Malware Is Changing Daily! Are You Still Protected?

A look at recent malware techniques

One of the biggest challenges in detecting and protecting against malware is that attackers continually change their techniques and behaviours. We have observed some interesting activities recently that are worth discussing in more detail.

Office macro security bypass

Traditionally, when malware is embedded in a Microsoft Office document, it requires the user to enable macros. In essence, if a user inadvertently opens a malicious document, the warning message asking them to enable macros can be a red flag prompting them to close the document immediately. However, recently analysed malware embedded within Microsoft Office documents has adapted its technique.

Once the document is open, the user is presented with a blank page asking them to click on the button to download the content of the page. Once the user clicks on the button, they are then presented with another message box asking them to open the document which will then run the macro.

Figure 1 - Malware bypassing macro activation

Looking more closely at the “Display the content of the document” button reveals that the author has embedded an object that can be accessed without macros being enabled. In this case, the object was a Visual Basic script (VBS).

Analysis of this script revealed some interesting tricks used to bypass Windows' default PowerShell security settings: the script launches PowerShell with an execution-policy bypass. This is explained in the next section.

Figure 2 - Office document with a vbs script as embedded object - the user does not need to enable macro

PowerShell ExecutionPolicy bypass – no profile

There is no doubt that awareness of PowerShell is very limited within the end-user community. Unless you work in computer administration, scripting, or hacking/penetration testing, you are most likely unaware of it. PowerShell is, however, installed by default in all recent versions of Microsoft Windows.

Windows PowerShell extends the command line in new and exciting ways. It opens access to some of the operating system functions in ways that were previously possible only with extensive programming. For example, you can not only get the name of a particular user, but also retrieve the entire related user object. You can then manipulate the properties of this user object by referring to the properties you want to work with by name.

Windows PowerShell also has a non-interactive processing mode, which is used when executing a series of commands. In non-interactive mode, PowerShell reads and executes commands one by one but does not present a prompt to the user. This is the aspect the malware makes use of in this case: using the non-interactive mode, the commands are executed without the user's knowledge. In this scenario, the malware is also bypassing the execution policy.

The execution policy is part of the security strategy of Windows PowerShell. It determines whether you can load configuration files (including your Windows PowerShell profile) and run scripts, and which scripts, if any, must be digitally signed before they will run. However, when PowerShell is started with the execution policy set to Bypass (the -ExecutionPolicy Bypass switch), nothing is blocked and there are no warnings or prompts. Sadly, this feature was never intended to block malware; it is a safeguard against running scripts by accident, not a security boundary.

An effective way to reduce the risk of being compromised by malware such as this is to whitelist the applications that are allowed to run on a system. It is true, however, that the malicious user could have achieved their objective by other methods. The targeted system is therefore better protected if the user does not download files from untrusted sources or open unknown or unexpected documents whose sender cannot be verified.

The figure below shows the VB script extracted from the Office document. As indicated in the image, line 2 contains the instruction that executes the malicious command. Line 2 was disabled and line 3 was added to display the malicious command instead.

Figure 3 - malware exploiting Microsoft Powershell

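
As an added example, not code from the original post, the following Python triage routine scores process-creation records for the indicators discussed in this section: PowerShell launched by an Office application or by the Windows Script Host (which is what runs an embedded VBS object), with -ExecutionPolicy Bypass, -NoProfile, -NonInteractive or a hidden window on the command line. The record format, field names, PIDs, paths and sample events are all constructed for the example. The abbreviated switch spellings (-ep, -nop, -noni, -w, -enc) are ones PowerShell genuinely accepts, which is why a detection that only looks for the full parameter names misses them.

```python
"""Score process-creation records for the PowerShell launch pattern described above.

Added example, not from the original post. Record format and field names are a
constructed 'key=value|key=value' layout, not any product's real schema.
"""
import re
from typing import Dict, List

# Command-line switches discussed in the post plus related ones, with the
# abbreviated spellings PowerShell accepts (-ep, -nop, -noni, -w, -enc).
# Each indicator carries a weight.
INDICATORS = [
    ("execution_policy_bypass", re.compile(r"-(?:ex\w*|ep)\s+bypass\b", re.I), 1),
    ("no_profile",              re.compile(r"-nop\w*\b", re.I), 1),
    ("non_interactive",         re.compile(r"-noni\w*\b", re.I), 1),
    ("hidden_window",           re.compile(r"-w\w*\s+hidden\b", re.I), 1),
    ("encoded_command",         re.compile(r"-e(?:nc\w*|c)?\s+[A-Za-z0-9+/=]{20,}", re.I), 1),
    ("download_cradle",         re.compile(r"downloadstring|downloadfile|invoke-expression|\biex\b", re.I), 2),
]

# Parents that should not normally launch PowerShell: Office applications and
# the Windows Script Host that executes an embedded .vbs object.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}
PARENT_WEIGHT = 2
ALERT_THRESHOLD = 3   # one odd switch alone is normal admin behaviour


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value|key=value' process-creation record."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def score_event(event: Dict[str, str]) -> Dict[str, object]:
    """Return the indicators that fired for a PowerShell launch and a total score."""
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    findings: List[str] = []
    score = 0
    if image not in ("powershell.exe", "pwsh.exe"):
        return {"pid": event.get("pid"), "score": 0, "findings": findings, "alert": False}
    parent = event.get("parentimage", "").rsplit("\\", 1)[-1].lower()
    if parent in SUSPICIOUS_PARENTS:
        findings.append(f"parent:{parent}")
        score += PARENT_WEIGHT
    cmdline = event.get("commandline", "")
    for name, pattern, weight in INDICATORS:
        if pattern.search(cmdline):
            findings.append(name)
            score += weight
    return {"pid": event.get("pid"), "score": score, "findings": findings,
            "alert": score >= ALERT_THRESHOLD}


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Score every non-empty record; returns one result dict per record, in order."""
    return [score_event(parse_event(line)) for line in lines if line.strip()]


# Constructed sample records (not real telemetry); PIDs and paths are made up.
SAMPLE_LOG = [
    r"pid=4120|parentimage=C:\Windows\System32\wscript.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|commandline=powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -WindowStyle Hidden -Command IEX (New-Object Net.WebClient).DownloadString($u)",
    r"pid=4188|parentimage=C:\Windows\explorer.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|commandline=powershell.exe -NoProfile -Command Get-ChildItem C:\Logs",
    r"pid=4201|parentimage=C:\Program Files\Microsoft Office\Office15\WINWORD.EXE|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|commandline=powershell.exe -ep bypass -w hidden -enc QQBCAEMARABFAEYARwBIAEkASgBLAEwA",
    r"pid=4210|parentimage=C:\Windows\explorer.exe|image=C:\Windows\System32\notepad.exe|commandline=notepad.exe readme.txt",
]

if __name__ == "__main__":
    for result in triage(SAMPLE_LOG):
        print(result["pid"], result["score"], "ALERT" if result["alert"] else "ok", result["findings"])
```

The weighting is deliberately simple: a single -NoProfile from Explorer scores 1 and stays below the threshold, while a script-host parent or a download cradle on its own already carries 2, so the combination the post describes (Office or WSH parent plus Bypass, NoProfile and NonInteractive) scores well above it.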
Malware using a known port to hide its traffic: really?

Protecting against malware that uses port 80 is generally difficult. However, it is possible to control which applications use a given port number. For instance, we have observed an instance of the Dradix malware communicating over port 8443.

Even though port 8443 is a registered alternative to port 443, it is easy to narrow down which applications use that port. The ‘netstat’ command, when run as a privileged user, reveals whether the port is open and which applications (by process ID) are currently connected to it.

Figure 4 - Quick command to determine which port is open and list connected applications

The example below shows the Dradix malware configured to use port 8443.

Figure 5 - Extract from Dradix malware sample showing port 8443

Whitelisting the applications that are allowed to use certain ports could help in identifying malicious traffic.
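
To turn the netstat check into something repeatable, here is an added Python example (not from the original post) that parses netstat -ano style output, picks out every socket that involves a given port at either end, and reports any whose owning process is not on an allow-list for that port. The netstat text, the PID-to-process map and the allow-list are constructed for the example; on a live Windows host the map would come from tasklist or Get-Process, and the allow-list from your own knowledge of what legitimately uses 8443 on that machine.

```python
"""Find processes using a port that are not on the allow-list for it.

Added example, not from the original post. Sample data below is constructed.
"""
from typing import Dict, List, Optional, Set

NetstatRow = Dict[str, object]


def _port(addr: str) -> Optional[int]:
    """Port of 'host:port' or '[v6addr]:port'; None for wildcards such as '*:*'."""
    _, sep, port = addr.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def parse_netstat(text: str) -> List[NetstatRow]:
    """Parse 'netstat -ano' style output. UDP rows carry no State column."""
    rows: List[NetstatRow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        rows.append({
            "proto": parts[0],
            "local": parts[1],
            "remote": parts[2],
            "state": parts[3] if len(parts) == 5 else "",
            "pid": int(parts[-1]),
        })
    return rows


def connections_on_port(rows: List[NetstatRow], port: int) -> List[NetstatRow]:
    """Sockets listening on, or connected to, `port` at either end."""
    return [r for r in rows if port in (_port(str(r["local"])), _port(str(r["remote"])))]


def unexpected_users_of_port(text: str, port: int, process_by_pid: Dict[int, str],
                             allowed: Set[str]) -> List[NetstatRow]:
    """Sockets on `port` owned by a process not on the allow-list; unknown PIDs are flagged too."""
    flagged: List[NetstatRow] = []
    for r in connections_on_port(parse_netstat(text), port):
        name = process_by_pid.get(int(str(r["pid"])), "<unknown>").lower()
        if name not in allowed:
            flagged.append(dict(r, process=name))
    return flagged


# Constructed 'netstat -ano' output and process table (not real captures).
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       1320
  TCP    192.168.1.10:49731     203.0.113.5:8443       ESTABLISHED     2880
  TCP    192.168.1.10:49732     203.0.113.7:443        ESTABLISHED     1504
  TCP    192.168.1.10:49740     203.0.113.9:8443       ESTABLISHED     1504
  TCP    192.168.1.10:49755     203.0.113.5:8443       SYN_SENT        3300
  UDP    0.0.0.0:5353           *:*                                    988
"""
PROCESS_BY_PID = {1320: "java.exe", 2880: "update.exe", 1504: "chrome.exe", 988: "svchost.exe"}
# What this particular host is expected to have on 8443: a local Java listener and browsers.
ALLOWED_ON_8443 = {"java.exe", "chrome.exe", "firefox.exe"}

if __name__ == "__main__":
    for r in unexpected_users_of_port(NETSTAT_OUTPUT, 8443, PROCESS_BY_PID, ALLOWED_ON_8443):
        print(f"pid {r['pid']} ({r['process']}) {r['local']} -> {r['remote']} {r['state']}")
```

Two design points: a PID that is not in the process table is reported rather than ignored, since a process that has already exited (or that the table failed to capture) is exactly the kind of gap an attacker's short-lived beacon hides in; and the check is per port, because a browser on 8443 is normal while an unsigned binary in a user profile on 8443 is not.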

Fake voicemail: double extension

On a different note, another strain of malware has recently been observed using an old trick: it disguises itself as a voicemail. The trick used here is the double extension. The malware appears to be a .wav file but is in fact a .wav.exe.

Receiving a voicemail is commonplace, and out of curiosity it is very easy to think “what’s the worst that can happen if I listen to this message?”.

Figure 6 - Malware sample using double extension - fake voicemail

As seen in the above image, the file looks like a voicemail (an audio file) but it is not; as the red box shows, the supposed voicemail is in fact an application. The golden rule remains valid: do not trust unknown attachments or links. If you do not expect an attachment, contact the sender when appropriate. If it is obviously malware, the best option is to delete the fake voicemail. If in any doubt, it is better to delete the file. As the saying goes, if it is important, they will call back.

The same technique could be used to target WhatsApp, Viber, Skype and any other messenger that allows voice communication. For instance, people can be targeted with an email suggesting that they have received a voicemail from a friend on WhatsApp, Viber or Skype, to name a few. Fake voicemail is a particularly effective lure during big events such as elections (just around the corner in the UK at the time of writing!): users can be tricked into listening to a voicemail or a recording of secret conversations between politicians.

It is not, however, uncommon for telephone services, especially voice-over-IP services, to offer voicemail by email. Before trying to listen to a message that may not in fact exist, it is very important to verify the origin of the voicemail.
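
The double-extension trick is simple enough to check for automatically at a mail gateway or in an attachment scanner. The following Python function is an added example, not part of the original post: it looks at the last extension (the one Windows actually acts on) and at the decoy extension in front of it, and reports what the file name looks like when Explorer's “Hide extensions for known file types” option is on, which is what makes voicemail.wav.exe display as voicemail.wav. The extension lists and the sample file names are constructed for the example.

```python
"""Classify attachment names for the double-extension disguise described above.

Added example, not from the original post; extension lists and sample names are constructed.
"""
import os
from typing import Dict, List

# Extensions Windows will execute directly or hand to a script host (not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".msi", ".lnk"}
# Extensions a recipient would expect on a harmless voicemail, image or document.
DECOY_EXTS = {".wav", ".mp3", ".m4a", ".wma", ".pdf", ".doc", ".docx", ".xls", ".xlsx",
              ".jpg", ".jpeg", ".png", ".txt"}


def classify_attachment(filename: str) -> Dict[str, object]:
    """Classify one attachment name; the LAST extension is the one Windows acts on."""
    name = filename.strip()
    root, real_ext = os.path.splitext(name)   # "voicemail.wav.exe" -> ("voicemail.wav", ".exe")
    _, decoy_ext = os.path.splitext(root)     # "voicemail.wav"     -> (..., ".wav")
    real_ext, decoy_ext = real_ext.lower(), decoy_ext.lower()
    executable = real_ext in EXECUTABLE_EXTS
    double_extension = executable and decoy_ext in DECOY_EXTS
    if double_extension:
        action = "block"        # executable disguised as media/document: the fake-voicemail case
    elif executable:
        action = "quarantine"   # executable, but not pretending to be something else
    else:
        action = "allow"
    return {
        "filename": filename,
        # What Explorer shows with "Hide extensions for known file types" on:
        # the final (known) extension disappears and only the decoy remains.
        "displayed_name": root if real_ext else name,
        "real_extension": real_ext,
        "decoy_extension": decoy_ext,
        "executable": executable,
        "double_extension": double_extension,
        "action": action,
    }


def scan_attachments(filenames: List[str]) -> Dict[str, List[str]]:
    """Group attachment names by the action a gateway should take, preserving order."""
    grouped: Dict[str, List[str]] = {"block": [], "quarantine": [], "allow": []}
    for fn in filenames:
        grouped[str(classify_attachment(fn)["action"])].append(fn)
    return grouped


# Constructed sample names (not taken from any real campaign).
SAMPLE_ATTACHMENTS = ["VoiceMsg_0412.wav.exe", "VoiceMsg_0412.wav", "invoice.pdf.js",
                      "setup.exe", "minutes.docx", "voicemail.WAV.EXE"]

if __name__ == "__main__":
    for fn in SAMPLE_ATTACHMENTS:
        v = classify_attachment(fn)
        print(f"{fn:24} shown as {v['displayed_name']:20} -> {v['action']}")
```

Matching is case-insensitive because Windows is, and the decoy check deliberately covers script extensions as well as .exe, since a .pdf.js attachment is the same trick with a different script host behind it.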


Malware is continually evolving. Effective 24/7 monitoring is key to protecting against it. This can be achieved with our Threat2Alert service. Nettitude can also provide expert research and deep-dive investigations into malicious activity within your organisation.

It is also important to have an incident response procedure in place. Effective security needs to be reviewed and updated based on the threat information available. Knowledge of current threats, malware behaviours and techniques will help determine the best security strategy to implement.



To contact Nettitude’s editor, please email


Loading A Weaponised Interactive PowerShell Session With Metasploit

PowerShell is rapidly becoming the go-to post-exploitation method for hackers, with a plethora of awesome PowerShell tools such as PowerSploit, PowerUp, PowerView and Nishang, to name a few. The standard PowerShell environment can be quickly extended into a hacker’s delight.

These ‘tools’ are written entirely in PowerShell and (largely) do not touch disk; therefore they are anti-virus (AV) friendly and do not involve risky process injection. However, it has not all been plain sailing: achieving a remote interactive PowerShell session (without the use of PSRemoting or WinRM) has often been an inconvenience. As security professionals, here at Nettitude we are keen to solve this issue. At present, Metasploit offers some post modules that execute PowerShell scripts or standalone tools, but there is nothing like having an interactive shell.

Enter the new Interactive PowerShell payloads for Metasploit written by Nettitude consultants, Ben Turner (@benpturner) and Dave Hardy (@davehardy20).

These payloads offer the ability to have an interactive PowerShell session on an already compromised host, via the windows/local/payload_inject module (see Figure 1).

Figure 1 - Reverse session using new Interactive Powershell payload

Alternatively, you can use the new payloads as a replacement for the normal Metasploit payloads, such as windows/meterpreter/reverse_tcp when using PSEXEC for example (See Figure 2).

Figure 2 - Executing powershell_bind_tcp through PSEXEC.

The payloads provide not just an interactive PowerShell session, but can be remotely ‘weaponised’ with the modules of your choosing (e.g. PowerSploit, PowerTools). Just set the LOAD_MODULES option within the payload to a comma-separated string of web server or local network locations where the modules are hosted; handy if you don’t have Internet access.

For example, if you are lucky enough to have Internet access from your target, you can use the GitHub repositories directly like so:

Set LOAD_MODULES,–Shellcode.ps1,………..

Figure 3 - Fully weaponised PowerShell session

As you can see in Figure 3, we now have an interactive PowerShell session in Metasploit and the console reports that it has loaded ten modules.

In total, there are actually four new Interactive PowerShell payloads, two that work for the processes above and two more that will work with msfvenom, or the generate option within msfconsole, which create standalone bind and reverse payloads that can be uploaded and executed separately (see Figure 4).

Figure 4 - Generating a powerShell_reverse_tcp payload

But we know the burning question is… ‘does mimikatz work this way?’ Well, yes it does. As with all things mimikatz, you need to get hold of SYSTEM privileges somehow (but it’s Windows, so no dramas there). Then run the excellent PowerSploit ‘Invoke-Mimikatz’ cmdlet in your newly weaponised PowerShell session and BOOM! (Kudos to @JosephBialek, @gentilkiwi and @mattifestation for making this module a reality!)

Figure 5 - Mimikatz over PowerShell interactive Metasploit session

The rest really is up to you!

“So where do I get this awesomeness?”
The PowerShell payloads are in the main Metasploit tree, so all you need to do is get the latest and greatest Metasploit Framework git version including commit –

Or if you are looking for the standalone scripts they are available here –

Happy hunting.


Looking for something a bit more local or don’t have Metasploit? Read on!

As an extra to the Metasploit payloads, and to give some background to the work behind the module, we are publishing the initial scripts that were developed to ‘weaponise’ a standard Windows PowerShell session. These PowerShell scripts were first used as a proof of concept and as early Metasploit modules.

These are essentially just loops that read the remote GitHub repository of PowerSploit, PowerView and PowerUp and use the PowerShell ‘download cradle’ method or ‘local’ web server version to retrieve the PowerShell modules (useful when there is no Internet access).

The scripts are as follows:

  • In-memory-downloader.ps1 – downloads and installs the modules into memory, no AV stress
  • Local-in-memory-downloader.ps1 – the local network version of the above, although this requires a local web server
  • Powersploit-downloader.ps1 – this script and the corresponding Powertools-downloader.ps1 download the modules to disk and install them. These are for systems with no anti-virus (or one that does not detect the modules). Another reason for this method is that some of these tools will not run fully in memory alone.

The scripts themselves are easy to use: just copy and paste the download cradle command into an active PowerShell session (see Figure 6) on which the ‘in-memory-downloader.ps1’ script has been run.

Figure 6 - Executing in-memory-downloader.ps1

Future Development

We will look to include SSL support for the payloads and hopefully create additional POST modules that work with the new Metasploit PowerShell session. Currently, we have not developed any at this time, as the integration of these modules was reliant on the new session type being integrated into Metasploit. As this has now been completed and approved in the core Metasploit framework we can start development for these modules.


QNAP NAS – Remote Unauthenticated User to Admin Shell: Part 2


A number of security vulnerabilities have been identified in two applications hosted on the QNAP App Center. When combined it is possible for a remote unauthenticated user to gain interactive remote administrative access and take full control of the device.


In the previous blog post, it was shown that the Logitech Media Server (7.7.2) App suffers from Shellshock. The situation is further aggravated by the developer’s decision not to implement the chroot configuration option. However, the account that the application runs under, and thus under which the Bash commands are executed, does not have root/administrative permissions.

The ultimate objective of exploit development is to gain a root/administrative remote shell, thus leaving no room for debate on the seriousness of the issue. The system has been completely exploited and is under the full control of the attacker. End of story, no debate. With this in mind, I began to examine the system to identify a means to execute a reverse-shell and gain privileged credentials.

Vulnerability 1 – Weak Folder Permissions iStat 0.5.7

The iStat application is used to monitor system resource utilisation. The user is free to decide what is monitored and to what level. The data is displayed via a web interface that is hosted on the device’s main web server. It is accessed via http://<ip_address>/istat/login.php.

A traditional or bind shell instructs a machine to open a command shell, present it on a port and wait for inbound connections, thus granting a user, or for that matter an attacker, interactive access. However, with the widespread adoption of firewalls, their effectiveness has become somewhat limited, as inbound connections are tightly controlled. In contrast, a reverse shell, rather than waiting for an incoming connection, actively connects back to a machine. As firewalls are typically much more permissive of outbound connections, reverse shells have become dominant.

A bind or reverse shell can be written in pretty much any language. If it is coded in a language that the web server can execute (e.g. ASP, ASP.NET, PHP) and an attacker can write to a suitable location, the shell will be spawned and access granted. By recursively searching the file system we can see that iStat has weak folder permissions: everyone, including the ssods/Logitech Media Server account, has read/write/execute access (see Figure 1).

Figure 1 – Everyone RWX directory served by Apache


This folder is served by the application’s web server and will thus execute a suitably coded reverse-shell.
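
An audit for the weak-permissions condition described above, written as an added Python example (not the post's own tooling): it walks a directory tree, reports every directory that any local account can write to, and notes whether the sticky bit is set (as on /tmp, where anyone can create files but cannot remove other users' files). The demo tree, its directory names and modes are constructed to mirror the layout the post describes; they are not the device's real paths. On the device itself you would point it at the web server's document root and pay particular attention to writable directories that the web server will also execute scripts from.

```python
"""Report world-writable directories under a root (POSIX mode bits, as on the QNAP's Linux).

Added example, not from the original post. The demo tree is constructed and throwaway.
"""
import os
import shutil
import stat
import tempfile
from typing import List, Tuple

Finding = Tuple[str, str, bool]   # (path relative to root, octal mode, sticky bit set)


def world_writable_dirs(root: str) -> List[Finding]:
    """Directories under `root` (inclusive) that carry the 'other write' bit."""
    findings: List[Finding] = []
    for dirpath, _dirs, _files in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
            rel = os.path.relpath(dirpath, root)
            findings.append((rel, oct(stat.S_IMODE(mode)), bool(mode & stat.S_ISVTX)))
    return sorted(findings)


def build_demo_tree() -> str:
    """Construct a throwaway tree echoing the layout the post describes.

    Names and modes are made up for the example; they are not the device's real paths.
    """
    base = tempfile.mkdtemp(prefix="webroot_")
    for rel, mode in (("istat", 0o777), ("istat/cache", 0o777),
                      ("htdocs", 0o755), ("tmp", 0o1777)):
        path = os.path.join(base, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)   # chmod sets the bits explicitly, so umask does not interfere
    return base


def audit_demo() -> List[Finding]:
    """Build the demo tree, audit it, and clean it up; returns the findings."""
    root = build_demo_tree()
    try:
        return world_writable_dirs(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, mode, sticky in audit_demo():
        note = "sticky: others cannot replace existing files" if sticky else "anyone can add or replace files"
        print(f"{rel:16} {mode:8} {note}")
```

The sticky flag is reported rather than used to suppress a finding: a sticky world-writable directory still lets any account drop a new file there, which is all a web-served directory needs to become a problem.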

Vulnerability 2 – Web Server Runs With Administrative Permissions

iStat is hosted on an Apache instance. It runs under an account called httpdusr, which is a member of the Administrators group. Thus when a reverse-shell is executed, it grants the attacker administrative access to the device (see Figure 2).


iStat 0.5.7, hosted on the QNAP App Center, suffers from several security issues. On their own they do not grant remote unauthenticated access; however, once an attacker gains limited access they can be leveraged to obtain administrative privileges. The sixteen thousand customers who have downloaded it should uninstall it immediately.

In conclusion, this two-part blog illustrates a pattern we see in many contemporary attacks: multiple vulnerabilities, mistakes and weaknesses chained together to achieve full exploitation (see Figure 3). If any one of them is missing, the attacker fails to get administrative access. If the chain can be formed, it’s game over and the attacker wins.

Figure 3 - kill chain

The release of this information has followed the responsible disclosure model. All research has been forwarded to QNAP and the date of disclosure mutually agreed. CERT has been informed and is tracking this issue.


  • Logitech Media Center Shellshock vulnerability discovery on 08/02/2015
  • QNAP informed via website on 11/02/2015
  • SSOTS/SSODS author contacted 12/02/2015. No response to date
  • Reported to on 12/02/2015
  • Confirmed against latest firmware and ARM plus x86 devices on 16/02/2015
  • Local privilege elevation discovery on 22/02/2015
  • QNAP contacted via on 05/03/2015
  • Proof of concept completed on 06/03/2015
  • Contacted by QNAP Security. Research forwarded and disclosure date agreed on 07/03/2015
  • Vulnerability disclosed on 06/04/2015


Verizon Data Breach Report 2015

A high-level summary of the main findings from the cyber security industry’s favourite data-driven report. As usual, the report is an easy read, packed with analysis and information that is appetising and relevant.

The key concerns centre on the age old favourite threat scenarios of patch management and phishing attacks.

An attempt to elevate mobile applications to significance within the report left the pages with two truths – Android is much worse than any other platform (now that’s hard to have guessed!), and the reality that the majority of all malicious apps have a very short life span (4 out of 5 not lasting beyond a week!).

The Internet of Things (IoT) makes only a small read too (housed in one of the appendices), because once the proof of concepts and media hype are removed, little real-world breach data is available. The growth in these devices is increasing though, so keep watching this space as their use and prevalence within our digital world spiral upwards.

We include at the end of this article a summary of the main statistics if you’re after the headlines.

But back to patching and phishing – What’s the news?

Sticking Plasters or Stinking Patches?

The much anticipated annual Verizon Data Breach Report has been released with compelling warnings about the perils of leaving your systems unpatched. The same day also sees the most common vendors release a barrage of fixes for their applications and platforms.

If you run software from Microsoft, Adobe or Oracle then you have critical patches to apply! In total that’s 22 for Adobe Flash Player, 11 update bundles from Microsoft addressing over 24 bugs, and a slew of Java updates (15), all of which are exploitable remotely (see Brian Krebs for full details! –

Staggeringly, Verizon tells us that 10 separate CVEs account for almost 97% of the exploits observed in 2014. Before you relax and think all your patching problems are wound up in 10 simple patches, the remaining 3% delivers over 7 million observed exploits against different vulnerabilities; oh yes, patching is STILL a major issue for many organisations!

99.9% of the exploited vulnerabilities were compromised over a year after they were published. A significant number of vulnerabilities being exploited are spread out over the last ten years, showing that for many attackers, older vulnerabilities are still relevant today!

Plenty of Phish are still in the sea

The finest hour for phishing is that first hour, in which 50% of all phishing emails are triggered. The median time-to-first-click, based on a sample of 150,000 monitored phishing tests, was 1 minute and 22 seconds. The realisation that our email and internet systems still give us one serious attack surface is highlighted with vivid effect.

The stark reality of this report shows that phishing emails are a major factor for most organisations. Our email systems are by design set up to allow a broad range of inbound communications into our business. As much as we try to control this, the ability of malicious users to construct targeted, custom, believable messages based on our public profiles and digital footprints is not going to change.

As generic spam does get filtered, trojan horse deliveries will continue to be hidden in legitimate traffic. Education still has a long way to go, but a more fundamental acceptance that any internet-connected or email-based network inherently carries a higher risk needs to be much better understood. We have to wake up to the fact that even the best and most informed users will have moments of weakness and, if presented with a credible, believable email from a known source, may take the very actions we are trying to prevent.

Waking up to the risk

The approach needs to change so that we treat email and internet usage as an area of higher risk and protect the real assets of value within our businesses from these systems. Rather than see our internet connection itself as the place for defences, it needs to be constructed around our assets of high value within an internal secure enclave.
The Japanese did this with their nightingale floor (uguisu-bari), designed to shift and make sounds when people walked over it. Nails and clamps in the floor ensured the boards squeaked, giving out a sound like the nightingale bird (hence the name).
Structure of Uguisu-bari

This gave the occupants of the building time to respond to approaching attackers even after they were inside their castle moats.
The speed at which organisations need to respond will only get shorter as the attackers know how our ability to respond is getting better. This is always an arms race and we need to be adapting and thinking of the bigger picture.

  • What is it that we are protecting and from whom?
  • What risks need to be better controlled?
  • How can we protect those assets from these risks?

Expecting phishing attacks to work means that we will then hunt for the actions within our networks that show an attacker is inside and sniffing around.

If we can’t stop them getting in, let’s make sure we can detect and respond effectively when they do – and ensure anything of value is not there waiting for them.

Summary of Stats

If you’re simply after a summary of insightful stats to impress the folks in the office, your parents or your mates down the pub, then here is the roundup of the best:

  • Threat Intelligence should focus on the well not the firehose – in other words quality is far better than quantity
  • For two years, more than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing
  • Nearly 50% of users open e-mails and click on phishing links within the first hour
  • 23% of recipients now opening phishing messages and 11% clicking on attachments
  • About half of the CVEs exploited in 2014 went from publish to pwn in less than a month
  • A CVE being added to metasploit or given a cool name was as good an indicator as any that a vulnerability would be having a big impact
  • An average of 0.03% of smartphones per week—out of tens of millions of mobile devices on the Verizon network — were infected with “higher-grade” malicious code
  • 4 out of 5 mobile malicious apps didn’t last beyond a week with 96% of malicious mobile malware aimed at Android
  • Malware is the big news of the day – 70-90% of malware samples are unique to an organisation
  • However, 70% of all malware is derived from around 20 key families
