Evading security products<\/strong><\/h2>\nBecause the malicious payload and APIs are in encrypted and do not fall under any specific file formats, antimalware scanners will usually omit scanning these files. They also act as efficient hash busters and easily bypass emulation techniques. When these files are copied into other directories, the malware keep the NSIS file format to strengthen their defense. We also noticed that the decryption logic varies slightly among the malware.<\/p>\n
Propagation<\/strong><\/h2>\nThe malware are distributed via spam campaigns:<\/p>\n
![\"Capture\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png\")
<\/p>\n
A ZIP archive contains the executable:<\/p>\n
![\"Capture12\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture12-300x39.png\")
<\/p>\n
NSIS file identification<\/strong><\/h2>\nThe start of the overlay+8 offset contains the “NullsoftInst” string:<\/p>\n
![\"Capture113\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture113-300x75.png\")
<\/p>\n
Malicious NSIS package<\/strong><\/h2>\nThe sample we analyzed has the following components inside the NSIS package.<\/p>\n
\n- e: Data file contains encrypted APIs used for process hollowing.<\/li>\n
- fsv: Data file contains the final encrypted payload.<\/li>\n
- dll: Malicious DLL decrypts data files and executes the process hollowing.<\/li>\n<\/ul>\n
The encrypted data file geanticline.e:<\/p>\n
![\"Capture1123\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture1123-300x152.png\")
<\/p>\n
The decrypted geanticline.e:<\/p>\n
![\"Capture16\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture16-300x161.png\")
<\/p>\n
The encrypted payload (tache.fsv):<\/p>\n
![\"Capture17\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture17-300x148.png\")
<\/p>\n
The decrypted payload:<\/p>\n
![\"Capture12N\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture12N-300x137.png\")
<\/p>\n
Decryption code for process hollowing APIs<\/strong><\/h2>\nCode in OpenCandy.dll decrypts both data files. The following code accesses the files:<\/p>\n
![\"Capture4\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture4-300x238.png\")
<\/p>\n
The decryption key that unlocks the data file lies in the data filename itself. The decryption logic appears in the following screen:<\/p>\n
![\"Capture1N\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture1N-300x74.png\")
<\/p>\n
An XOR operation decrypts the data file.<\/p>\n
Decryption code for payload<\/strong><\/h2>\nWe found the decryption key resides inside the DLL and varies among the malware families.<\/p>\n
Decryption key location:<\/p>\n
![\"Capture2N\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture2N-300x152.png\")
<\/p>\n
Decryption code:<\/p>\n
![\"Capture3N\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture3N-300x194.png\")
<\/p>\n
Decryption logic for process hollowing <\/strong><\/h2>\nWe employed python to write the decryption logic used by the malware. The encrypted data file path should be passed as an argument.<\/p>\n
For each malware family, the value of MAXKEYINDEX can be changed or be equal to KEYLEN.<\/p>\n
![\"Python1\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Python1-300x260.png\")
<\/p>\n
Decryption logic for payload<\/strong><\/h2>\n![\"python2\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/python2-1-288x300.png\")
<\/p>\n
<\/p>\n
MD5 hash: 5AF3BED65AEF6F0113F96FD3E8B67F7A<\/p>\n
I would like to thank my colleagues Sivagnanam G N and Manjunatha\u00a0Shankaranarayana for their help with this analysis.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not…<\/p>\n","protected":false},"author":853,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,76,338,180],"coauthors":[4731],"class_list":["post-52182","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybercrime","tag-endpoint-protection","tag-malware"],"acf":[],"yoast_head":"\n
Malware Hides in Installer to Avoid Detection | McAfee Blog<\/title>\n<meta name=\"description\" content=\"At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Malware Hides in Installer to Avoid Detection | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2016-08-25T23:34:01+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-03T02:34:12+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Capture-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"585\" \/>\n\t<meta property=\"og:image:height\" content=\"69\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Satish Chimakurthi\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Satish Chimakurthi\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/\"},\"author\":{\"name\":\"Satish Chimakurthi\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/87b30a675b89da5043ae45c9ebb88774\"},\"headline\":\"Malware Hides in Installer to Avoid Detection\",\"datePublished\":\"2016-08-25T23:34:01+00:00\",\"dateModified\":\"2025-06-03T02:34:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/\"},\"wordCount\":495,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png\",\"keywords\":[\"computer security\",\"cybercrime\",\"endpoint protection\",\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/\",\"name\":\"Malware Hides in Installer to Avoid Detection | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png\",\"datePublished\":\"2016-08-25T23:34:01+00:00\",\"dateModified\":\"2025-06-03T02:34:12+00:00\",\"description\":\"At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Malware Hides in Installer to Avoid Detection\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/87b30a675b89da5043ae45c9ebb88774\",\"name\":\"Satish Chimakurthi\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/e404208c4ad315b041784257781e4afb\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/028feea6f4224158e83b969434d51f10?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/028feea6f4224158e83b969434d51f10?s=96&d=mm&r=g\",\"caption\":\"Satish Chimakurthi\"},\"description\":\"Satish Chimakurthi is a Security Researcher at McAfee Labs. He enthusiastically pursues malware analysis and reverse engineering. Chimakurthi's hobbies include listening to music and playing volleyball.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/satish-chimakurthi-28353245\/\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/satish-chimakurthi\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Malware Hides in Installer to Avoid Detection | McAfee Blog","description":"At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Malware Hides in Installer to Avoid Detection | McAfee Blog","og_description":"At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2016-08-25T23:34:01+00:00","article_modified_time":"2025-06-03T02:34:12+00:00","og_image":[{"width":585,"height":69,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Capture-1.png","type":"image\/png"}],"author":"Satish Chimakurthi","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written by":"Satish Chimakurthi","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/"},"author":{"name":"Satish Chimakurthi","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/87b30a675b89da5043ae45c9ebb88774"},"headline":"Malware Hides in Installer to Avoid Detection","datePublished":"2016-08-25T23:34:01+00:00","dateModified":"2025-06-03T02:34:12+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/"},"wordCount":495,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png","keywords":["computer security","cybercrime","endpoint protection","malware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/","name":"Malware Hides in Installer to Avoid Detection | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png","datePublished":"2016-08-25T23:34:01+00:00","dateModified":"2025-06-03T02:34:12+00:00","description":"At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Malware Hides in Installer to Avoid Detection"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/87b30a675b89da5043ae45c9ebb88774","name":"Satish Chimakurthi","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/e404208c4ad315b041784257781e4afb","url":"https:\/\/secure.gravatar.com\/avatar\/028feea6f4224158e83b969434d51f10?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/028feea6f4224158e83b969434d51f10?s=96&d=mm&r=g","caption":"Satish Chimakurthi"},"description":"Satish Chimakurthi is a Security Researcher at McAfee Labs. He enthusiastically pursues malware analysis and reverse engineering. Chimakurthi's hobbies include listening to music and playing volleyball.","sameAs":["https:\/\/www.linkedin.com\/in\/satish-chimakurthi-28353245\/"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/satish-chimakurthi\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/52182","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/853"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=52182"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/52182\/revisions"}],"predecessor-version":[{"id":214937,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/52182\/revisions\/214937"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=52182"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=52182"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=52182"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=52182"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
The malware are distributed via spam campaigns:<\/p>\n
<\/p>\n
A ZIP archive contains the executable:<\/p>\n
<\/p>\n
NSIS file identification<\/strong><\/h2>\nThe start of the overlay+8 offset contains the “NullsoftInst” string:<\/p>\n
<\/p>\n
Malicious NSIS package<\/strong><\/h2>\nThe sample we analyzed has the following components inside the NSIS package.<\/p>\n
\n- e: Data file contains encrypted APIs used for process hollowing.<\/li>\n
- fsv: Data file contains the final encrypted payload.<\/li>\n
- dll: Malicious DLL decrypts data files and executes the process hollowing.<\/li>\n<\/ul>\n
The encrypted data file geanticline.e:<\/p>\n
<\/p>\n
The decrypted geanticline.e:<\/p>\n
<\/p>\n
The encrypted payload (tache.fsv):<\/p>\n
<\/p>\n
The decrypted payload:<\/p>\n
<\/p>\n
Decryption code for process hollowing APIs<\/strong><\/h2>\nCode in OpenCandy.dll decrypts both data files. The following code accesses the files:<\/p>\n
<\/p>\n
The decryption key that unlocks the data file lies in the data filename itself. The decryption logic appears in the following screen:<\/p>\n
<\/p>\n
An XOR operation decrypts the data file.<\/p>\n
Decryption code for payload<\/strong><\/h2>\nWe found the decryption key resides inside the DLL and varies among the malware families.<\/p>\n
Decryption key location:<\/p>\n
<\/p>\n
Decryption code:<\/p>\n
<\/p>\n
Decryption logic for process hollowing <\/strong><\/h2>\nWe employed python to write the decryption logic used by the malware. The encrypted data file path should be passed as an argument.<\/p>\n
For each malware family, the value of MAXKEYINDEX can be changed or be equal to KEYLEN.<\/p>\n
<\/p>\n
Decryption logic for payload<\/strong><\/h2>\n<\/p>\n
<\/p>\n
MD5 hash: 5AF3BED65AEF6F0113F96FD3E8B67F7A<\/p>\n
I would like to thank my colleagues Sivagnanam G N and Manjunatha\u00a0Shankaranarayana for their help with this analysis.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not…<\/p>\n","protected":false},"author":853,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,76,338,180],"coauthors":[4731],"class_list":["post-52182","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybercrime","tag-endpoint-protection","tag-malware"],"acf":[],"yoast_head":"\n
Malware Hides in Installer to Avoid Detection | McAfee Blog<\/title>\n<meta name=\"description\" content=\"At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Malware Hides in Installer to Avoid Detection | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2016-08-25T23:34:01+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-03T02:34:12+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Capture-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"585\" \/>\n\t<meta property=\"og:image:height\" content=\"69\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Satish Chimakurthi\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Satish Chimakurthi\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/\"},\"author\":{\"name\":\"Satish Chimakurthi\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/87b30a675b89da5043ae45c9ebb88774\"},\"headline\":\"Malware Hides in Installer to Avoid Detection\",\"datePublished\":\"2016-08-25T23:34:01+00:00\",\"dateModified\":\"2025-06-03T02:34:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/\"},\"wordCount\":495,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png\",\"keywords\":[\"computer security\",\"cybercrime\",\"endpoint protection\",\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/\",\"name\":\"Malware Hides in Installer to Avoid Detection | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png\",\"datePublished\":\"2016-08-25T23:34:01+00:00\",\"dateModified\":\"2025-06-03T02:34:12+00:00\",\"description\":\"At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Malware Hides in Installer to Avoid Detection\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/87b30a675b89da5043ae45c9ebb88774\",\"name\":\"Satish Chimakurthi\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/e404208c4ad315b041784257781e4afb\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/028feea6f4224158e83b969434d51f10?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/028feea6f4224158e83b969434d51f10?s=96&d=mm&r=g\",\"caption\":\"Satish Chimakurthi\"},\"description\":\"Satish Chimakurthi is a Security Researcher at McAfee Labs. He enthusiastically pursues malware analysis and reverse engineering. Chimakurthi's hobbies include listening to music and playing volleyball.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/satish-chimakurthi-28353245\/\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/satish-chimakurthi\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Malware Hides in Installer to Avoid Detection | McAfee Blog","description":"At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Malware Hides in Installer to Avoid Detection | McAfee Blog","og_description":"At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2016-08-25T23:34:01+00:00","article_modified_time":"2025-06-03T02:34:12+00:00","og_image":[{"width":585,"height":69,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Capture-1.png","type":"image\/png"}],"author":"Satish Chimakurthi","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written by":"Satish Chimakurthi","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/"},"author":{"name":"Satish Chimakurthi","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/87b30a675b89da5043ae45c9ebb88774"},"headline":"Malware Hides in Installer to Avoid Detection","datePublished":"2016-08-25T23:34:01+00:00","dateModified":"2025-06-03T02:34:12+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/"},"wordCount":495,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png","keywords":["computer security","cybercrime","endpoint protection","malware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/","name":"Malware Hides in Installer to Avoid Detection | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png","datePublished":"2016-08-25T23:34:01+00:00","dateModified":"2025-06-03T02:34:12+00:00","description":"At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Malware Hides in Installer to Avoid Detection"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/87b30a675b89da5043ae45c9ebb88774","name":"Satish Chimakurthi","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/e404208c4ad315b041784257781e4afb","url":"https:\/\/secure.gravatar.com\/avatar\/028feea6f4224158e83b969434d51f10?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/028feea6f4224158e83b969434d51f10?s=96&d=mm&r=g","caption":"Satish Chimakurthi"},"description":"Satish Chimakurthi is a Security Researcher at McAfee Labs. He enthusiastically pursues malware analysis and reverse engineering. Chimakurthi's hobbies include listening to music and playing volleyball.","sameAs":["https:\/\/www.linkedin.com\/in\/satish-chimakurthi-28353245\/"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/satish-chimakurthi\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/52182","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/853"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=52182"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/52182\/revisions"}],"predecessor-version":[{"id":214937,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/52182\/revisions\/214937"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=52182"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=52182"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=52182"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=52182"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
<\/p>\nThe sample we analyzed has the following components inside the NSIS package.<\/p>\n
- \n
- e: Data file contains encrypted APIs used for process hollowing.<\/li>\n
- fsv: Data file contains the final encrypted payload.<\/li>\n
- dll: Malicious DLL decrypts data files and executes the process hollowing.<\/li>\n<\/ul>\n
The encrypted data file geanticline.e:<\/p>\n
<\/p>\nThe decrypted geanticline.e:<\/p>\n
<\/p>\nThe encrypted payload (tache.fsv):<\/p>\n
<\/p>\nThe decrypted payload:<\/p>\n
<\/p>\nDecryption code for process hollowing APIs<\/strong><\/h2>\n
Code in OpenCandy.dll decrypts both data files. The following code accesses the files:<\/p>\n
<\/p>\nThe decryption key that unlocks the data file lies in the data filename itself. The decryption logic appears in the following screen:<\/p>\n
<\/p>\nAn XOR operation decrypts the data file.<\/p>\n
Decryption code for payload<\/strong><\/h2>\n
We found the decryption key resides inside the DLL and varies among the malware families.<\/p>\n
Decryption key location:<\/p>\n
<\/p>\nDecryption code:<\/p>\n
<\/p>\nDecryption logic for process hollowing <\/strong><\/h2>\n
We employed python to write the decryption logic used by the malware. The encrypted data file path should be passed as an argument.<\/p>\n
For each malware family, the value of MAXKEYINDEX can be changed or be equal to KEYLEN.<\/p>\n
<\/p>\nDecryption logic for payload<\/strong><\/h2>\n
<\/p>\n<\/p>\n
MD5 hash: 5AF3BED65AEF6F0113F96FD3E8B67F7A<\/p>\n
I would like to thank my colleagues Sivagnanam G N and Manjunatha\u00a0Shankaranarayana for their help with this analysis.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"
At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not…<\/p>\n","protected":false},"author":853,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,76,338,180],"coauthors":[4731],"class_list":["post-52182","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybercrime","tag-endpoint-protection","tag-malware"],"acf":[],"yoast_head":"\n
Malware Hides in Installer to Avoid Detection | McAfee Blog<\/title>\n<meta name=\"description\" content=\"At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Malware Hides in Installer to Avoid Detection | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2016-08-25T23:34:01+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-03T02:34:12+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Capture-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"585\" \/>\n\t<meta property=\"og:image:height\" content=\"69\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Satish Chimakurthi\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Satish Chimakurthi\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/\"},\"author\":{\"name\":\"Satish Chimakurthi\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/87b30a675b89da5043ae45c9ebb88774\"},\"headline\":\"Malware Hides in Installer to Avoid Detection\",\"datePublished\":\"2016-08-25T23:34:01+00:00\",\"dateModified\":\"2025-06-03T02:34:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/\"},\"wordCount\":495,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png\",\"keywords\":[\"computer security\",\"cybercrime\",\"endpoint protection\",\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/\",\"name\":\"Malware Hides in Installer to Avoid Detection | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png\",\"datePublished\":\"2016-08-25T23:34:01+00:00\",\"dateModified\":\"2025-06-03T02:34:12+00:00\",\"description\":\"At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Malware Hides in Installer to Avoid Detection\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/87b30a675b89da5043ae45c9ebb88774\",\"name\":\"Satish Chimakurthi\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/e404208c4ad315b041784257781e4afb\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/028feea6f4224158e83b969434d51f10?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/028feea6f4224158e83b969434d51f10?s=96&d=mm&r=g\",\"caption\":\"Satish Chimakurthi\"},\"description\":\"Satish Chimakurthi is a Security Researcher at McAfee Labs. He enthusiastically pursues malware analysis and reverse engineering. Chimakurthi's hobbies include listening to music and playing volleyball.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/satish-chimakurthi-28353245\/\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/satish-chimakurthi\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Malware Hides in Installer to Avoid Detection | McAfee Blog","description":"At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Malware Hides in Installer to Avoid Detection | McAfee Blog","og_description":"At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2016-08-25T23:34:01+00:00","article_modified_time":"2025-06-03T02:34:12+00:00","og_image":[{"width":585,"height":69,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Capture-1.png","type":"image\/png"}],"author":"Satish Chimakurthi","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written by":"Satish Chimakurthi","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/"},"author":{"name":"Satish Chimakurthi","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/87b30a675b89da5043ae45c9ebb88774"},"headline":"Malware Hides in Installer to Avoid Detection","datePublished":"2016-08-25T23:34:01+00:00","dateModified":"2025-06-03T02:34:12+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/"},"wordCount":495,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png","keywords":["computer security","cybercrime","endpoint protection","malware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/","name":"Malware Hides in Installer to Avoid Detection | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png","datePublished":"2016-08-25T23:34:01+00:00","dateModified":"2025-06-03T02:34:12+00:00","description":"At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture-1-300x35.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/malware-hides-in-installer-to-avoid-detection\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Malware Hides in Installer to Avoid Detection"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/87b30a675b89da5043ae45c9ebb88774","name":"Satish Chimakurthi","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/e404208c4ad315b041784257781e4afb","url":"https:\/\/secure.gravatar.com\/avatar\/028feea6f4224158e83b969434d51f10?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/028feea6f4224158e83b969434d51f10?s=96&d=mm&r=g","caption":"Satish Chimakurthi"},"description":"Satish Chimakurthi is a Security Researcher at McAfee Labs. He enthusiastically pursues malware analysis and reverse engineering. Chimakurthi's hobbies include listening to music and playing volleyball.","sameAs":["https:\/\/www.linkedin.com\/in\/satish-chimakurthi-28353245\/"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/satish-chimakurthi\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/52182","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/853"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=52182"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/52182\/revisions"}],"predecessor-version":[{"id":214937,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/52182\/revisions\/214937"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=52182"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=52182"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=52182"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=52182"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}