The ASEC analysis team recently discovered attackers distributing multiple malicious files with NSIS installers.
NSIS (Nullsoft Scriptable Install System) is normally used to create installers for certain programs. It can be also used for creating malware strains as it is script-based and thus makes nearly identical forms for NSIS installers.
NSIS installer-type malware strains have been used a lot by attackers. The type introduced in this post includes multiple malicious files in a single installer: running one file will infect the system with various malware strains.
Inside the NSIS installer is a file named setup_installer.exe and the NSI script as shown below.
The script simply has a routine for running setup_installer.exe. It does not have anti-sandbox techniques such as obfuscation or time delay.
setup_installer.exe consists of 7Zip SFX (Self-extracting archive) that can extract internally compressed files to a certain folder and run certain programs.
The setup_installer.exe file contains malicious files, library files, and setup_install.exe (15 in total). When the installer is run, it is automatically decompressed in the %TEMP% (temporary folder) \7zS[random 8 characters] folder and runs setup_install.exe when the process is complete.
The file uses Powershell to set an exclusion for MS Defender on the %TEMP% folder and runs 15 malicious files in order.
The figure below shows the process explained above.
The file distributes various malware types in a package form including info-leaking malware such as AgentTesla, RedLine, and SmokeLoader, downloaders such as BeamWinHTTP, STOP ransomware, etc.
As the malicious files mentioned above are often disguised as installers, users should take caution when downloading files from unknown sources. They should also refrain from downloading illegal software as installing it can infect the system with malware strains.
Users should also update the anti-malware software they are using to the latest version. As for V3 products, you can set the compressed file option to detect the malware type more effectively.
AhnLab V3 detects and blocks the malware using the aliases below.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.