Loncom packer: from backdoors to Cobalt Strike

The previous story described an unusual way of distributing malware under the guise of an update for an expired security certificate. After the story went out, we conducted a detailed analysis of the samples we had obtained, with some interesting findings. All of the malware we examined from the campaign was packed with the same packer, which we named Trojan-Dropper.NSIS.Loncom. The packer uses the legitimate NSIS installer framework to pack and load shellcode, and the Microsoft Crypto API to decrypt the final payload. Like the earlier find, this one was not without its surprises: one of the packed samples contained software used by APT groups.


Primary analysis


Loncom uses NSIS to run shellcode stored inside the installer as a file whose name consists only of digits. In our example, the file is named 485101134:

Overview of the NSIS archive contents


Once the shellcode has been written to disk and loaded into memory, the NSIS script calculates its entry point and passes execution to it.


What the shellcode does


Before decrypting the payload, the shellcode first decrypts itself piece by piece, using the following algorithm:


Find the position of the next 0xDEADBEEF dword (the chunk marker).
Read a dword: the size of the data to decrypt.
Read a dword: the first part of the key.
Read a dword: the second part of the key.
Find the key by trying candidate values i consecutively, starting at 0, while xor(i, second part of key) != first part of key. This loop exists only to stall execution and hinder AV emulation; it simplifies to key = i = xor(first part, second part), since xor is its own inverse.
Decrypt the next part ..
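The chunk-walking and key-recovery steps above, as an added example that is not part of the original article or of the Loncom sample. It reproduces the header layout described (marker, size, two key parts) and both forms of key recovery: the stalling loop the shellcode runs and the one-line xor it simplifies to. The page is cut off before it states how the recovered dword is applied, so the decryption step here assumes a repeating little-endian 4-byte XOR; that assumption, and the constructed sample blob, are labelled in the code.

```python
import struct

MARKER = struct.pack("<I", 0xDEADBEEF)
HEADER_LEN = 4 + 12            # marker + size + key part 1 + key part 2


def recover_key_as_shellcode(part1, part2, max_iter=1 << 32):
    """Reproduce the stalling loop: count i upward from 0 until i ^ part2 == part1.
    The loop runs exactly `key` times, which is the delay the packer relies on."""
    i = 0
    while (i ^ part2) != part1:
        i += 1
        if i >= max_iter:
            raise ValueError("no key in range")
    return i


def recover_key(part1, part2):
    """Same result without the delay: i ^ part2 == part1  <=>  i == part1 ^ part2."""
    return part1 ^ part2


def xor_dword(data, key):
    """ASSUMPTION: the recovered dword is applied as a repeating 4-byte XOR key
    (little-endian). The article does not state the cipher; this stands in for it."""
    ks = struct.pack("<I", key)
    return bytes(b ^ ks[i & 3] for i, b in enumerate(data))


def decrypt_all(blob):
    """Walk the blob from the start, decrypting every 0xDEADBEEF-delimited chunk in
    place. Returns the decrypted buffer and a list of (offset, size, key) records."""
    buf = bytearray(blob)
    records = []
    pos = 0
    while True:
        pos = buf.find(MARKER, pos)
        if pos < 0 or pos + HEADER_LEN > len(buf):
            break
        size, part1, part2 = struct.unpack_from("<III", buf, pos + 4)
        start, end = pos + HEADER_LEN, pos + HEADER_LEN + size
        if end > len(buf):
            raise ValueError(f"chunk at {pos:#x} runs past end of data")
        key = recover_key(part1, part2)
        buf[start:end] = xor_dword(buf[start:end], key)
        records.append((pos, size, key))
        pos = end   # resume after the chunk so its bytes are never re-parsed as a header
    return bytes(buf), records


def build_sample():
    """Constructed input, not a real Loncom sample: a plain stub followed by two chunks."""
    chunks = [
        (b"first stage: unpack loader", 0x00001000, 0x00001123),          # key = 0x123
        (b"second stage: decrypt final payload", 0xCFBCD1CF, 0x11111111),  # key = 0xDEADC0DE
    ]
    out = bytearray(b"\x90" * 8)   # already-plain prologue
    for plain, part1, part2 in chunks:
        key = recover_key(part1, part2)
        out += MARKER + struct.pack("<III", len(plain), part1, part2) + xor_dword(plain, key)
    return bytes(out)


if __name__ == "__main__":
    data, recs = decrypt_all(build_sample())
    for off, size, key in recs:
        print(f"chunk @ {off:#06x}: {size} bytes, key={key:#010x}")
    print(data)
```

Two practical points follow from the code. First, the stalling loop runs `key` iterations, so against a sample with a large key (the second chunk above, 0xDEADC0DE, would take billions of steps) an emulator that executes it faithfully times out; an unpacker should always use the direct xor. Second, the scan must resume after the end of each decrypted chunk rather than at the next byte, otherwise a 0xDEADBEEF that happens to occur inside chunk data would be misread as a header.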
