data files and executes the final payload using process hollowing, a technique in which the original code of a legitimately started process is replaced in memory with malicious code. Analyzed on its own, the DLL would not look malicious, because it relies on the encrypted data in the two data files.

We found four malware families using this technique:

  • Cerber
  • Gamarue
  • Kovter
  • ZCrypt

Evading security products

Because the malicious payload and the API list are encrypted and do not match any recognized file format, antimalware scanners will usually skip these files. The encrypted files also act as efficient hash busters and easily bypass emulation. When these files are copied into other directories, the malware keeps the NSIS file format to strengthen its defense. We also noticed that the decryption logic varies slightly among the families.


The malware is distributed via spam campaigns:


A ZIP archive contains the executable:


NSIS file identification

Offset 8 from the start of the overlay (the data appended after the last PE section) contains the “NullsoftInst” string:
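The following script is an added example, not McAfee Labs tooling: it computes the PE overlay offset from the section table (end of the last section's raw data) and checks for the “NullsoftInst” marker at overlay+8, the position the text describes. The `build_sample_pe` helper and the `NSIS_OVERLAY` bytes are constructed here purely so the check can be exercised offline; the layout of the first 8 overlay bytes (4 bytes of flags, then 0xDEADBEEF) is an assumption about the NSIS first header, not something the post states.

```python
import struct

# Added example (not the McAfee Labs tooling): locate the PE overlay and look
# for the NSIS first-header marker that the post places at overlay+8.
NSIS_MAGIC = b"NullsoftInst"
NSIS_MAGIC_OFFSET = 8   # assumption: 4 bytes of flags, 4 bytes 0xDEADBEEF, then the string


def pe_overlay_offset(data: bytes) -> int:
    """Return the file offset where the overlay starts: the end of the last
    section's raw data. Raises ValueError if the buffer is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    section_table = e_lfanew + 24 + opt_hdr_size
    end = 0
    for i in range(num_sections):
        hdr = section_table + i * 40
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def is_nsis_installer(data: bytes) -> bool:
    """True if the overlay carries the 'NullsoftInst' marker at offset 8."""
    try:
        overlay = pe_overlay_offset(data)
    except ValueError:
        return False
    if overlay >= len(data):            # no overlay at all
        return False
    start = overlay + NSIS_MAGIC_OFFSET
    return data[start:start + len(NSIS_MAGIC)] == NSIS_MAGIC


def build_sample_pe(overlay: bytes) -> bytes:
    """Construct a minimal, non-executable PE image with one section followed
    by `overlay`, so the checks above can run offline (constructed test data)."""
    file_align = 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    opt_hdr = b"\0" * 224                                      # zeroed PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt_hdr), 0x102)
    section_body = b"\xCC" * file_align
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_body), 0x1000,
                          len(section_body), file_align, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt_hdr + section
    headers += b"\0" * (file_align - len(headers))
    return headers + section_body + overlay


# Constructed overlay: flags (4 bytes), 0xDEADBEEF, then the marker string.
NSIS_OVERLAY = b"\0\0\0\0" + b"\xEF\xBE\xAD\xDE" + NSIS_MAGIC + b"\0" * 16

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample_pe(NSIS_OVERLAY)
    print("NSIS installer" if is_nsis_installer(blob) else "not NSIS")
```

Run it with a file path to triage a real sample, or with no arguments to check the constructed image. The overlay offset is derived from the section table rather than from SizeOfImage, because the overlay by definition sits beyond every section's raw data.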


Malicious NSIS package

The sample we analyzed has the following components inside the NSIS package.

  • e: data file containing the encrypted list of APIs used for process hollowing.
  • fsv: data file containing the final encrypted payload.
  • dll: malicious DLL that decrypts the data files and performs the process hollowing.

The encrypted data file geanticline.e:


The decrypted geanticline.e:


The encrypted payload (tache.fsv):


The decrypted payload:


Decryption code for process hollowing APIs

Code in OpenCandy.dll decrypts both data files. The following code accesses the files:


The decryption key that unlocks the data file lies in the data filename itself. The decryption logic appears in the following screenshot:


An XOR operation decrypts the data file.

Decryption code for payload

We found that the decryption key resides inside the DLL and varies among the malware families.

Decryption key location:


Decryption code:


Decryption logic for process hollowing

We used Python to reimplement the decryption logic used by the malware. The path to the encrypted data file is passed as an argument.

For each malware family, the value of MAXKEYINDEX may need to be changed; in some families it simply equals KEYLEN.


Decryption logic for payload
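The McAfee Labs scripts for both data files were shown as screenshots in the original post; the script below is an added example, not their code, covering the two passages above (the filename-keyed API file and the DLL-keyed payload). It implements XOR decryption with the two parameters the text names, KEYLEN and MAXKEYINDEX, and adds a PE sanity check so an analyst can recover a family's MAXKEYINDEX by trial when it is not equal to KEYLEN. Assumptions, labelled in the code: the key is taken as the filename stem (the post only says the key lies in the filename), the DLL key offset and length are whatever the analyst found in the disassembly, and the sample key, MAXKEYINDEX and plaintext are constructed here.

```python
import os
import struct
from typing import Optional

# Added example, not the McAfee Labs script: a generic decryptor following the
# two-parameter scheme the post describes (KEYLEN versus MAXKEYINDEX).


def xor_decrypt(blob: bytes, key: bytes, max_key_index: Optional[int] = None) -> bytes:
    """XOR each byte of `blob` with key[i % MAXKEYINDEX]. When max_key_index is
    None it equals KEYLEN, i.e. ordinary repeating-key XOR. XOR is symmetric,
    so the same routine encrypts the constructed sample below."""
    if not key:
        raise ValueError("empty key")
    n = len(key) if max_key_index is None else max_key_index
    if not 0 < n <= len(key):
        raise ValueError("MAXKEYINDEX must lie in 1..KEYLEN")
    return bytes(b ^ key[i % n] for i, b in enumerate(blob))


def key_from_filename(path: str) -> bytes:
    """Assumption for this example: the key is the base name without its
    extension (the post only states that the key lies in the data filename)."""
    stem, _ = os.path.splitext(os.path.basename(path))
    return stem.encode("ascii")


def key_from_dll(dll_image: bytes, offset: int, length: int) -> bytes:
    """For the payload the key lives inside the DLL; offset and length are what
    the analyst located in the disassembly (caller-supplied assumptions)."""
    key = dll_image[offset:offset + length]
    if len(key) != length:
        raise ValueError("key slice outside DLL image")
    return key


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on a decrypted payload: MZ header plus PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_max_key_index(blob: bytes, key: bytes) -> Optional[int]:
    """A family's MAXKEYINDEX is not known up front: try every value 1..KEYLEN
    and return the first whose output parses as a PE, or None if none does."""
    for n in range(1, len(key) + 1):
        if looks_like_pe(xor_decrypt(blob, key, n)):
            return n
    return None


def decrypt_data_file(path: str, key: Optional[bytes] = None,
                      max_key_index: Optional[int] = None) -> bytes:
    """Decrypt a dropped data file; the key defaults to the filename-derived one."""
    with open(path, "rb") as f:
        blob = f.read()
    return xor_decrypt(blob, key or key_from_filename(path), max_key_index)


# Constructed sample: a stub with a valid PE header skeleton, encrypted with the
# filename-style key "geanticline" and a MAXKEYINDEX of 4 (both invented here).
SAMPLE_KEY = b"geanticline"
SAMPLE_MAXKEYINDEX = 4
SAMPLE_PLAINTEXT = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
                    + b"PE\0\0" + b"constructed payload stub".ljust(32, b"\0"))
SAMPLE_ENCRYPTED = xor_decrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY, SAMPLE_MAXKEYINDEX)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        out = decrypt_data_file(sys.argv[1])
        print("PE payload" if looks_like_pe(out) else "not a PE", len(out), "bytes")
    else:
        print("recovered MAXKEYINDEX:", find_max_key_index(SAMPLE_ENCRYPTED, SAMPLE_KEY))
```

The PE check matters for the trial loop: with a repeating key, every candidate index of at least 2 reproduces the first two bytes correctly, so testing only for “MZ” would accept the wrong value; checking the PE signature at e_lfanew makes the recovered MAXKEYINDEX unambiguous.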



MD5 hash: 5AF3BED65AEF6F0113F96FD3E8B67F7A

I would like to thank my colleagues Sivagnanam G N and Manjunatha Shankaranarayana for their help with this analysis.

The post Malware Hides in Installer to Avoid Detection appeared first on McAfee.

Improve Protection Against Cyberattacks Through Shared Threat Intelligence

At the RSA Conference 2016 in San Francisco, Chris Young, GM and SVP of Intel Security, said that one of the best ways to improve response time to attacks and overall awareness of attacks and adversaries is through the timely sharing of threat intelligence. He also talked about Intel Security’s responsibility as a leading security vendor to set an example for the industry by pushing the boundaries of threat intelligence sharing.

We believe that by sharing threat intelligence, we can shift the balance of power away from the adversaries and back to us, the defenders. By crowdsourcing threat data and leveraging collaborative analytics, we can “connect the dots” to form better pictures of the attacks and adversaries that surround our customers. Collectively, we can deliver better protection.

Leading by example, Intel Security partnered with other leading cybersecurity solution providers in 2014 to form the Cyber Threat Alliance (CTA). CTA members share threat information, raising our situational awareness about advanced threats, including the motivations, tactics, and the actors behind them. Once shared, CTA members can automatically deploy prevention controls to stop the identified threats. Based on collaborative research, we also published a joint threat research report late last year around our collective analysis of the CryptoWall Version 3 campaign.

Intel Security is also helping drive the development of voluntary standards for those who wish to establish threat intelligence sharing organizations. We lead several committees within the Information Sharing and Analysis Organization (ISAO) Standards Organization, established through a US Presidential order in 2015. The ISAO SO’s objective is to encourage threat information sharing within the private sector and between the private sector and government.

To gain a better understanding of threat intelligence sharing and Intel Security’s leadership in driving its development, we recently created a web page that educates and shows how we use threat intelligence sharing to better protect our customers. You can visit the page here.

The post Improve Protection Against Cyberattacks Through Shared Threat Intelligence appeared first on McAfee.

Apple Releases Security Update

Original release date: August 25, 2016

Apple has released a security update to address multiple vulnerabilities in iOS. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system. The update is for iPhone 4s and later, iPad 2 and later, and iPod touch (5th generation) and later.

US-CERT encourages users and administrators to review the Apple security page for iOS 9.3.5 and apply the necessary update.


Actively exploited iOS flaws that hijack iPhones patched by Apple

iPhone spyware known as Pegasus intercepts confidential data. (credit: Lookout)

Apple has patched three high-severity iOS vulnerabilities that are being actively exploited to infect iPhones so attackers can steal confidential messages from a large number of apps, including Gmail, Facebook, and WhatsApp, security researchers said Thursday.

The spyware has been dubbed Pegasus by researchers from mobile security provider Lookout; they believe it has been circulating in the wild for a significant amount of time. Working with researchers from University of Toronto-based Citizen Lab, they have determined that the spyware targeted a political dissident located in the United Arab Emirates and was launched by a US-owned company specializing in computer-based exploits. Based on the price of the attack kit—about $8 million for 300 licenses—the researchers believe it's being actively used against other iPhone users throughout the world.

"Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile—always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists," Lookout and Citizen Lab researchers wrote in a blog post. "It is modular to allow for customization and uses strong encryption to evade detection."
