Executive Summary
Check Point Research has published new findings describing methods for unpacking malicious Nullsoft Scriptable Install System (NSIS)-based packages, which have been used in campaigns delivering AgentTesla, Remcos, and XLoader. The article also introduces NSIXloader, an NSIS-based crypter, and describes how to build a tool that automatically unpacks these samples for further analysis.
Community Threat Assessment
While analyzing malware campaigns, Check Point found that NSIS-based packers are used to deliver several malware families, including AgentTesla, Remcos, and XLoader. These packers typically share one structure: encrypted files alongside a DLL in the $PLUGINSDIR directory that decrypts and executes the payload.
Technical Background
NSIS packages are self-extracting installers driven by an install script. Criminals use them to hide a malicious DLL or executable that, once the installer runs, decrypts and executes an embedded payload. To analyze and extract data from NSIS-based malware, the packed files must be unpacked; one approach is to detonate the sample in a sandbox such as CAPE and carve the payload from memory dumps.
To automate unpacking, 7-Zip can extract the files from an NSIS package, and Python scripts can recover the encryption keys from the DLL. Those keys decrypt a shellcode stage, which is position-independent and resolves the Windows API functions it needs by hash rather than by name. The shellcode in turn decrypts the final payload; the decryption algorithm varies from sample to sample, so each variant needs its own unpacking script.
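The API-by-hash resolution described above is what makes the shellcode awkward to read, so a useful first step in a custom unpacker is a hash-to-name table for annotating the hash constants found in the stub. The script below is an added example, not Check Point's tooling: it assumes ROR13 as the hash scheme (the page does not state which routine the samples use; the real one is lifted from the shellcode and substituted for `ror13_hash`), and the export list `SAMPLE_EXPORTS` is constructed inline rather than parsed from a real DLL.

```python
"""Hash-to-name table for shellcode that resolves Windows APIs by hash.

Added example, not Check Point's code. The hashing routine below is the
common ROR13 scheme, chosen as an ASSUMPTION for illustration: the real
routine must be lifted from the sample's shellcode and plugged in here.
"""
from typing import Dict, Iterable, List


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """ROR13 over the ASCII export name (assumed scheme, see module docstring)."""
    h = 0
    for ch in name.encode("ascii"):
        h = (ror32(h, 13) + ch) & 0xFFFFFFFF
    return h


def build_hash_table(exports: Iterable[str], hash_fn=ror13_hash) -> Dict[int, str]:
    """Map hash -> export name. Against a real sample, feed this the export
    names parsed from kernel32.dll, ntdll.dll, ... (e.g. with pefile)."""
    return {hash_fn(name): name for name in exports}


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> List[str]:
    """Annotate hash constants recovered from the shellcode. Unknown hashes
    stay hexadecimal so a wrong hash_fn is visible rather than silent."""
    return [table.get(h, f"<unresolved 0x{h:08x}>") for h in hashes]


# Constructed sample: a handful of exports a loader stub typically needs.
SAMPLE_EXPORTS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                  "VirtualProtect", "CreateThread", "WaitForSingleObject"]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Constants as they would be pulled from the shellcode; the last one is bogus.
    wanted = [ror13_hash("VirtualAlloc"), ror13_hash("CreateThread"), 0xDEADBEEF]
    for line in resolve_hashes(wanted, table):
        print(line)
```

If most constants come back unresolved, the assumed hash routine is wrong for this sample, not the export list; diff the shellcode's hashing loop against `ror13_hash` before touching anything else.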
Variants of these NSIS packers include samples with the shellcode embedded in the DLL, samples that ship an executable instead of a DLL, samples that store the shellcode in resources, and samples with RC4-encrypted payloads. Each variant differs in how the shellcode is stored and decrypted. Automated tools that cover these variants let analysts retrieve the unencrypted malware for further analysis.
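For the RC4-encrypted variant, the last step of an unpacker is trying the recovered key material against the encrypted blob and confirming that what comes out is a PE rather than garbage. The script below is an added example, not Check Point's code: the candidate key list, the key `SAMPLE_KEY` and the miniature PE `SAMPLE_PE` are constructed here, and it assumes the key candidates have already been pulled out of the $PLUGINSDIR DLL by an earlier extraction step.

```python
"""Recover an RC4-encrypted payload by trying candidate keys and checking
for a valid PE header.

Added example, not Check Point's code. Key candidates are ASSUMED to have
been extracted from the $PLUGINSDIR DLL already (e.g. from its strings or
a known offset); the sample below is constructed and encrypted inline.
"""
import struct
from typing import Iterable, Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE check: 'MZ' magic plus a 'PE\\0\\0' signature at e_lfanew.
    Checking the PE signature too avoids false hits on a lucky 'MZ'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_payload(blob: bytes, candidates: Iterable[bytes]) -> Optional[Tuple[bytes, bytes]]:
    """Return (key, decrypted_payload) for the first candidate that yields a PE."""
    for key in candidates:
        if not key:                               # RC4 needs a non-empty key
            continue
        plain = rc4(key, blob)
        if looks_like_pe(plain):
            return key, plain
    return None


# Constructed sample: a minimal PE-shaped blob, encrypted under a made-up key.
SAMPLE_KEY = b"nsis_demo_key"
SAMPLE_PE = (b"MZ" + b"\x00" * 0x3A              # DOS header up to e_lfanew
             + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
             + b"PE\0\0" + b"\x4c\x01"            # PE signature, Machine = i386
             + b"\x00" * 26)
ENCRYPTED_SAMPLE = rc4(SAMPLE_KEY, SAMPLE_PE)
# Candidate keys as a key-extraction script might emit them; most are decoys.
CANDIDATE_KEYS = [b"", b"Software\\NSIS", b"decoy", SAMPLE_KEY]

if __name__ == "__main__":
    hit = recover_payload(ENCRYPTED_SAMPLE, CANDIDATE_KEYS)
    if hit is None:
        print("no candidate key produced a PE")
    else:
        print(f"key {hit[0]!r} -> {len(hit[1])} bytes, PE header ok")
```

Against a real sample, `ENCRYPTED_SAMPLE` is the encrypted file 7-Zip pulled out of the installer and the candidate list comes from the key-extraction script; the PE check is what keeps a wrong key from being written to disk as a "payload".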
Indicators of Compromise
The following IOCs, provided by Check Point, are listed for community awareness and ingestion:
SHA256 | Payload |
12a06c74a79a595fce85c5cd05c043a6b1a830e50d84971dcfba52d100d76fc6 | XLoader |
44e51d311fc72e8c8710e59c0e96b1523ce26cd637126b26f1280d3d35c10661 | XLoader |
00042ff7bcfa012a19f451cb23ab9bd2952d0324c76e034e7c0da8f8fc5698f8 | XLoader |
3f7771dd0f4546c6089d995726dc504186212e5245ff8bc974d884ed4f485c93 | Remcos |
160928216aafe9eb3f17336f597af0b00259a70e861c441a78708b9dd1ccba1b | XLoader |
cd7976d9b8330c46d6117c3b398c61a9f9abd48daee97468689bbb616691429e | Agent Tesla |
a3e129f03707f517546c56c51ad94dea4c2a0b7f2bcacf6ccc1d4453b89be9f5 | 404 Keylogger |
bb8e87b246b8477863d6ca14ab5a5ee1f955258f4cb5c83e9e198d08354bef13 | Formbook |
178f977beaeb0470f4f4827a98ca4822f338d0caace283ed8d2ca259543df70e | Lokibot |
80db5ced294160666619a79f0bdcd690ad925e7f882ce229afb9a70ead46dffa | Warzone |
090979bcb0f2aeca528771bb4a88c336aec3ca8eee1cef0dfa27a40a0a06615c |