CheckPoint Releases New Methodologies for Unpacking Malicious NSIS-Based Packages Delivering AgentTesla, Remcos, and XLoader Malware

CheckPoint Researchers have released new findings detailing new methodologies to unpack malicious Nullsoft Scriptable Install System (NSIS)-based packages, which have been used in attacks distributing AgentTesla, Remcos, and XLoader malware.

Executive Summary

CheckPoint Researchers have released new findings detailing new methodologies to unpack malicious Nullsoft Scriptable Install System (NSIS)-based packages, which have been used in attacks distributing AgentTesla, Remcos, and XLoader malware. The article also introduces NSIXloader, an NSIS-based crypter, and describes how to build a tool that automatically unpacks such samples for further analysis.

Community Threat Assessment

While analyzing malware campaigns, CheckPoint found that NSIS-based packers are used with various malware types, including AgentTesla, Remcos, and XLoader. These packers typically share one structure: encrypted files plus a DLL in the $PLUGINSDIR directory that decrypts and executes the payload.

Technical Background

NSIS packages are self-extracting archives with installation scripts. Cybercriminals typically use them to hide malicious DLLs or executables that unpack and execute encrypted payloads. To analyze and extract data from NSIS-based malware, the packed files must be unpacked, which can be done by running the malware in a sandbox environment, such as CAPE, and extracting memory dumps.

To automate unpacking, 7-Zip can be used to extract files from NSIS packages, and Python scripts can extract encryption keys from the DLLs. The decryption process involves using these keys to decrypt shellcode, which is position-independent and resolves Windows API functions by their hashes. The payload is decrypted using specific algorithms that vary with each sample, requiring customized unpacking scripts.

Variants of NSIS-based packers include those with shellcode embedded in the DLL, executables instead of DLLs, shellcode in resources, and RC4-encrypted payloads. Each variant has different complexities, such as different storage and decryption methods for the shellcode. Automated tools for unpacking these variants help analysts retrieve unencrypted malware for further analysis.
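The RC4-encrypted variant's final stage, as an added example (not CheckPoint's tool or the article's code): candidate keys are pulled from the $PLUGINSDIR DLL, each is tried against the encrypted file, and a result is accepted only when it carries a consistent DOS header and PE signature. The assumption that the key is stored as a printable ASCII string in the DLL is a heuristic of this example, and the DLL, key and payload below are constructed in memory.

```python
import re
import struct
from typing import Iterable, Optional, Tuple

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); RC4 is symmetric, so one routine encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def looks_like_pe(blob: bytes) -> bool:
    """Accept a decryption only if 'MZ' is present and e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def candidate_keys(dll: bytes, min_len: int = 8, max_len: int = 32) -> Iterable[bytes]:
    """Heuristic (assumption): the key is a printable ASCII string embedded in the DLL."""
    for m in re.finditer(rb"[\x21-\x7e]{%d,%d}" % (min_len, max_len), dll):
        yield m.group(0)

def unpack_rc4_variant(dll: bytes, encrypted: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Try each candidate key; return (key, decrypted_pe) for the first that yields a PE."""
    for key in candidate_keys(dll):
        plain = rc4(key, encrypted)
        if looks_like_pe(plain):
            return key, plain
    return None

# Constructed sample: a minimal PE-shaped payload, encrypted with a key hidden in a fake DLL.
SAMPLE_KEY = b"Xk9#pLq2vR7$mZ4w"
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x90" * 16
FAKE_DLL = b"MZ\x90\x00" + b"\x00" * 20 + b"decoy_short" + b"\x00" + SAMPLE_KEY + b"\x00" * 8
ENCRYPTED_PAYLOAD = rc4(SAMPLE_KEY, SAMPLE_PE)

if __name__ == "__main__":
    found = unpack_rc4_variant(FAKE_DLL, ENCRYPTED_PAYLOAD)
    print("recovered key:", found[0] if found else None)
```

The decoy string is tried first and rejected by the PE check, which is what keeps a key-scanning approach from returning garbage.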

Indicators of Compromise

The following IOCs, published by CheckPoint, are provided for community awareness and ingestion:

