Static Unpacking For The Widespread NSIS-Based Malicious Packer Family

Packers or crypters are widely used to protect malicious software from detection and static analysis. These auxiliary tools, through the use of compression and encryption algorithms, enable cybercriminals to prepare unique samples of malicious software for each campaign or even per victim, which complicates the work of antivirus software.

In the case of certain packers, classifying malicious software without employing dynamic analysis becomes a challenging task. To analyze a malicious sample and extract its configuration data, such as encryption keys and command and control server addresses, we must first unpack it. We can do this by running the malicious software in a sandbox environment, such as CAPE, followed by extracting the memory dumps. However, this method has some drawbacks.

Read more…
Source: Check Point

Sign up for our Newsletter


  • North Korean hackers are targeting Apple Mac devices with updated malware

    July 19, 2024

    North Korean state-sponsored threat actors are once again setting up fake job interviews in a bid to infect unsuspecting victims with infostealing malware – but this time around, they are focusing on Apple users. Cybersecurity researcher Patrick Wardle recently discovered a new variant of BeaverTail, a known infostealer capable of grabbing sensitive information from web browsers ...

  • APT41 Has Arisen From the DUST

    July 18, 2024

    Recently, Mandiant became aware of an APT41 intrusion where the malicious actor deployed a combination of ANTSWORD and BLUEBEAM web shells for persistence. These web shells were identified on a Tomcat Apache Manager server and active since at least 2023. APT41 utilized these web shells to execute certutil.exe to download the DUSTPAN dropper to stealthily load ...

  • New Bugsleep Backdoor Deployed In Recent Muddywater Campaigns

    July 15, 2024

    MuddyWater, an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS), is known to be active since at least 2017. During the last year, MuddyWater engaged in widespread phishing campaigns targeting the Middle East, with a particular focus on Israel. Since October 2023, the actors’ activities have increased significantly. Their methods remain consistent, ...

  • UNC3944 Targets SaaS Applications

    July 13, 2024

    UNC3944 is a financially motivated threat group that carries significant overlap with public reporting of “0ktapus,” “Octo Tempest,” “Scatter Swine,” and “Scattered Spider” and has been observed adapting its tactics to include data theft from software-as-a-service (SaaS) applications to attacker-owned cloud storage objects (using cloud synchronization tools), persistence mechanisms against virtualization platforms, and lateral movement ...

  • Reeling in DarkGate Malware Attacks from the Beach

    July 10, 2024

    Last year, the number of malware attacks worldwide reached 6.08 billion. That’s a 10% increase compared with 2022. Why are cybercriminals developing so much malware? Because it is a vital tool to help them infiltrate businesses, networks or specific computers to steal or destroy sensitive data. or destroy sensitive data. There are many types of malware ...

  • Exploring Compiled V8 Javascript Usage In Malware

    July 8, 2024

    In recent months, CPR has been investigating the usage of compiled V8 JavaScript by malware authors. Compiled V8 JavaScript is a lesser-known feature in V8, Google’s JavaScript engine, that enables the compilation of JavaScript into low-level bytecode. This technique assists attackers in evading static detections and hiding their original source code, rendering it almost impossible to ...