Skip content
LRQA Cyber Labs

Malware Is Changing Daily! Are You Still Protected?

Jules Pagna Disso

 

A look at recent malware techniques
One of the biggest challenges in detecting and protecting against malware is that attackers continually change their techniques and behaviours. We have observed some interesting activities recently that are worth discussing in more detail.
Office macro security bypass 
Traditionally, when malware is embedded into Microsoft Office documents, it will require the user to activate macros.  In essence, if a computer user inadvertently opens a malicious document, the warning message to enable macros can be a red warning flag to users to instantly close the document. However, recently analysed malware embedded within Microsoft Office documents has adapted its technique.
Once the document is open, the user is presented with a blank page asking them to click on the button to download the content of the page. Once the user clicks on the button, they are then presented with another message box asking them to open the document which will then run the macro.

Figure 1 - Malware bypassing macro activation

Figure 1 – Malware bypassing macro activation


Further curiosity on the button “Display the content of the document” reveals that the author has embedded an object that can be accessed without the macro being enabled. In this case, the object was a visual basic (vb) script.
The analysis of this script revealed some interesting tricks used to bypass windows default security settings within PowerShell. The script uses a PowerShell ExecutionPolicy bypass. This will be explained in the next section.

Figure 2 - Office document with a vbs script as embedded object - the user does not need to enable macro

Figure 2 – Office document with a vbs script as embedded object – the user does not need to enable macro


PowerShell ExecutionPolicy bypass – no profile 
There is no doubt that the number of people who know about PowerShell is very limited within the end user community. Unless you are into some computer administration or scripting programming language or hacking/penetration testing, you are most likely not to be aware of PowerShell. Powershell is however installed in all recent versions of Microsoft Operating Systems by default.
Windows PowerShell extends the command line in new and exciting ways. It opens access to some of the operating system functions in ways that were previously possible only with extensive programming. For example, you can not only get the name of a particular user, but also retrieve the entire related user object. You can then manipulate the properties of this user object by referring to the properties you want to work with by name.
Windows PowerShell also has a non-interactive processing mode, which is used when executing a series of commands. In non-interactive processing mode, PowerShell reads and executes commands one by one but doesn’t present a prompt to the user. This aspect is what the malware is making use of in this case.  Using the non-interactive mode, the commands are executed without the knowledge of the user. In this scenario, the malware is bypassing the execution policy.
The execution policy is part of the security strategy of Windows PowerShell. It determines whether you can load configuration files (including your Windows PowerShell profile) and run scripts, and it determines which scripts, if any, must be digitally signed before they will run. However, using the “– Bypass”, nothing is blocked and there are no warnings or prompts. This feature was not however intended to block malware – sadly.
An effective way to reduce the risk of being compromised by malware such as this is to whitelist the applications that are allowed to run on a computer system. It is however true that the malicious user could have achieved their objective by using other methods. Hence, the targeted system will be better protected if the user does not download from untrusted sources or open unknown/unexpected documents from which the sender cannot be verified.
The figure below shows the vb script that was downloaded from the office document. As per the reference in the image, line 2 contains the instruction that will execute the malicious command. Line 2 was disabled and line 3 was created to display the malicious command instead.

Figure 3 - malware exploiting Microsoft Powershell

Figure 3 – malware exploiting Microsoft Powershell


Malware using a known port to hide their traffic: really? 
Protecting against malware that uses port 80 is generally difficult. However, it is possible to control what applications run on a certain port number. For instance, we have an instance of the Dradix malware running on port 8443.
Even though port 8443 is an official alternative of port 443, it would be easy to narrow down what applications use that port.  The ‘netstat’ command when executed as a privilege user can reveal if the port is open and which applications (process id) are currently connecting to that port.

Figure 4 - Quick command to determine which port is open and list connected applications

Figure 4 – Quick command to determine which port is open and list connected applications


The example below show Dradix malware configured to use port 8443.

Figure 5 - Extract from Dradix malware sample showing port 8443

Figure 5 – Extract from Dradix malware sample showing port 8443


Whitelisting the applications that are allowed to use certain ports could help in identifying malicious traffic.
Fake voicemail: double extension
On a different note, another strand of malware has been recently observed that is using an old trick. The malware will disguise itself as a voicemail.  The trick used here is the double extension. The malware appears to be a .wav but in fact it’s a .wav.exe
It is very common to have a voicemail. Also, by curiosity, it would be very easy to think “what’s the worst that can happen if I listen to this message”.

Figure 6 - Malware sample using double extension - fake voicemail

Figure 6 – Malware sample using double extension – fake voicemail


As seen in the above image, the file will look like a voicemail (audio file) but it’s not an audio file. As seen in the red box, the pretended voicemail is in fact an application.  The Golden rule remains valid: Do not trust unknown attachments or links. If you do not expect an attachment, contact the sender when appropriate. If it’s obvious that it’s malware, the best option would be to delete the fake voicemail.  In any doubt, it would better to delete the file. Like the saying goes, if it is important, they will call back.
The same technique could be used to target WhatsApp, Viber, Skype and any other social messenger that allows voice communications. For instance, people can be targeted with an email suggesting that they have received a voicemail from their friend in WhatsApp, Viber or Skype just to name a few. Fake voicemail is a really good technique that can be used during big events such as the elections (just around the corner in the UK at the time of writing!). Users can be tricked into listening to voicemail or a recording of secret conversations from politicians!
It is not, however, uncommon to have telephone services, especially voice over IP telephone services, which offer voicemail by email. Before trying to listen to a message that in fact does not exist, it is very important to verify the origin of the voicemail.
Conclusion
Malware is continually evolving. 24/7 effective monitoring is key in protecting from malware. This can be achieved with our Threat2Alert service https://www.threat2alert.com/. Nettitude can also provide expert research and deep dive investigations into malicious activity within your organisation.
It is also important to have an incident response procedure in place.  Effective security needs to be reviewed and updated based on the threat information available. Having knowledge of the current threats, malware behaviours and techniques will help determine the best security strategy to implement.

Latest Cyber Labs articles