AWS is bringing the cloud on prem with Outposts

AWS has always been the pure cloud vendor, and even though it has given a nod to hybrid, it is now fully embracing it. Today in conjunction with VMware, it announced a pair of options to bring AWS into the data center.

Yes, you read it correctly. You can now put AWS into your data center with AWS hardware, the same design they use in their own data centers. The two new products are part of AWS Outposts.

There are two Outposts variations — VMware Cloud on AWS Outposts and AWS Outposts. The first uses the VMware control panel. The second allows customers to run compute and storage on premises using the same AWS APIs that are used in the AWS cloud.

In fact, VMware CEO Pat Gelsinger joined AWS CEO Andy Jassy onstage at AWS re:Invent for a joint announcement. The two companies have been working together for some time to bring VMware to the AWS cloud. Part of this announcement flips that on its head, bringing the AWS cloud on prem to work with VMware. In both cases, AWS sells you their hardware, installs it if you wish, and will even maintain it for you.

This is an area in which AWS has lagged, preferring the vision of a cloud rather than moving back to the data center, but the announcement is a tacit acknowledgment that customers want to operate in both places for the foreseeable future.

The announcement also extends the company’s cloud-native-like vision. On Monday, the company announced Transit Gateways, which is designed to provide a single way to manage network resources, whether they live in the cloud or on prem.

Now AWS is bringing its cloud on prem, something that Microsoft, Canonical, Oracle and others have had for some time. It’s worth noting that today’s announcement is a public preview. The actual release is expected in the second half of next year.

more AWS re:Invent 2018 coverage

Asana, a work management platform, nabs $50M growth round at a $1.5B valuation

Asana, a service that teams and individuals use to plan and track the progress of work projects, is doubling down on its own project: to shape “the future of work,” in the words of co-founder and CEO Dustin Moskovitz. The startup, whose products are used by millions of free and paying users, today is announcing that it has raised another $50 million in funding — a Series E that catapults Asana into unicorn status with a $1.5 billion valuation — to invest in international and product expansion.

Asana has been on a funding tear: It raised $75 million just 11 months ago at a $900 million post-money valuation, bringing the total this year to $125 million, and $213 million since being founded in 2008.

Led by Generation Investment Management — the London firm co-founded by former US Vice President Al Gore that also led that Series D in January — this latest round also includes existing investors 8VC, Benchmark Capital and Founders Fund as well as new investors Lead Edge Capital and World Innovation Lab.

Asana has lately been focused on international growth — half of its new sales are already coming from outside the US — and expanding its product as it inches toward profitability. These are the areas where its latest investment will go, too.

Specifically, it plans to open an AWS-based data center in Frankfurt in the first half of next year, and it will set down more roots in Asia-Pacific, with offices in Sydney and Tokyo. It is also hiring in both markets. Asana has customers in 195 countries and six languages, and it looks like it’s homing in on these two regions because it’s seeing the most traction there.

On the product side, the company has been gradually adding machine learning, predictive and other AI features and it will continue to do that as part of a “long-term vision for marrying computer and human intelligence to run entire companies.”

“Our role is to help leaders understand where their attention can be most useful and what to be focused on,” Moskovitz, pictured right with co-founder Justin Rosenstein, said to me in an interview earlier this month when describing the company’s AI push.

The funding caps off an active year for Asana.

In addition to raising $75 million in January, it announced 50,000 paying organizations and “millions” of free users in September. It also introduced new products and features, such as a paid tier, Asana for Business, for larger organizations managing multiple projects; Timelines for drilling into sequential tasks and milestones; and its first steps into AI, services that start to anticipate what users need to see first and prioritise, based on previous behaviour, which team the user is on, and so on.

Asana has been close to profitability this year, although it doesn’t look like it has quite reached that point yet. Moskovitz told me that in fact, it has held on to most of its previous funding (that’s before embarking on this next wave of ambitious expansions, though).

“We have so much money in the bank that we have quite a lot of options [and are in a] strong position to choose what makes the most sense strategically,” he said. “We’ve been fortunate with investors. The prime thing is vision match: do they think about the long-term future in the same way we do? Do they have the same values and priorities? Generation nailed that on so many levels as a firm.”

How Asana fits into the mix with Slack, Box and others

Asana’s growth and mission both mirror trends in the wider world of enterprise IT and collaboration within it.

Slack, Microsoft Teams, Workplace from Facebook and other messaging and chat apps have transformed how coworkers communicate with each other, both within single offices and across wider geographies: they have replaced email, phone and other communication channels to some extent.

Meanwhile, the rise of cloud-based services like Dropbox, Box, Google Cloud, AWS and Microsoft’s Azure has transformed how people in organizations manage and ultimately collaborate on files: the rise of mobile and mobile working has increased the need for more flexible file management and access.

The third area that has been less covered is work management: as people continue to multitask on multiple projects – partly spurred by the rise in the other two collaboration categories – they need a platform that helps keep them organised and on top of all that work. This is where Asana sits.

“We think about collaboration as three markets,” Moskovitz said, “file collaboration, messaging, and work management. Each of these has a massive surface area and depth to them. We think it’s important that all companies have tools that they use from each of these big buckets.”

It is not the only one in that big bucket.

Asana alternatives include Airtable, Wrike, Trello and Basecamp. As we have pointed out before, that competitive pressure is another reason Asana is on the path to continue growing and making its service more sticky.

Indeed, just earlier this month Airtable raised $100 million at a $1.1 billion valuation. Airtable has a different approach – its platform can be used for more than project management – but it’s most definitely used to build templates precisely to track projects.

You might even argue that Airtable’s existing offering could present a type of product roadmap for what might be considered next for Asana.

For now, though, Asana is building up big customers for its existing services.

The product initially got its start when Moskovitz and Rosenstein – respectively a co-founder and an early employee of Facebook – built something to help their coworkers at the social network manage their workloads. Now, it has a range of users that include a number of other tech firms, but also others.

London’s National Gallery, for example, uses Asana to plan and launch exhibitions and business projects; the supermarket chain Tesco uses it for digital campaigns; Sony Music also uses it for marketing management, as well as to track a digitization project for its back music catalog; and Uber has managed some 600 city expansions through Asana to date.

“At Generation Investment Management, we’re grounded in the philosophy that through strategic investments in leading, mission-driven companies we can move towards a more sustainable future,” said Colin le Duc, co-founder and partner, Generation Investment Management, in a statement.

“We see Collaborative Work Management as a distinct and rapidly expanding segment, and Asana has the right product and team to lead the market. Through Dustin and the team, Asana is changing how businesses around the world collaborate, epitomizing what it means to deliver results with a mission-driven ethos.”

macOS Spyware | The Dangers of a Fake CryptoWallet Keylogger

We investigate a macOS keylogger targeting Exodus cryptocurrency asset manager. Learn what to look out for and how to avoid similar spyware attacks.


In early November, F-Secure reported a targeted campaign aimed at installing a keylogger on devices belonging to users of Exodus cryptowallet. According to their initial report, an email campaign pretending to offer an update for Exodus in fact tried to install spyware. The preliminary analysis indicated the scammers had repurposed a binary belonging to a commercial spyware app, RealTimeSpy. Although there’s no suggestion the developers of RealTimeSpy were involved, there is no doubt that those behind the email campaign hoped to install a version of RealTimeSpy on victims’ computers. It’s reasonable to assume the aim was to steal the contents of bitcoin wallets, but this macOS spyware can also steal other personal data through screenshots and keylogging. The program is also able to capture social networking activities and website visits.

In this post, we look into this incident in more detail and examine the implications of this kind of spyware.

A screenshot image of Spyware email Campaign

Spyware with Low Chance of Success, but High Rewards

RealTimeSpy is a commercial product which, according to the developer’s website, is aimed at employers and parents who want to monitor their computers. We’ll leave aside the ethics of covert surveillance in such situations, noting only that the developers do make repeated efforts to warn that their software shouldn’t be installed on any device not owned by the installer. Verbose alerts are displayed when installing the spyware:

macOS Spyware Installation Warning Pop Up

Given this, and that there are at least two authorization requests that follow, we would expect a low infection rate. The attackers did not make any attempts to remove or hide these alerts, such as through binary editing or splash screens with transparent buttons. That may have been due to a lack of technical skill, but we shouldn’t ignore the likelihood the authors were aware of this even as they planned their campaign. Any success would reap high rewards given the spyware’s capabilities. It’s worth noting that “Yes” is enabled by default, meaning that anyone put off by the lengthy text could reflexively hit the enter/return key before realising what they were doing. After installation, stealth is one of the key features the developers of RealTimeSpy promote.

Variants

This was not the first case of this trojan spyware. In fact, we found three different versions distributed in six fake apps since 2016:

1. Build A
First seen on VirusTotal in March 2017 in launchPad.app, this version of the spyware appears to have been created around November 2016. The same binary appears on VirusTotal as Macbook.app in September 2017, and again as Taxviewer.app in May 2018.

2. Build B
A slightly different version, picupdater.app, was created on July 31, 2018 and was first seen on VirusTotal the very next day.

3. Build C
Exodus-MacOS-1.64.1-update, the one seen in the email campaign, contains an updated version of the executable that was built on 31 October, 2018 and again first seen on VirusTotal the following day.

All the above are detected by 21 of the engines on VirusTotal, but we also discovered another version of this build, called HitBTC-listing-offer.app. This remains undetected on VirusTotal at the time of writing. Based on the name, it would also appear to be targeting bitcoin users:

HitBTC-listing-offer.app spyware

The core binary in all cases is a Mach-O 64-bit executable with the name rtcfg. All versions of the spyware have the same bundle identifier, system.rtcfg. Likewise, each contains a second executable in the Resources folder called relaunch.

Dropped Files

Upon successful installation, the malware uses AppleScript to add itself to the user’s Login Items. This appears to be its only means of persistence across boot ups, although the relaunch binary – as might be expected from the name – helps persist the rtcfg executable during the same session if it is killed for some reason.

Exodus-MacOS-1.64.1-update and friends also add themselves to System Preferences’ Accessibility Privacy pane, though for versions of macOS 10.12 or later this is disabled by default. This has a serious effect on the spyware’s capabilities, as we’ll see a little further on.

When all is functioning as intended, the rtcfg exec creates two invisible folders in the User’s home directory. ~/.rts records active app usage in a binary plist file called syslog:

A keylogger app usage script

The keylogger saves data in ~/.keys folder, also as a binary plist in consecutively numbered log files, skey1.log, skey2.log and so on.

keylogger keys.dat script

Two other files, both binary property lists containing serialized data, may also be dropped directly in the Home folder, ~/kspf.dat, and ~/ksa.dat.

keylogger binary plist files

Another Keylogger

Based on this analysis, we discovered another associated but different spyware item, detected by only two of 56 engines on VirusTotal:

macOS keylogger spyware on VT

ksysconfig.app appears to be a dedicated keylogger, and uses both a different bundle identifier, system.ksysconfig, and a different executable, ksysconfig, albeit clearly following a similar naming convention. Code analysis shows that ksysconfig is not just a renamed version of the rtcfg binary, although there are clear similarities in both the classes and methods they use and the files they drop. ksysconfig also writes to the ~/.keys directory, and to another invisible directory at ~/.ss. This contains another binary plist, sslist.data, containing serialized object data.

The ksysconfig binary appears to be part of an application called “Keystroke Spy”. Given the code similarities, it looks as if it originates from the same developers as RealTimeSpy. Since this app wasn’t involved in the email scam campaign, we did not analyse it further.

AppleScript Strikes Out

One of the lines of code that stood out during our analysis in all these binaries was this one:

AppleScript Accessibility API

This code used to allow Accessibility control for any app in macOS prior to 10.9. It is essential for spyware as it allows the process access to UI elements. However, in 2013, Apple changed the way Accessibility works and this code is now ineffective. Our research indicates that the first version of rtcfg to appear on VirusTotal probably began life around November 2015, by which time this code was already redundant. The fake Exodus update app lists its minimum version as 10.6, so that indicates that either rtcfg included code from an older version, and/or the spyware is intended to target as wide a range of users as possible.

However, code that would have made it possible to enable Accessibility on macOS 10.9 to 10.11 is missing, although it would be a simple matter for it to be added in a future build. Despite that, there’s no way to do this programmatically on 10.12 or 10.13 (Mojave is another matter), so it looks as if the malware authors are out of luck unless their targets are way behind the times.

Command & Control?

Another interesting feature of this malware is that it does not have its own C2 structure, so how is it supposed to exfiltrate the user’s data? If we look at the offerings of the commercial spyware company, RealTimeSpy, it appears they expect their customers to view any data saved through an account on the company’s servers. One researcher who looked into the fake Exodus updater reported that the application repeatedly tried to log into an account at realtime-spy.com. We’re not sure if that was intentional or just a product of copying the binary from elsewhere, but our tests also confirmed there was no successful communication to any domains other than realtime-spy.com.

realtime-spy connections

Staying Safe

There’s no doubt that the intent of those behind the email campaign was to deceive and compromise the unwary. If successful, we’d be inclined to class this as a medium to severe threat due to the range of functions that a completed compromise would offer to the attacker. However, there are several barriers to success which reduce the severity of the risk.

First, by repurposing commercial software that includes multiple warnings to the user, even the most casual of users should spot that something is wrong even if they fall for the phishing email. As always, heed warnings and avoid the temptation to “click-through” modal alerts.

Second, the malware won’t work as intended on 10.12 or later unless the user takes further steps to enable it in the Privacy tab of System Preferences’ Security & Privacy pane. On Mojave that’s an even taller bar, as there are at least three separate user settings that, ideally, would need to be manually activated. As we’ve warned elsewhere, consider carefully what you allow in this pane because it applies to all users on the system.

Those on 10.11 or earlier would be most at risk. The best remedy there is to upgrade. El Capitan is now three years out of date and suffers from a number of unpatched vulnerabilities. The risks of remaining on such an old version of macOS really should compel anyone still using it to upgrade.

Takeaways

In sum, this campaign to infect unsuspecting users with macOS spyware has a small chance of success for the majority of users. Even so, a single compromise would hand an attacker everything they need to steal bitcoins and other valuable personal data from the unfortunate victim.

Indicators of Compromise

Filepaths
~/ksa.dat
~/kspf.dat
~/.ss/sslist.dat
~/.keys/keys.dat
~/.keys/skey[1].log
~/.rts/sys[001].log
/Applications/ksysconfig.app
~/Library/Application Support/rsysconfig.app
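
The file paths above, together with the bundle identifiers and executable names described under Variants and Another Keylogger, turned into a triage check. This is an added example, not SentinelOne's tooling: it assumes the bracketed counters in the log names stand for a running number, and the folders searched for renamed bundles (`APP_DIRS`) and the sample layout are constructed for the demonstration.

```python
import plistlib
import tempfile
from pathlib import Path

# Home-relative artefacts from the post's IoC list. Assumption: the bracketed
# counters in skey[1].log and sys[001].log stand for a running number.
HOME_IOCS = ["ksa.dat", "kspf.dat", ".ss/sslist.dat", ".keys/keys.dat",
             ".keys/skey*.log", ".rts/sys*.log",
             "Library/Application Support/rsysconfig.app"]
ROOT_IOCS = ["Applications/ksysconfig.app"]
BUNDLE_IDS = {"system.rtcfg", "system.ksysconfig"}
EXECUTABLES = {"rtcfg", "ksysconfig"}
# Folders searched for renamed bundles: an assumption, not from the post.
APP_DIRS = ["Applications", "Downloads", "Desktop", "Library/Application Support"]
LISTED = "path listed in the post"


def is_binary_plist(path):
    """True if the file starts with the binary property list magic."""
    try:
        with open(path, "rb") as fh:
            return fh.read(6) == b"bplist"
    except OSError:
        return False


def inspect_bundle(app):
    """Return the reasons an .app bundle matches the post's description."""
    app = Path(app)
    try:
        with open(app / "Contents" / "Info.plist", "rb") as fh:
            meta = plistlib.load(fh)  # reads both XML and binary plists
    except Exception:  # missing or malformed Info.plist: fall back to file names
        meta = {}
    meta = meta if isinstance(meta, dict) else {}
    reasons = []
    bundle_id = meta.get("CFBundleIdentifier")
    if isinstance(bundle_id, str) and bundle_id in BUNDLE_IDS:
        reasons.append("bundle id " + bundle_id)
    declared = meta.get("CFBundleExecutable")
    names = {declared} if isinstance(declared, str) else set()
    macos = app / "Contents" / "MacOS"
    if macos.is_dir():
        names |= {p.name for p in macos.iterdir()}
    reasons += ["executable " + n for n in sorted(names & EXECUTABLES)]
    # A helper called relaunch is weak evidence alone, so it only adds detail.
    if reasons and (app / "Contents" / "Resources" / "relaunch").exists():
        reasons.append("Resources/relaunch helper")
    return reasons


def scan(root, home):
    """Return {'files': [(relative path, is_bplist)], 'bundles': {path: reasons}}."""
    root, home = Path(root), Path(home)
    files, bundles = [], {}
    for pattern in HOME_IOCS:
        for hit in sorted(home.glob(pattern)):
            if hit.suffix == ".app":
                bundles.setdefault(str(hit), []).append(LISTED)
            else:
                files.append((hit.relative_to(home).as_posix(), is_binary_plist(hit)))
    for rel in ROOT_IOCS:
        if (root / rel).exists():
            bundles.setdefault(str(root / rel), []).append(LISTED)
    for base in [root / "Applications"] + [home / d for d in APP_DIRS]:
        if not base.is_dir():
            continue
        for app in sorted(base.glob("*.app")):
            reasons = inspect_bundle(app)
            if reasons:
                bundles.setdefault(str(app), []).extend(reasons)
    return {"files": files, "bundles": bundles}


def build_constructed_sample(tmp):
    """Constructed layout for the demo: a renamed bundle, two files, a benign app."""
    home = Path(tmp) / "Users" / "sample"
    contents = home / "Downloads" / "Exodus-MacOS-1.64.1-update.app" / "Contents"
    (contents / "MacOS").mkdir(parents=True)
    (contents / "Resources").mkdir()
    (contents / "MacOS" / "rtcfg").write_bytes(b"")
    (contents / "Resources" / "relaunch").write_bytes(b"")
    (contents / "Info.plist").write_bytes(plistlib.dumps(
        {"CFBundleIdentifier": "system.rtcfg", "CFBundleExecutable": "rtcfg"}))
    (home / ".keys").mkdir()
    (home / ".keys" / "skey1.log").write_bytes(
        plistlib.dumps({"constructed": True}, fmt=plistlib.FMT_BINARY))
    (home / "ksa.dat").write_text("name matches, content is not a plist")
    benign = home / "Applications" / "Notes.app" / "Contents"
    benign.mkdir(parents=True)
    (benign / "Info.plist").write_bytes(
        plistlib.dumps({"CFBundleIdentifier": "com.example.notes"}))
    return Path(tmp), home


if __name__ == "__main__":  # on a real Mac: scan("/", Path.home())
    with tempfile.TemporaryDirectory() as tmp:
        print(scan(*build_constructed_sample(tmp)))
```

A file whose name matches but which is not a binary plist is still reported, with the flag set to False, so an analyst can tell a name collision from the serialized logs the post describes.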



AWS launches a base station for satellites as a service

Today at AWS re:Invent in Las Vegas, AWS announced a new service for satellite providers with the launch of AWS Ground Station, the first fully managed ground station as a service.

With this new service, AWS will provide ground antennas through their existing network of worldwide availability zones, as well as data processing services to simplify the entire data retrieval and processing process for satellite companies, or for others who consume the satellite data.

Satellite operators need to get data down from the satellite, process it and then make it available for developers to use in applications. In that regard, it’s not that much different from any IoT device. It just so happens that these are flying around in space.

AWS CEO Andy Jassy pointed out that they hadn’t really considered a service like this until they had customers asking for it. “Customers said that we have so much data in space with so many applications that want to use that data. Why don’t you make it easier,” Jassy said. He said they thought about that and figured they could bring their vast worldwide network to bear on the problem.

Prior to this service, companies had to build these base stations themselves to get the data down from the satellites as they passed over the base stations on earth wherever those base stations happened to be. It required that providers buy land and build the hardware, then deal with the data themselves. By offering this as a managed service, it greatly simplifies every aspect of the workflow.

Holger Mueller, an analyst at Constellation Research, says the service will help put the satellite data into the hands of developers faster. “To rule real-world application use cases you need to make maps and real-time spatial data available in an easy-to-consume, real-time and affordable way,” Mueller told TechCrunch. This is precisely the type of data you can get from satellites.

The value proposition of any cloud service has always been about reducing the resource allocation required by a company to achieve a goal. With AWS Ground Station, AWS handles every aspect of the satellite data retrieval and processing operation for the company, greatly reducing the cost and complexity associated with it.

AWS claims customers can save up to 80 percent by using an on-demand model over ownership. It is starting with two ground stations today as it launches the service, but plans to expand to 12 by the middle of next year.

Customers and partners involved in the Ground Station preview included Lockheed Martin, Open Cosmos, HawkEye360 and DigitalGlobe, among others.


AWS tries to lure Windows users with Amazon FSx for Windows File Server

Amazon has had storage options for Linux file servers for some time, but it recognizes that a number of companies still use Windows file servers, and it is not content to cede that market to Microsoft. Today the company announced Amazon FSx for Windows File Server to provide a fully compatible Windows option.

“You get a native Windows file system backed by fully-managed Windows file servers, accessible via the widely adopted SMB (Server Message Block) protocol. Built on SSD storage, Amazon FSx for Windows File Server delivers the throughput, IOPS, and consistent sub-millisecond performance that you (and your Windows applications) expect,” AWS’s Jeff Barr wrote in a blog post introducing the new feature.

That means if you use this service, you have a first-class Windows system with all of the compatibility with Windows services that you would expect, such as Active Directory and Windows Explorer.

AWS CEO Andy Jassy introduced the new feature today at AWS re:Invent, the company’s customer conference going on in Las Vegas this week. He said that even though Windows File Server usage is diminishing as more IT pros turn to Linux, there are still a fair number of customers who want a Windows-compatible system and they wanted to provide a service for them to move their Windows files to the cloud.

Of course, it doesn’t hurt that it provides a path for Microsoft customers to use AWS instead of turning to Azure for these workloads. Companies undertaking a multi-cloud strategy should like having a fully compatible option.


AWS Lake Formation makes setting up data lakes easier

The concept of data lakes has been around for a long time, but being able to set up one of these systems, which store vast amounts of raw data in its native formats, was never easy. AWS wants to change this with the launch of AWS Lake Formation. At its core, this new service, which is available today, allows developers to create a secure data lake within a few days.

While “a few days” may still sound like a long time in this age of instant gratification, it’s nothing in the world of enterprise software.

“Everybody is excited about data lakes,” said AWS CEO Andy Jassy in today’s AWS re:Invent keynote. “People realize that there is significant value in moving all that disparate data that lives in your company in different silos and make it much easier by consolidating it in a data lake.”

Setting up a data lake today means you have to, among other things, configure your storage and (on AWS) S3 buckets, move your data, add metadata and add that to a catalog. And then you have to clean up that data and set up the right security policies for the data lake. “This is a lot of work and for most companies, it takes them several months to set up a data lake. It’s frustrating,” said Jassy.

Lake Formation is meant to handle all of these complications with just a few clicks. It sets up the right tags and cleans up and dedupes the data automatically. And it provides admins with a list of security policies to help secure that data.

“This is a step-level change for how easy it is to set up data lakes,” said Jassy.


AWS launches a managed blockchain service

It was only a year ago that AWS CEO Andy Jassy said that he wasn’t all that interested in blockchain services. Clearly something has changed over the course of the last year because today, the company is launching two new blockchain services: Quantum Ledger Database and Amazon Managed Blockchain.

As the name implies, AWS Managed Blockchain is a managed blockchain service. It supports Ethereum and Hyperledger Fabric.

“This service is going to make it much easier for you to use the two most popular blockchain frameworks,” said AWS CEO Andy Jassy. He noted that companies tend to use Hyperledger Fabric when they know the number of members in their blockchain network and want robust private operations and capabilities. AWS promises that the service will scale to thousands of applications and will allow users to run millions of transactions (though the company didn’t say with what kind of latency).

Support for Hyperledger Fabric is available today. Ethereum support is launching a few months from now.

Getting started with Managed Blockchain is a matter of using the AWS Console and configuring nodes, adding members and deploying applications.

“When we heard people saying ‘blockchain,’ we felt like there was their weird convoluting and conflating what they really wanted,” said Jassy. “And as we spent time working with customers and figuring out the jobs they were really trying to solve, this is what we think people are trying to do with blockchain.”


AWS Global Accelerators helps customers manage traffic across zones

Many AWS customers have to run in multiple zones for many reasons including performance requirements, regulatory issues or fail-over management. Whatever the reason, AWS announced a new tool tonight called Global Accelerators designed to help customers route traffic more easily across multiple regions.

Peter DeSantis, VP of global infrastructure and customer support at AWS, speaking at an event Monday night at AWS re:Invent, explained that much of AWS customer traffic already flows over their massive network, and customers are using AWS Direct Connect to help applications get consistent performance and low network variability as customers move between AWS regions. He said what has been missing is a way to use the AWS global network to optimize their applications.

“Tonight I’m excited to announce AWS Global Accelerator. AWS Global Accelerator makes it easy for you to improve the performance and availability of your applications by taking advantage of the AWS global network,” he told the AWS re:Invent audience.


“Your customer traffic is routed from your end users to the closest AWS edge location and from there traverses congestion-free redundant, highly available AWS global network. In addition to improving performance AWS Global Accelerator has built-in fault isolation, which instantly reacts to changes in the network health or your applications configuration,” DeSantis explained.

In fact, network administrators can route traffic based on defined policies such as health or geographic requirements and the traffic will move to the designated zone automatically based on those policies.

AWS plans to charge customers based on the number of accelerators they create. “An accelerator is the resource you create to direct traffic to optimal endpoints over the AWS global network. Customers will typically set up one accelerator for each application, but more complex applications may require more than one accelerator,” AWS’s Shaun Ray wrote in a blog post announcing the new feature.

AWS Global Accelerator is available today in several regions in the US, Europe and Asia.


AWS Transit Gateway helps customers understand their entire network

Tonight at AWS re:Invent, the company announced a new tool called AWS Transit Gateway designed to help build a network topology inside of AWS that lets you share resources across accounts and bring together on premises and cloud resources in a single network topology.

Amazon already has a popular product called Amazon Virtual Private Cloud (VPC), which helps customers build private instances of their applications. The Transit Gateway is designed to help build connections between VPCs, which up until now has been tricky to do.

As Peter DeSantis, VP of global infrastructure and customer support at AWS, speaking at an event Monday night at AWS re:Invent, explained, AWS Transit Gateway gives you a single set of controls that lets you connect to a centrally managed gateway to grow your network easily and quickly.


DeSantis said that this tool also gives you the ability to traverse your AWS and on-premises networks. “A gateway is another way that we’re innovating to enable customers to have secure, easy-to-manage networking across both on premise and their AWS cloud environment,” he explained.

AWS Transit Gateway lets you build connections across a network wherever the resources live in a standard kind of network topology. “Today we are giving you the ability to use the new AWS Transit Gateway to build a hub-and-spoke network topology. You can connect your existing VPCs, data centers, remote offices, and remote gateways to a managed Transit Gateway, with full control over network routing and security, even if your VPCs, Active Directories, shared services, and other resources span multiple AWS accounts,” Amazon’s Jeff Barr wrote in a blog post announcing the new feature.

For much of its existence, AWS was about getting you to the cloud and managing your cloud resources. This makes sense for a pure cloud company like AWS, but customers tend to have complex configurations with some infrastructure and software still living on premises and some in the cloud. This could help bridge the two worlds.


Canada’s Corel is acquiring virtualization specialist Parallels in an all-cash deal

Some consolidation is afoot in the world of business software. TechCrunch has learned that Parallels, the virtualization specialist with millions of users, is getting acquired by Corel, the Canadian company behind design apps like CorelDraw and other productivity apps like WordPerfect.

Some employees at Parallels have already been briefed on the acquisition, which is expected to be announced to the whole company today. Terms have not been disclosed but we understand it is an all-cash deal.

Corel has changed ownership and gone in and out of being listed publicly a number of times since being founded in the 1980s in Ottawa. It’s now owned by Vector Capital, which is essentially the one buying Parallels.

From what we understand, Corel will keep Parallels an independent product.

Parallels was originally founded in 1999 with roots in Russia and is currently headquartered in Bellevue, Washington. It has never made much of a fanfare around its financing or valuation. According to PitchBook its last funding round was in 2015, an undisclosed amount from Endeavour Vision, KG Investments, Maxfield Capital, Savano Capital Partners and others. It had raised $300 million from Ingram Micro the year before that.

It’s not fully clear what the rationale was for the sale, except it seems many investors were longstanding and looking to exit, while Corel has slowly been consolidating a number of software businesses, most recently Gravit Designer from Germany earlier this year.

Parallels provides a number of products that help people work seamlessly across multiple platforms, essentially letting people (and IT managers) run a unified workflow regardless of the device or operating system, ranging from Windows, Mac, iOS, Android, Chromebook, Linux, Raspberry Pi and cloud — a particularly compelling offering in the current, fragmented IT climate.

Corel once had designs to take on Microsoft in the world of software — to be the Pepsi to Microsoft’s Coke, as I once saw it described. That didn’t really pan out, with Microsoft at the time having a vice grip on platform and software (this was before the rise of Google, the rebirth of Apple, the rise of apps, and other big shifts in the industry). At one point, Microsoft signed a partnership with Corel that saw it investing in the company: a sell out, as one disappointed Canadian journalist described it at the time.

The two have also sparred over patents.

These days Corel is “highly profitable”, says Vector, selling software that includes CorelDraw, WordPerfect, WinZip, PaintShop Pro, and WinDVD. You could potentially imagine Parallels existing alongside that, or even perhaps helping increase the functionality and usefulness of Corel’s other apps with more cross-platform functionality.

The Parallels deal is expected to close next year, our source said.

We have written both to Corel and Parallels and will update this post as we learn more.

There have been a number of enterprise software acquisitions with a view to legacy businesses raising their game in open source, cloud and other newer developments. The most notable of these has been IBM announcing its intent to acquire Red Hat for $34 billion in October.