It allows to call 64-bit code from a 32-bit process. The ransomware is also using a technique called “Heaven’s Gate” for two main reasons. The fact that everything happens in the memory, makes it even harder to detect. Thus, hiding its content from security vendors. This enables the attackers to allocate executable memory, and execute a code stub which in turn, decrypts the actual payload of the ransomware. One of the techniques used with NSIS, is the usage of the “System” plugin, which allows the NSIS installer to call Win32API. Two of the most known ransomware were currently observed using this technique: Locky and Cerber, both in their new versions. Lately, we’ve noticed a highly complicated one, which uses many layers of evasion techniques, starting from wrapping internal parts with an NSIS installer, XOR encryption, code injection and even usage of Heaven’s Gate technique. Over the past few years, we have seen various ways for executing malicious code.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |