New Threat Advisory Report: Nettitude finds malicious content embedded in image files

Nettitude’s security researchers are always on the lookout for attack trends and changes in the cyber threat landscape. Our team has recently found malicious content embedded in Graphics Interchange Format (GIF) image files, which when uploaded to a vulnerable server, can result in the complete or partial compromise of the host. The vulnerabilities targeted by this exploit can be found either entirely within a poorly coded web application or in a poorly configured hosting environment.

In a typical instance, a malicious file could be uploaded to a site by an attacker who has selected the image as their profile picture. Alternatively, users may have uploaded attachments to other content, such as photographic evidence on insurance forms, for instance.

Nettitude’s new Threat Advisory Report details how a host could be successfully compromised, with advice for organisations on how to mitigate the threat from this form of attack.

The full report is available to download here: Request the Threat Advisory Report 

Contact Nettitude’s editor for further information by emailing

Nettitude’s new Cyber Threat Intelligence report reveals increase in targeted phishing emails

With the recent TalkTalk hack just the latest in a long line of high-profile data breaches that have taken place in recent years, our security researchers monitor changes in the global cyber threat landscape on an ongoing basis. Today, we have released a report into the activity that our research team has observed from our Cyber Threat Intelligence (CTI) systems during September 2015.

This new report details our examination of a global network – in which 82 percent of brute force attacks we observed originated in Hong Kong – and a number of attack trends. For instance, phishing attacks show no sign of abating, with our research revealing a notable increase in highly advanced and targeted phishing emails, particularly aimed at financial organisations.

We found the US to be the most heavily plagued by phishing attacks, while the UK was the sixth most targeted nation during this period.

Our researchers also noted that attackers typically look to exploit organisations’ Content Management System (CMS) administrator pages that are exposed to the internet, in order to launch attacks via their victims’ domains.

The full report is available to download here: Request the CTI Report 

Contact Nettitude’s editor for further information by emailing

Technical Analysis of ELF/Spylock.A Malware for GNU/Linux


Nettitude recently obtained a sample of some malware intended to run on GNU/Linux-based servers, with the purpose of turning its host into a cut-out for anonymous forwarding of messages between other machines. We have seen no evidence of it causing direct harm to the machine on which it runs (beyond the unauthorised use of some network bandwidth). However the harm to others could be considerable, and there are practical, ethical and reputational reasons why server administrators should seek to avoid their machines being abused in this way.

The file that we examined has a filename of ‘dl20spy_0aP’, a length of 15321 bytes, and an md5sum of 491196F3B83DDF07FA5DFBD8DAAF3871. It appears to be unknown to most current anti-virus products, but is identified by CYREN and F-PROT as ‘ELF/SpyLock.A’.

The code was compiled using GCC for the x86-64 processor architecture, and is dynamically-linked against five shared libraries (libc, libsrdc++, libm, libpthread and libgcc_s). Compatible versions of these libraries must be present on the host system for the malware to run, however these are very common libraries which change rarely. We would expect the code to run on almost all extant x86-64 GNU/Linux-based systems.

The program does not appear to contain any mechanism for propagating or persisting itself, nor has it any benign functionality for disguising its true purpose. It is not therefore a virus, worm or trojan, and would be of little use to an attacker without some separate means for injecting it into the target system – for example, by exploiting a vulnerability in a website.

When, by whatever means, the program is executed, it opens two TCP ports for listening: 6661 and 6662. These are within the range that is reserved for ‘registered ports’ (1024 to 49151). Officially they are unassigned, but unofficially they are often used by Internet Relay Chat (IRC) servers. The program does not need to run as root to make use of these ports – any user will suffice. This is convenient if running it in the context of a web server because no privilege escalation is needed.

As it happens, IRC was historically a favourite protocol for controlling botnets, because traffic routed via third-party IRC servers is difficult to trace. Security-conscious network administrators consequently tend to be quite suspicious of unexplained traffic on IRC-related ports. This particular piece of malware does not however appear to make any use the IRC protocol or infrastructure, so there is no obvious reason why it would need to use these particular port numbers. That makes them a slightly odd choice for someone trying to keep a low profile.

The explanation appears to be that the author has no interest in keeping a low profile. Connect to port 6662 and the program helpfully logs to stdout that it has ‘Got connection from victim’. Not subtle, and in fact there are seven instances of the word ‘victim’ in plain view within the executable. There is no attempt at obfuscation, or preventing the use of virtual machines or debuggers.

After such refreshing openness it was disappointing to learn that the party connected to port 6661 is referred to merely as the ‘client’, but this is presumably the port that would be used by the attacker. This is not to say that the attacker would necessarily connect directly – there may be additional layers of indirection – or that we should always believe log messages printed by malicious software.

It is interesting that both ports listen for connections rather than dialling out:

Nettitude - ELF SpyLock

On the victim side this has the benefit of allowing for NAT, and supporting multiple victims without knowing their IP addresses in advance. On the client side it avoids leaving any evidence in the executable that would allow the attacker to be traced, and allows the attacker to move to a different IP address if need be. That would be useful if making connections from another hijacked host which the attacker might lose control of.

The message format is straightforward: a 32-bit little-endian length field, which specifies the number of bytes in the payload, followed by that payload. For example, if the payload was a 7-byte ASCII string containing the word ‘example’ then the resulting message would be:

Nettitude - Elf SpyLock

Messages are forwarded verbatim from client to victim and from victim to client, but not immediately. Instead they are queued, with one message sent to each destination in exchange for each message received from that destination. If there is nothing to be sent then this is represented by a message with an empty payload. We were able to verify these findings by writing a test program which sends messages back and forth using the malware as a cut-out.

The circumstances under which we obtained this malware did not allow us to observe any control traffic. Furthermore, since the malware does not appear to process the message payloads in any way, there is nothing in the executable that can be analysed to learn more about the nature of the traffic. However, the combination of the two open ports and the message format described above should be sufficient to act as a reasonably specific indicator of compromise.

Potential uses for the malware include control of ransomware, spyware, botnet members, or any other activity where there is a need for anonymised communication with a victim of some sort. If you find one of your machines running it then you can be thankful that you are (probably) not the victim yourself, but you will the first port of call for anyone attempting to trace the perpetrator.


An experienced investigator ought to know that this type of redirection is very common, however it is not far-fetched to imagine that you might have your connection cut off by your ISP, or come under investigation by law enforcement, or be publically accused of negligence for allowing your servers to be abused in this way. Also remember that next time the target could be you, so spare a thought for others by not letting your computer be commandeered in this way.

To contact Nettitude’s editor, please email

Pony malware two years later


Two years after first gaining notoriety, the Pony Botnet remains very active. The malware is primarily targeted at the theft of user credentials from applications such as web browsers and email applications, for example, Outlook.  Pony is also capable of stealing a victim’s bitcoin wallet.

A typical attack is executed through the use of a phishing e-mail containing a malicious attachment.

One of the most worrying aspects of Pony is that the source code is fully available online and is free to download, so anyone with the correct level of knowledge and motivation could potentially set up a botnet.

I recently investigated a malware sample that turned out to be Pony malware. Below is a brief summary of the analysis.


The malicious binary came in the form of a heavily obfuscated .NET binary and was named so that it appeared as a spreadsheet – presumably to trick the victim into opening it – however, the attackers had not bothered to replace the application icon with that of an Excel spreadsheet, so this ruse would not fool everyone.

Figure 1Malicious binary as it appears in Windows Explorer

Figure 1 Malicious binary as it appears in Windows Explorer

MD5:  87fc4d453ca983a6a1b2fe92d3bf4a71

SHA-1: b4dbd3de13b492aa12f3030bcd04be2d717945a0

Analysis in Cuckoo sandbox didn’t provide any insight into the purpose of the executable, so I spent some time investigating the malware.

Using a .NET decompiler showed that the binary had been heavily obfuscated.  This is clear as all of the class names have been replaced with single characters and the code consists of many switch statements and magic numbers.

Figure 2 Obfuscated C# code.

Figure 2 Obfuscated C# code.


There was clearly no point in spending time trying to analyse this code, so I took the path of least resistance, which was to use Rohitab API Monitor[1].

The malware launches a child process “RegAsm.exe”.  RegAsm is a non-malicious .NET executable that is provided by Microsoft as part of the .NET framework, so it is present on most modern computers running Windows.  Usually RegAsm is used for registering .NET assemblies, however, the malware uses this executable as the host for malicious code, which is injected into the RegAsm.

Firstly, it creates the RegAsm process with all of its threads suspended; this is achieved by using the “CREATE_SUSPENDED” flag for CreateProcess.   API monitor allows us to capture this activity:

Once the RegAsm process has been created, the malware decodes an obfuscated binary payload, contained within its .NET resources and ten proceeds to inject this into the newly created “RegAsm.exe” process by using WriteProcessMemory.

Figure 3 CREATE_SUSPENDED flag shown in the CreateProcess call

Figure 3 CREATE_SUSPENDED flag shown in the CreateProcess call

Figure 4 Malicious code written into memory locations in RegAsm

Figure 4 Malicious code written into memory locations in RegAsm

The malware is mapped into RegAsm at a base address of 0x00400000 and the thread context of RegAsm’s main thread is then modified by the malware in order to begin execution at the malicious code entry point.

This effectively turns RegAsm into an empty shell, within which the malicious code is transplanted, transforming a benign executable into a malicious one.  The malware then resumes execution of RegAsm in order to start payload.

If we examine the RegAsm process with Process Hacker[2] we can see virtual memory at 0x00400000 with read, write and execute permissions.  Memory with read, write and execute permissions is suspicious in its self as it commonly indicates injected code inside a process.

Figure 5 RWX memory inRegAsm showing malicous code location

Figure 5 RWX memory inRegAsm showing malicous code location

Using Process Hacker, the malicious executable code was then carved from the RegAsm memory and investigated further.

The following strings were found in the executable:

Figure 6 Strings found in the executable indicating Pony

Figure 6 Strings found in the executable indicating Pony

These are an indicative fingerprint of the Pony Botnet[3] client which reached notoriety in July and December 2013.

Further analysis of the binary confirms this to be Pony, which is used by cyber criminals to steal credentials for a number of popular applications, including Bitcoin wallets.

The following software credentials can be stolen by Pony running on the victim’s computer:

FAR Manager, Total Commander, WS_FTP, CuteFTP, FlashFXP, FileZilla, FTP Commander, BulletProof FTP, SmartFTP, TurboFTP, FFFTP, CoffeeCup FTP / Sitemapper, CoreFTP, FTP Explorer, Frigate3 FTP, SecureFX, UltraFXP, FTPRush, WebSitePublisher, BitKinex, ExpanDrive, ClassicFTP, Fling, SoftX, Directory Opus, FreeFTP / DirectFTP, LeapFTP, WinSCP, 32bit FTP, NetDrive, WebDrive, FTP Control, Opera, WiseFTP, FTP Voyager, Firefox, FireFTP, SeaMonkey, Flock, Mozilla, LeechFTP, Odin Secure FTP Expert, WinFTP, FTP Surfer, FTPGetter, ALFTP, Internet Explorer, Dreamweaver, DeluxeFTP, Google Chrome, Chromium / SRWare Iron, ChromePlus, Bromium (Yandex Chrome), Nichrome, Comodo Dragon, RockMelt, K-Meleon, Epic, Staff-FTP, AceFTP, Global Downloader, FreshFTP, BlazeFTP, NETFile, GoFTP, 3D-FTP, Easy FTP, Xftp, RDP, FTP Now, Robo-FTP, Certificate, LinasFTP, Cyberduck, Putty, Notepad++, CoffeeCup Visual Site Designer, FTPShell, FTPInfo, NexusFile, FastStone Browser, CoolNovo, WinZip, Yandex.Internet / Ya.Browser, MyFTP, sherrod FTP, NovaFTP, Windows Mail, Windows Live Mail, Becky!, Pocomail, IncrediMail, The Bat!, Outlook, Thunderbird, FastTrackFTP, Bitcoin, Electrum, MultiBit, FTP Disk, Litecoin, Namecoin, Terracoin, Bitcoin Armory, PPCoin (Peercoin), Primecoin, Feathercoin, NovaCoin, Freicoin, Devcoin, Frankocoin, ProtoShares, MegaCoin, Quarkcoin, Worldcoin, Infinitecoin, Ixcoin, Anoncoin, BBQcoin, Digitalcoin, Mincoin, Goldcoin, Yacoin, Zetacoin, Fastcoin, I0coin, Tagcoin, Bytecoin, Florincoin, Phoenixcoin, Luckycoin, Craftcoin, Junkcoin.

Stolen information for these applications is sent back to the Pony command and control server.

Interestingly, the command and control website that malware beacons out to, purports to have been hacked; visitors to the beacon web site are presented with the following web page:

Figure 7 Command and control web site

Figure 7 Command and control web site

Deeper investigation of the website reveals a Pony Malware administration login page:

Figure 8 Pony Botnet login page

Figure 8 Pony Botnet login page


Several years after first being discovered, Pony is still in use by cyber-criminal organisations.

To protect against Pony malware, we recommend that computer users are educated about the danger of opening attachments from unknown sources.

Antivirus should always be kept up to date, however, malware authors often change the signatures of their malware regularly using obfuscation and mutation techniques.  This sometimes allows them to bypass anti-virus (AV), so it is also vital that network activity is monitored 24/7 to ensure that botnet communication can be observed and addressed in a timely manner.

The use of two factor authentication is also recommended, so that if Pony does steal passwords they are useless without the second authentication method.

Finally, avoid using the same password for each service that you log in to.  This way, the damage can be minimised if Pony does steal your credentials.


  1. Rohitab API Monitor

  1. Process hacker

  1. Pony Botnet–It-s-a-Pony!/

To contact Nettitude’s editor, please email