How AdLoad macOS Malware Continues to Adapt & Evade

Incidents of the aggressive AdLoad macOS malware have been increasing over the last few months as the malware continues to evade built-in macOS security and many third-party security solutions. AdLoad is certainly not new; it’s been around in one form or another since at least late 2017, but its developers have continued to adapt, not only to avoid detection on installation but also to resist attempts to remove the malware. In this post, we take a deeper look at how AdLoad adapts and evades many macOS AV solutions, and discuss how to properly detect and remove it.

image of adload

What is AdLoad?

AdLoad is an aggressive adware infection that installs a Man-in-the-Middle web proxy to redirect users’ web traffic through the attacker’s own preferred servers. The aim is to hijack and redirect users’ web browsers for monetary gain.

AdLoad is malware that installs under a variety of different names: Kreberisec, Apollo, Aphrodite SearchDaemon and many others. The names are not entirely random. Most follow a pattern along the lines of

SearchDaemon
Lookup
DataSearch
Results

or some combination thereof.

Some of the more recent names used include ‘ElementarySignalSearchDaemon’, ‘ArtemisSearchDaemon’, ‘GlobalQuestSearchDaemon’, ‘TrustedMacResultsSearchDaemon’, ‘NetSignalSearchDaemon’, ‘SimpleSearchAppDaemon’, ‘SearchQuestDaemon’ and – breaking the mould a little – ‘SearchQuest’ and ‘ResultSync’ among many others.

Here’s a partial list of some of the most common names circulating at the moment.

AphroditeLookup
AphroditeResults
ApolloSearch
ApolloSearchDaemon
ArtemisSearch
ArtemisSearchDaemon
ElementaryDataSearch
ElementarySignalSearchDaemon
FindData
GlobalConsoleSearch
GlobalQuestSearch
GlobalQuestSearchDaemon
Kreberisec
NetSignalSearchDaemon
ResultSync
SearchQuest
SearchQuestDaemon
SimpleFunctionSearch
SimpleSearchAppDaemon
TrustedMacResultsSearchDaemon
WebSearchStride

This malware has been known for some time, with at least two variants known to Apple’s XProtect definitions from November 2017 or earlier. Despite that, versions of AdLoad are still being reported in the wild by macOS users on Apple Support Communities forums.

image of asc complaints

Unfortunately for many macOS users, neither XProtect nor many other simple static engines detect it.

image of adload virustotal detection

This rule from Apple’s current XProtect definitions effectively requires the scanned binary to contain the string “getSafariVersion” in order to trigger a detection.

image of adload xprotect detection

image of hex to string translation

Alas, malware authors have long since refactored their code and current variants no longer contain that string. That breaks XProtect’s ability to detect the malware with the above rule, since the rule specifies that string as necessary, though not sufficient, for a detection.

In order to avoid simple static detections, the files have different hashes, though they are often of similar size.

image of AdLoad Hashes

Hitting on distinctive method names shows the files to be variants of the same malware.

Interestingly, XProtect’s “Mughthesec” definition gets closer to current AdLoad static signatures.

image of mughthesec

image of mughthesec yara rule

This definition requires, among other things, that the binary contain strings including the substring fallback as well as BerTaggedData. As we’ll see later, that suggests a close link between AdLoad and Mughthesec malware, but it still fails to catch AdLoad, which does use BerTaggedData but does not contain the substrings with fallback.

And clearly, while static signature detections on BerTaggedObject and other static features of the binary might be good while they last, like Apple’s XProtect signatures they won’t last long: malware authors will refactor as soon as their success-to-detection ratio starts moving in the wrong direction. We’ll see below how to detect and protect against this kind of malware more effectively.

AdLoad Dropped Files

Victims of AdLoad will find that the malware drops files both in some of the usual, easy-to-find places used by macOS malware and in some much lesser-known areas that can be hard to detect. The adware typically presents an authorization dialog that asks for an admin password. On collecting the password, the malware uses the credentials to drop a number of files in both the user and local computer domains. First, it drops not only a LaunchAgent in the user’s Library but also two LaunchDaemons in the local domain Library.

The following uses SearchQuest as the example name, but of course this may be replaced with any one of the names and patterns mentioned above.

First, the LaunchAgent is dropped at
/Users/aUser/Library/LaunchAgents/com.SearchQuest.plist

and targets the following executable in its Program Arguments:
/Users/aUser/Library/Application Support/com.SearchQuest/SearchQuest

Next, the first of two LaunchDaemons is dropped at
/Library/LaunchDaemons/com.SearchQuestDaemon.plist

which targets a corresponding item in:
/Library/Application Support/com.SearchQuestDaemon/SearchQuest

The second LaunchDaemon, in this example, lands here:
/Library/LaunchDaemons/com.SearchQuestP.plist

and targets a hidden item in /var/root:
/var/root/.SearchQuest/SearchQuestDaemon

This item itself calls a python script in the same folder:
/var/root/.SearchQuest/SearchQuest --mode socks5 --showhost -q -s /var/root/.SearchQuest/SearchQuest.py

image of running processes

SearchQuest is an instance of mitmproxy, used here to run the python script SearchQuest.py in “quiet” mode in order to open a connection with a remote host.

image of mitmproxy

The SOCKS proxy is enabled for localhost:8080 in Network settings and persists across restarts.

AdLoad, a Malware That Doesn’t Give Up

AdLoad doesn’t stop with a LaunchAgent and two LaunchDaemons in its attempt to maintain persistence. It also installs a user cron job and an executable in a subfolder of the user’s Library/Application Support folder. The subfolder has a UUID-like hex name in the 8-4-4-4-12 pattern, and the executable inside it has a different UUID-like hex name with the same 8-4-4-4-12 pattern.

This is just a random example; the UUID values are unique to each user and are likely used as part of campaign tracking.

30 */2 * * * /Users/aUser/Library/Application Support/712B5686-92B3-919D-DD36-13A5745D87D2/74C08AE4-8ACE-51CA-54F7-0ED0A530ECAA h >/dev/null 2>&1

This job runs every two hours, at 30 minutes past the hour. The target of the cron job is a Mach-O executable that imports Apple’s JavaScriptCore framework, which allows the binary to evaluate JavaScript and likewise expose native objects, methods and functions to the JavaScript environment.

Optional Extras: AdLoad & Friends

In every infection I’ve seen of this malware to date, there’s always a number of others that appear to be brought along to the party. Tests in both VMs and ‘bare metal’ lab machines have proved inconclusive to date as to whether these additional installations are payloads directly dropped by AdLoad itself or are subsequent infections. We have seen a number of cases where a Pay-per-Install PUP installer delivers adware, which in turn delivers other PPI installers and further adware. The ties between the players in this game of monetizing unwanted downloads and browser hijacks seem to be becoming increasingly closer.

Adding to the variance in what gets installed is the way campaigns tailor payloads depending on local settings, which are usually harvested at install time. These include the geolocation of the victim, device make and model, operating system version and language settings.

Nevertheless, AdLoad is frequently found alongside other adware/PUP installations variously known as “Mughthesec”, “SurfBuyer”, “Souter”, “MyShopcoupon”, “MMInstall” and “MMProt”. All use a similar infection mechanism, which begins with a redirect to a scam website that invites the user to download a “needed” Flash Player or other media player component. These are typically unsigned, and the user is provided with instructions on how to open the application by bypassing Apple’s built-in Gatekeeper and XProtect safeguards.

image of installer

Other IOCs we’ve seen with this threat on some occasions, albeit not consistently for the reasons mentioned above, are:

  1. A modified sudoers file
  2. Installation of the attacker’s SSH known_hosts key in ~/.ssh
  3. A configuration profile to lock down browser settings (in System Preferences > Profiles)
  4. Browser extensions such as “AnySearch”, “SearchIt” and similar names
  5. Creation of the folder /Users/aUser/Applications with malicious files dropped inside it
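
As an added example that is not SentinelOne’s code and not part of the original post, the following script triages a Mac for the persistence described in the two sections above: launchd labels matching the naming pattern, the UUID/UUID cron job, the mitmproxy-style SOCKS5 process and the localhost:8080 SOCKS proxy setting. The function names and regexes are my own assumptions; the classifier functions read text on stdin so they run on constructed input anywhere, while --live gathers the real data from the host with ls, crontab, ps and networksetup.

```bash
#!/bin/bash
# Added example (not SentinelOne's code): triage a Mac for AdLoad persistence.
# Classifier functions read text on stdin; scan_live_host collects that text
# from the running system when the script is invoked with --live.

# Naming pattern from the post: Search/Lookup/Results/DataSearch, plus the
# outliers Kreberisec and ResultSync (matched via "Result"). Heuristic only.
ADLOAD_NAME_RE='(Search|Lookup|Result|FindData|Kreberisec)'

# UUID-like 8-4-4-4-12 hex pattern used for the cron payload folder and file.
UUID_RE='[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'

# stdin: launchd plist paths, one per line. Prints those whose label matches
# the AdLoad naming pattern; Apple's own com.apple.* labels are excluded.
suspicious_launch_items() {
    grep -E "/com\.[A-Za-z]*${ADLOAD_NAME_RE}[A-Za-z]*\.plist\$" | grep -v '/com\.apple\.' || true
}

# stdin: crontab text. Prints entries whose command lives in
# Library/Application Support/<UUID>/<UUID>, as in the cron line above.
suspicious_cron_entries() {
    grep -E "Library/Application Support/${UUID_RE}/${UUID_RE}" || true
}

# stdin: process listing. Prints mitmproxy-style "--mode socks5 ... -s x.py"
# command lines, the shape of the /var/root/.SearchQuest process above.
suspicious_processes() {
    grep -E -e '--mode socks5 .* -s [^ ]+\.py' || true
}

# stdin: output of `networksetup -getsocksfirewallproxy <service>`.
# Returns 0 when a SOCKS proxy is enabled and points at localhost:8080.
socks_proxy_hijacked() {
    local text
    text=$(cat)
    printf '%s\n' "$text" | grep -q '^Enabled: Yes' &&
        printf '%s\n' "$text" | grep -Eq '^Server: (localhost|127\.0\.0\.1)$' &&
        printf '%s\n' "$text" | grep -q '^Port: 8080$'
}

# Collects live data from this Mac and runs the classifiers above.
# Nothing is modified; the /var/root listing needs sudo.
scan_live_host() {
    echo "== launchd items with AdLoad-style labels =="
    ls -1 ~/Library/LaunchAgents/*.plist /Library/LaunchAgents/*.plist \
          /Library/LaunchDaemons/*.plist 2>/dev/null | suspicious_launch_items
    echo "== cron entries with UUID/UUID payloads =="
    crontab -l 2>/dev/null | suspicious_cron_entries
    echo "== mitmproxy-style SOCKS5 processes =="
    ps -axo pid,user,command | suspicious_processes
    echo "== network services with a SOCKS proxy on localhost:8080 =="
    networksetup -listallnetworkservices 2>/dev/null | tail -n +2 | sed 's/^\*//' |
        while IFS= read -r svc; do
            if networksetup -getsocksfirewallproxy "$svc" 2>/dev/null | socks_proxy_hijacked; then
                echo "$svc"
            fi
        done
    echo "== hidden folders in /var/root (sudo) and contents of ~/Applications =="
    sudo ls -d /var/root/.*/ 2>/dev/null | grep -E "$ADLOAD_NAME_RE" || true
    ls -la ~/Applications 2>/dev/null || true
}

case "${1:-}" in
    --live) scan_live_host ;;
esac
```

Every hit is a lead to confirm by hand, since the label regex is deliberately broad; unload each launchd item and remove the cron entry in the same pass, otherwise a surviving component re-drops the others.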

Detecting and Protecting Against AdLoad

SentinelOne customers are protected against AdLoad, which is detected as a threat and blocked when it tries to execute – regardless of how the malware is coded internally – because the AI behavioral engine detects the malicious behaviour rather than relying on static signatures.

For those not yet protected by SentinelOne, manual removal may be something of a race against time. With multiple persistence agents – launch agents, daemons, cron jobs and processes running in memory out of /var/root – it can take several attempts to remove all of these before one of them re-writes the deleted components back to disk. Somewhat like the malware itself, however, persistence pays off: as long as you have identified all the malicious processes and persistence agents, repeatedly removing them will eventually win the race.

Conclusion

We have seen an increasing number of reports of attempted AdLoad infections and increasing concern among macOS users. AdLoad is extremely difficult for individual users to remove, and even some third-party solutions that detect it after the fact are unable to outrun the malware’s multiple persistence mechanisms. Hopefully, this post has provided some insight into how to detect and remove the AdLoad malware. If you’d like to see how SentinelOne can autonomously protect your Mac users from this kind of threat, please contact us for a free demo.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Stealthy search startup Searchable.ai snags $2M seed

Searchable.ai wants to solve an old problem around search in the enterprise. The stealthy startup announced a $2 million seed round.

Defy Partners led the round with a slew of other participants, including Paul English, co-founder of Kayak; Wayne Chang, co-founder of Crashlytics; Brian Halligan, co-founder and CEO of HubSpot; Jonathan Kraft, president and COO of the Kraft Group and the New England Patriots; MIT Prof. Edward Roberts; Eric Dobkin, founder and chairman emeritus of Goldman Sachs Global Equity Capital Markets; and Susquehanna International Group.

The prestigious group of investors saw that Searchable.ai is trying to solve a big problem around findability. Company co-founder Brian Shin says that knowledge workers have been struggling for years trying to find a way to better utilize all of the information that exists within an organization.

“The problem we’re really solving is that there are a trillion documents created every year in Microsoft Office, Google Docs, etc., and it’s really difficult if you’re a knowledge worker to find what you need in terms of either a document, an asset like a slide or worksheet within a document or the actual answer to a question that you have,” Shin said.

The questioning part could be particularly valuable because it lets you ask a natural language question and find a specific piece of information within a document, rather than just the document itself. “Let’s say you have a giant spreadsheet, you could actually ask a question of all your spreadsheets and find the atomic unit of knowledge that you’re actually looking for,” he said.

The product itself is not quite ready for the big reveal, but if it works as described, it will be a huge boost to knowledge workers who have continually struggled to find a nugget of information they know is out there across the myriad documents in an organization.

Shin is an experienced entrepreneur who has helped launch and sell three companies. He reports he has raised $100 million in venture capital and most recently has worked as a venture capitalist himself, but he saw this opportunity and decided to jump back into the development side of things.

He admits he’s giving up a lot to go back to the startup lifestyle, but he and his co-founders decided this was worth it. “You know the draw, the compulsion to do another startup is really what this is about. So my three other colleagues and I have all started companies before and we’re all giving up big jobs to do this, and I’m so excited about the team and the massive opportunity.”

He promised more details about the company and the solution would be coming early next year.

Kandji announces $3.375M seed for sophisticated Apple MDM solution

Kandji, a new Apple MDM solution that promises to go far beyond Apple’s base MDM protocol and other solutions on the market, emerged from stealth today with a $3.375 million seed investment. The product is also publicly available for the first time starting today.

The round, which closed in March, was led by First Round Capital with help from Webb Investment Network, Lee Fixel, John Glynn and other unnamed investors.

Company co-founder and CEO Adam Pettit says the company’s founders have a deep knowledge in Apple. They all worked at Apple before leaving to run an Apple IT consultancy for more than 10 years.

He said that while they were at the consultancy, they developed a proprietary stack of tools to help with highly sophisticated Apple device deployments at large organizations, and it occurred to them that there was an unserved market opportunity to turn that knowledge into a new product.

Two years ago they sold the consultancy, took that knowledge and built Kandji from the ground up. Pettit says the new product gives customers access to a set of management tools that they would have charged six figures to implement at their old firm.

One of the key differentiators between Kandji and other MDM solutions, or even Apple’s base MDM functionality, is a set of one-click compliance tools. “We’re the only product that has almost 200 of these one-click policy frameworks we call parameters. So an organization can go in and browse by compliance framework, or we have pre-built templates for companies that don’t necessarily have a specific compliance mandate in mind,” he said.

The parameters have all of the tools built-in to automatically deploy a set of policies related to a given compliance framework without having to go through and manually set all of those different switches yourself. On the flip side, if you want to get granular and create your own parameters, you can do that too.

He says one of the reasons he and his partners were willing to give up the big-dollar consultancy was because they saw a huge opportunity for firms that couldn’t afford those kind of services, but still had relatively large Apple device deployments. “I mean there’s a big need outside of just the specific kind of sophisticated compliance work we would do [at our previous firm]. We saw this big need in general for an Apple MDM solution like ours,” he said.

After selling their previous firm, the founders bootstrapped for a year while they developed the initial version of Kandji before seeking funding. Today, the company has 16 employees and a set of initial customers that have been testing the product.

Even after Microsoft wins, JEDI saga could drag on

The DoD JEDI contract saga came to a thrilling conclusion on Friday afternoon, appropriately enough, with one final plot twist. The presumptive favorite, Amazon, did not win, stunning many, including likely the company itself. In the end, Microsoft took home the $10 billion prize.

This contract was filled with drama from the beginning, given the amount of money involved, the length of the contract, the winner-take-all nature of the deal — and the politics. We can’t forget the politics. This was Washington after all, and Jeff Bezos does own The Washington Post.

Then there was Oracle’s fury throughout the procurement process. The president got involved in August. The current defense secretary recused himself on Wednesday, two days before the decision came down. It was all just so much drama, even the final decision itself, handed down late Friday afternoon — but it’s unclear if this is the end or just another twist in this ongoing tale.

Some perspective on $10 billion

Before we get too crazy about Microsoft getting a $10 billion, 10-year contract, consider that Amazon earned $9 billion last quarter alone in cloud revenue. Microsoft reported $33 billion last quarter in total revenue. It reported around $11 billion in cloud revenue. Synergy Research pegs the current cloud infrastructure market at well over $100 billion annually (and growing).

What we have here is a contract that’s worth a billion a year. What’s more, it’s possible it might not even be worth that much if the government uses one of its out clauses. The deal is actually initially guaranteed for just two years. Then there are a couple of three-year options, with a final two-year option at the end if it gets that far.

The DOD recognized that with the unique nature of this contract, going with a single vendor, it wanted to keep its options open should the tech world shift suddenly under its feet. It didn’t want to be inextricably tied to one company for a decade if that company was suddenly disrupted by someone else. Given the shifting sands of technology, that part of the strategy was a wise one.

Where the value lies

If the value of this deal was not the contract itself, it begs the question, why did everyone want it so badly? The $10 billion JEDI deal was simply a point of entree. If you could modernize the DoD’s infrastructure, the argument goes, chances are you could do the same for other areas of the government. It could open the door for Microsoft for a much more lucrative government cloud business.

But it’s not as though Microsoft didn’t already have a lucrative cloud business. In 2016, for example, the company signed a deal worth almost a billion dollars to help move the entire department to Windows 10. Amazon too, has had its share of government contracts, famously landing the $600 million to build the CIA’s private cloud.

But given all the attention to this deal, it always felt a little different from your standard government contract. Just the fact the DoD used a Star Wars reference for the project acronym drew more attention to the project from the start. Therefore, there was some prestige for the winner of this deal, and Microsoft gets bragging rights this morning, while Amazon is left to ponder what the heck happened. As for other companies like Oracle, who knows how they’re feeling about this outcome.

Hell hath no fury like Oracle scorned

Ah yes, Oracle; this tale would not be complete without discussing the rage of Oracle throughout the JEDI RFP process. Even before the RFP process started, they were complaining about the procurement process. Co-CEO Safra Catz had dinner with the president to complain that the contract process wasn’t fair (not fair!). Then it tried complaining to the Government Accountability Office. They found no issue with the process.

They went to court. The judge dismissed their claims that involved both the procurement process and that a former Amazon employee, who was hired by the DoD, was involved in the process of creating the RFP. They claimed that the former employee was proof that the deal was tilted toward Amazon. The judge disagreed and dismissed their complaints.

What Oracle could never admit was that it simply didn’t have the same cloud chops as Microsoft and Amazon, the two finalists. It couldn’t be that they were late to the cloud or had a fraction of the market share that Amazon and Microsoft had. It had to be the process or that someone was boxing them out.

What Microsoft brings to the table

Outside of the politics of this decision (which we will get to shortly), Microsoft brought to the table some experience and tooling that certainly gave it some advantage in the selection process. Until we see the reasons for the selections, it’s hard to know exactly why the DoD chose Microsoft, but we know a few things.

First of all there are the existing contracts with the DoD, including the aforementioned Windows 10 contract and a five-year $1.76 billion contract with DoD Intelligence to provide “innovative enterprise services” to the DoD.

Then there is Azure Stack, a portable private cloud stack that the military could stand up anywhere. It could have great utility for missions in the field when communicating with a cloud server could be problematic.

Fool if you think it’s over

So that’s that right? The decision has been made and it’s time to move on. Amazon will go home and lick its wounds. Microsoft gets bragging rights and we’re good. Actually, this might not be where it ends at all.

Amazon, for instance, could point to Jim Mattis’ book where he wrote that the president told the then Defense Secretary to “screw Bezos out of that $10 billion contract.” Mattis says he refused, saying he would go by the book, but it certainly leaves the door open to a conflict question.

It’s also worth pointing out that Jeff Bezos owns The Washington Post and the president isn’t exactly in love with that particular publication. In fact, this week, the White House canceled its subscription and encouraged other government agencies to do so as well.

Then there is the matter of current Defense Secretary Mark Esper suddenly recusing himself last Wednesday afternoon based on a minor point that one of his adult children works at IBM (in a non-cloud consulting job). He claimed he wanted to remove any hint of conflict of interest, but at this point in the process, it was down to Microsoft and Amazon. IBM wasn’t even involved.

If Amazon wanted to protest this decision, it seems it would have much more solid ground to do so than Oracle ever had. An Amazon spokesperson would only say that the company “was keeping its options open.”

The bottom line is a decision has been made, at least for now, but this process has been rife with controversy from the start, just by the design of the project, so it wouldn’t be surprising to see Amazon take some protest action of its own. It seems oddly appropriate.

The Good, the Bad and the Ugly in Cybersecurity – Week 43

Image of The Good, The Bad & The Ugly in CyberSecurity

The Good

Upgrading legacy systems is a huge headache, as anyone involved in IT and systems engineering knows. People involved in such processes are so reluctant to upgrade working (albeit ageing) systems that organizations hold on to legacy systems for years. When the systems in question manage the launch of nuclear missiles, the concerns are of a different magnitude. That’s why we were delighted to learn that the US Air Force will stop using floppy disks for nuclear launch coordination. The Air Force currently uses 8-inch floppy disks in a ’70s computer to receive orders from the President. According to the U.S. military, this antiquated system has been replaced by a “highly-secure solid-state digital storage solution.”

Anyone who is old enough to remember the utter misery of working with these antiquated storage devices must be delighted that such a sensitive system is no longer reliant on 1980s technology.

image of command data center

The Bad

The famous saying “there’s no honor among thieves” is apparently true for cyber espionage groups too. The combined efforts of the UK National Cyber Security Centre (NCSC) and the NSA revealed that a Russian APT group “piggybacked” on an Iranian APT group’s infrastructure and tools to target 35 countries in an effort to obtain sensitive information. The group, nicknamed “Turla”, “Waterbug” or “VENOMOUS BEAR”, regularly collects information by targeting government, military, technology, energy and commercial entities.

Their latest trick involved the reuse of Iranian tools and infrastructure to disguise the origin of their activity. This is a dangerous step in the already escalating cyber warfare domain – the fact that one nation can masquerade as another can trigger a series of cyber operations that may lead to a kinetic conflict.

image of NSA cyber security centre

The Ugly

No one can afford to be lax on security, particularly companies that offer security-related services. That is the reality of doing business nowadays. But for a security-related company to get hacked and to delay disclosing the information to its clients for more than a year and a half is dismal.  

NordVPN, a virtual private network provider that promises to “protect your privacy online,” was breached back in March 2018.

“One of the data centers in Finland we are renting our servers from was accessed with no authorization,” a NordVPN spokesperson said.

The breach was the result of hackers exploiting an insecure remote-management system that administrators of a Finland-based data center installed on a server NordVPN leased. The breach was made public in a series of Tweets, exposing the fact that NordVPN keys had leaked.  

image of nord vpn breach

Although the company insists that no personal information was compromised, a log suggests that the hackers had root access, meaning they had almost complete control over the server and could read or modify just about any data stored on it.

In addition, it seems that two additional VPN services, TorGuard and VikingVPN, also experienced breaches that leaked encryption keys. 

These types of incidents raise serious concerns about the vendor’s credibility – were they aware of the hack but opted to keep that a secret? Or were they unaware of it for so long? Even worse, this is a service billed as one providing greater security and privacy for their customers, and it seems they did not deliver on their promise.  



How TrickBot Hooking Engine Targets Windows 10 Browsers

The Zero2Hero malware course continues with Vitali Kremez revealing how TrickBot’s hooking engine targets Chrome, Firefox, Internet Explorer and Edge on Windows 10.

image of trickbot hooking engine

Background & Summary

TrickBot banking malware remains one of the more interesting and continually developing malware families on the financial crimeware landscape. It employs multiple means and methods to exploit compromised machines of interest. The focus of this post is to cover in depth some of its browser hooking engine functionality, including its support for Microsoft Edge on Windows 10. We will focus on the internals, and on how TrickBot sets up hooks in these browsers for the API calls of interest. The ultimate goal of the browser hooking is predominantly to intercept online banking credentials before they are SSL encrypted. The stolen credentials can subsequently be used for account takeover (ATO) fraud.

image of trickbot hooking

Since Windows 10 came with a new browser, “Microsoft Edge”, TrickBot operators needed their banking malware to operate on that software. To implement form-grabbing and web injections in the Windows 10 Edge browser, TrickBot’s rogue rtlbroker hooks the microsoftedgecp.exe process. Normally, runtimebroker.exe is the parent process of the Microsoft Edge browser on Windows 10 machines. 

TrickBot Browser Process Injection Technique “Reflective Loader”

In order to hook browser functions, TrickBot malware injects the payload into the browser of choice via the so-called “ReflectiveLoader” methodology. 

The TrickBot process injection function targets four browsers from Microsoft Edge to Google Chrome and one Microsoft Edge related process.

image of trickbot browser injection

TrickBot injects the malware targeting the following processes:

  • chrome.exe
  • iexplore.exe
  • firefox.exe
  • microsoftedgecp.exe
  • runtimebroker.exe

The malware also “relaxes” browser security and writes changes to files locally before the injection occurs.

image browser target

TrickBot’s reflective injection works as follows:

  • Open the target process and allocate memory in the remote process via VirtualAllocEx
  • Copy the loader function into the allocated memory space with WriteProcessMemory
  • Copy the shellcode into the allocated memory space with WriteProcessMemory
  • Call the FlushInstructionCache API to make sure the changes take effect right away
  • Call the RemoteThread injection function
  • Call ResumeThread
  • Otherwise, call the undocumented API function RtlCreateUserThread to start execution in the remote process, using the offset address of the reflective loader function as the entry point

TrickBot Hooking Engine

When the TrickBot banker hooks an API function, execution enters the new hooked function, which checks that the process is microsoftedgecp.exe and passes control back to the original function once the hooked function concludes.

image of trickbot create hook main function

The basic TrickBot banking API hooking template is as follows:

"CreateHook_API" Function Template ->

int CreateHook_API(LPCSTR DLL_name, int original_function_name,
                   int myHook_function, int address_of_original_function);


By and large, TrickBot’s hooking engine works by overwriting the start of the target API with a redirect to its own function using the 0xE9 opcode, which is a jump with a 32-bit relative offset. TrickBot uses a trampoline function and writes the hook after calling the VirtualProtectEx API to make sure the page has the 0x40 (PAGE_EXECUTE_READWRITE) protection. Additionally, it attempts to conceal this hooking technique from detection by prepending NOP and/or RETN bytes.

The exact TrickBot hook pseudo-code is as follows:

////////////////////////////////////////////////////////////////////
/////////////// TrickBot Hook Install Function ///////////////////////
///////////////////////////////////////////////////////////////////
signed int __cdecl TrickBot_Hook_Install(int myHook_function, int *function_address)
{
	char *original_function;
	char *current_func_id_thread;
	int v5;
	char jump_len;
	signed int result;
	SIZE_T v8;
	void *trampoline_lpvoid;
	int v10;
	int v11;
	unsigned __int8 jmp_32_bit_relative_offset_opcode;
	int relative_offset;
	DWORD flOldProtect;
	original_function = func_name;
	current_func_id_thread = func_name + 0x24;
	iter_func(func_name + 0x24, 0x90, 0x23);
	if ( function_address )		// Attempts to prepend "0x90" (nop) or "0xC3" (retn) to jump length to avoid basic hooking detect
		jump_len = walker_byte_0(*(_BYTE **)(original_function + 1), (int)current_func_id_thread, v5);
	else
		jump_len = 5;		// jump_length_trampoline -> 5

	original_function[5] = jump_len;

	if ( !jump_len )
		goto LABEL_12;
	write_hook_iter((int)(original_function + 6), *(_BYTE **)(original_function + 1), (unsigned __int8)jump_len);		// Setting up the trampoline buffer

	if ( function_address )
		*function_address = (int)current_func_id_thread;
	
	relative_offset = myHook_function - *(_DWORD *)(original_function + 1) - 5;
	v8 = (unsigned __int8)original_function[5];
	trampoline_lpvoid = *(void **)(original_function + 1);
	jmp_32_bit_relative_offset_opcode = 0xE9u;		// "0xE9" -> opcode for a jump with a 32bit relative offset

	if ( VirtualProtectEx((HANDLE)0xFFFFFFFF, trampoline_lpvoid, v8, 0x40u, &flOldProtect) )	// Set up the function for "PAGE_EXECUTE_READWRITE" w/ VirtualProtectEx
	{
		v10 = *(_DWORD *)(original_function + 1);
		v11 = (unsigned __int8)original_function[5] - (_DWORD)original_function - 0x47;
		original_function[66] = 0xE9u;
		*(_DWORD *)(original_function + 0x43) = v10 + v11;
		write_hook_iter(v10, &jmp_32_bit_relative_offset_opcode, 5); // -> Manually write the hook
		VirtualProtectEx(		// Return to original protect state
			(HANDLE)0xFFFFFFFF,
			*(LPVOID *)(original_function + 1),
			(unsigned __int8)original_function[5],
			flOldProtect,
			&flOldProtect);
	result = 1;


For instance, after hooking CreateProcessA, TrickBot installs its own replacement function (named myCreateProcessA here). The idea is to catch any execution of microsoftedgecp.exe so that the new process can be intercepted for subsequent injection. After intercepting the call and collecting the process execution information it needs, this function ultimately returns control to the real CreateProcessA.

image hooked process

The following four API calls are hooked in the child Microsoft Edge process via the rogue rtlbroker.dll, allowing TrickBot operators to intercept and manipulate Microsoft Edge calls:

  • CreateProcess
  • CreateProcessW
  • CreateProcessAsUserA
  • CreateProcessAsUserW

In Internet Explorer and Microsoft Edge, TrickBot hooks the following wininet.dll API calls:

  • HttpSendRequestA
  • HttpSendRequestW
  • HttpSendRequestExA
  • HttpSendRequestExW
  • InternetCloseHandle
  • InternetReadFile
  • InternetReadFileExA
  • InternetQueryDataAvailable
  • HttpQueryInfoA
  • InternetWriteFile
  • HttpEndRequestA
  • HttpEndRequestW
  • InternetQueryOptionA
  • InternetQueryOptionW
  • InternetSetOptionA
  • InternetSetOptionW
  • HttpOpenRequestA
  • HttpOpenRequestW
  • InternetConnectA
  • InternetConnectW

In Mozilla Firefox, the malware hooks the following nspr4.dll API calls:

  • PR_OpenTCPSocket
  • PR_Connect
  • PR_Close
  • PR_Write
  • PR_Read 

In Chrome, it hooks the following chrome.dll API calls:

  • ssl_read
  • ssl_write
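The hook shape described above (an E9 JMP rel32 written over the function start, with the offset computed as hook - original - 5, and NOP/RETN bytes used to frustrate naive checks) is easy to model from the defender's side. The following is an added example, not TrickBot's code or the author's: it encodes the same 5-byte patch only to build constructed test data, then decodes the prologue of each export in a fake wininet.dll image (addresses and module range are made up) and flags exports whose first jump leaves the module, tolerating a short run of leading NOP/RETN bytes as an assumption drawn from the text.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

JMP_REL32 = 0xE9                          # opcode of JMP rel32, as in the pseudo-code
PAD_BYTES = {0x90: "nop", 0xC3: "retn"}   # bytes the text says TrickBot prepends


@dataclass
class HookFinding:
    export: str
    pad: int             # NOP/RETN bytes found before the JMP
    target: int          # absolute jump destination
    out_of_module: bool  # destination lies outside the owning DLL's image


def encode_jmp_rel32(from_addr: int, to_addr: int) -> bytes:
    """5-byte patch; offset = hook - original - 5, as the pseudo-code computes it."""
    rel = (to_addr - from_addr - 5) & 0xFFFFFFFF
    return bytes([JMP_REL32]) + struct.pack("<I", rel)


def find_inline_hook(export: str, prologue: bytes, func_addr: int,
                     module_range: Tuple[int, int], max_pad: int = 8) -> Optional[HookFinding]:
    """Report an E9 redirect at the start of a prologue.

    A check that only tests prologue[0] == 0xE9 is defeated by a few leading
    NOP/RETN bytes, so a short run of them is skipped first (assumption)."""
    pad = 0
    while pad < min(len(prologue), max_pad) and prologue[pad] in PAD_BYTES:
        pad += 1
    if pad + 5 > len(prologue) or prologue[pad] != JMP_REL32:
        return None
    rel = struct.unpack("<i", prologue[pad + 1:pad + 5])[0]
    target = (func_addr + pad + 5 + rel) & 0xFFFFFFFF   # rel32 is relative to the next instruction
    lo, hi = module_range
    return HookFinding(export, pad, target, not lo <= target < hi)


def scan_exports(exports: Dict[str, Tuple[int, bytes]],
                 module_range: Tuple[int, int]) -> List[HookFinding]:
    """Return only the exports whose first jump leaves the module."""
    findings = []
    for name, (addr, prologue) in exports.items():
        f = find_inline_hook(name, prologue, addr, module_range)
        if f and f.out_of_module:
            findings.append(f)
    return findings


# Constructed sample: a fake 32-bit wininet.dll mapped at 0x76E00000 and a hook
# handler in an injected buffer at 0x10002000 (both addresses are made up).
WININET_RANGE = (0x76E00000, 0x76F00000)
HOOK_ADDR = 0x10002000
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")   # mov edi,edi; push ebp; mov ebp,esp

SAMPLE_EXPORTS = {
    "HttpSendRequestA": (0x76E01000, CLEAN_PROLOGUE),
    "HttpSendRequestW": (0x76E01200, encode_jmp_rel32(0x76E01200, HOOK_ADDR)),
    # padded variant: two NOPs, then the JMP encoded from where it actually sits
    "InternetReadFile": (0x76E01400, b"\x90\x90" + encode_jmp_rel32(0x76E01402, HOOK_ADDR)),
    # an in-module JMP (e.g. a forwarder stub) is decoded but not flagged
    "InternetConnectA": (0x76E01600, encode_jmp_rel32(0x76E01600, 0x76E05000)),
}

if __name__ == "__main__":
    for f in scan_exports(SAMPLE_EXPORTS, WININET_RANGE):
        print(f"{f.export}: E9 after {f.pad} pad byte(s) -> {f.target:#010x} (outside module)")
```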

Reference

injectDll32.dll C546D40D411D0F0BB7A1C9986878F231342CDF8B
rtlbrokerDll.dll 0785D0C5600D9C096B75CC4465BE79D456F60594
testnewinj32Dll.dll D5F98BFF5E33A86B213E05344BD402350FC5F7CD


Read more about Cyber Security

Cybersecurity automation startup Tines scores $4.1M Series A led by Blossom Capital

Tines, a Dublin-based startup that lets companies automate aspects of their cybersecurity, has raised $4.1 million in Series A funding. Leading the round is Blossom Capital, the venture capital firm co-founded by ex-Index Ventures and LocalGlobe VC Ophelia Brown.

Founded in February 2018 by ex-eBay, PayPal and DocuSign security engineer Eoin Hinchy, who was subsequently joined by former eBay and DocuSign colleague Thomas Kinsella, Tines automates many of the repetitive manual tasks faced by security analysts so they can focus on other high-priority work. The pair have bootstrapped the company until now.

“It was while I was at DocuSign that I felt there was a need for a platform like Tines,” explains Hinchy. “We had a team of really talented engineers in charge of incident response and forensics but they weren’t developers. I found they were doing the same tasks over and over again so I began looking for a platform to automate these repetitive tasks and didn’t find anything. Certainly nothing that did what we needed it to, so I came up with the idea to plug this gap in the market.”

To that end, Tines lets companies automate parts of their manual security processes with the help of six software “agents,” with each acting as a multipurpose building block. Therefore, regardless of the process being automated, it only requires combinations of these six agent types configured in different ways to replicate a particular workflow.

“I wanted there to be as few agent types as possible, to simplify the system, and I haven’t discovered a workflow in which tasks sit outside of these agents yet,” says Hinchy. “Once a customer signs up they can start automating their own workflows immediately, and most of our customers see value from day one. If they need a hand, my team works with them to establish how they currently manually carry out tasks, such as identifying and dealing with a phishing attack. Each step of dealing with the attack — from cross-checking the email address with trusted contacts or a blacklist, to scanning attachments for viruses or examining URLs — will be performed by one of the six agent types. This means we can assign these tasks to an agent to create the workflow, or as we call it, the ‘story.’”

So, for example, once a phishing email triggers the first agent, the following steps in the “story” are automatically carried out. In this way, Tines might be described as akin to IFTTT, “but an exceptionally powerful, enterprise version of the IFTTT concept, designed to manage much more complex workflows.”

Competitors are cited as Phantom, which last year was acquired by Splunk, and Demisto, which was bought by Palo Alto Networks. However, Hinchy argues that a key differentiator is that Tines doesn’t rely on pre-built integrations to interact with external systems. Instead, he says the software is able to plug in to any system that has an API.

Meanwhile, Tines says it will use the new funding to hire engineers in Dublin who can help improve the platform through R&D, as well as grow its customer base with companies in the U.S. and in Europe. Notably, the startup plans to expand beyond cybersecurity automation, too.

“Our background is in security, so with Tines, we’ve initially focused on helping security teams automate their repetitive, manual processes,” says Hinchy. “What makes us different is that nowhere does it say we can’t expand beyond this, to help other teams and sectors automate tasks. The advantage of our direct-integration model is that Tines doesn’t care if you’re talking to a security tool, HR system or CRM, it treats them the same. In the next 18 months, we plan to expand Tines outside security, hire more talent and increase the product team from 8 to 20.”

Grafana Labs nabs $24M Series A for open source-based data analytics stack

Grafana Labs, the commercial company built to support the open-source Grafana project, announced a healthy $24 million Series A investment today. Lightspeed Venture Partners led the round with participation from Lead Edge Capital.

Company CEO and co-founder Raj Dutt says the startup started life as a way to offer a commercial layer on top of the open-source Grafana tool, but it has expanded and now supports other projects, including Loki, an open-source monitoring tool not unlike Prometheus, which the company developed last year.

All of this in the service of connecting to data sources and monitoring data. “Grafana has always been about connecting data together no matter where it lives, whether it’s in a proprietary database, on-prem database or cloud database. There are over 42 data sources that Grafana connects together,” Dutt explained.

But the company has expanded far beyond that. As it describes the product set, “Our products have begun to evolve to unify into a single offering: the world’s first composable open-source observability platform for metrics, logs and traces. Centered around Grafana.” This is exactly where other monitoring and logging tools like Elastic, New Relic and Splunk have been heading this year. “Observability” is the term often used to describe these combined capabilities of metrics, logging and tracing.

Grafana Labs is the commercial arm of the open-source projects, and offers a couple of products built on top of these tools. First of all it has Grafana Enterprise, a package that includes enterprise-focused data connectors, enhanced authentication and security and enterprise-class support over and above what the open-source Grafana tool offers.

The company also offers a SaaS version of the Grafana tool stack, which is fully managed and takes away a bunch of the headaches of trying to download raw open-source code, install it, manage it and deal with updates and patches. In the SaaS version, all of that is taken care of for the customer for a monthly fee.

Dutt says the startup took just $4 million in external investment over the first five years, and has been able to build a business with 100 employees and 500 customers. He is particularly proud of the fact that the company is cash flow break-even at this point.

Grafana Labs decided the time was right to take this hefty investment and accelerate the startup’s growth, something they couldn’t really do without a big cash infusion. “We’ve seen this really virtuous cycle going with value creation in the community through these open-source projects that builds mind share, and that can translate into building a sustainable business. So we really want to accelerate that, and that’s the main reason behind the raise.”

Stewart Butterfield says Microsoft sees Slack as existential threat

In a wide ranging interview with The Wall Street Journal’s global technology editor Jason Dean yesterday, Slack CEO and co-founder Stewart Butterfield had some strong words regarding Microsoft, saying the software giant saw his company as an existential threat.

The interview took place at the WSJ Tech Live event. When Butterfield was asked about a chart Microsoft released in July during the Slack quiet period, which showed Microsoft Teams had 13 million daily active users compared to 12 million for Slack, Butterfield appeared taken aback by the chart.

Microsoft Teams chart

Chart: Microsoft

“The bigger point is that’s kind of crazy for Microsoft to do, especially during the quiet period. I had someone say it was unprecedented since the [Steve] Ballmer era. I think it’s more like unprecedented since the Gates’ 98-99 era. I think they feel like we’re an existential threat,” he told Dean.

It’s worth noting that, as Dean pointed out, you could flip that existential threat statement. Microsoft is a much bigger business with a trillion-dollar market cap versus Slack’s $400 million. It also has the benefit of linking Microsoft Teams to Office 365 subscriptions, but Butterfield says the smaller company with the better idea has often won in the past.

For starters, Butterfield noted that of his biggest customers, more than two-thirds are actually using Slack and Office 365 in combination. “When we look at our top 50 biggest customers, 70% of them are not only Office 365 users, but they’re Office 365 users who use the integrations with Slack,” he said.

He went on to say that smaller companies have taken on giants before and won. As examples, he held up Microsoft itself, which in the 1980s was a young upstart taking on established players like IBM. In the late 1990s, Google prevailed as the primary search engine in spite of the fact that Microsoft controlled most of the operating system and browser market at the time. Google then tried to go after Facebook with its social tools, all of which have failed over the years. “And so the lesson we take from that is, often the small startup with real traction with customers has an advantage versus the large incumbent with multiple lines of business,” he said.

When asked by Dean if Microsoft, which ran afoul of the Justice Department in the late 1990s, should be the subject of more regulatory scrutiny for its bundling practices, Butterfield admitted he wasn’t a legal expert, but joked that it was “surprisingly unsportsmanlike conduct.” He added more seriously, “We see things like offering to pay companies to use Teams and that definitely leans on a lot of existing market power. Having said that, we have been asked many times, and maybe it’s something we should have looked at, but we haven’t taken any action.”

Cachet Financial Reeling from MyPayrollHR Fraud

When New York-based cloud payroll provider MyPayrollHR unexpectedly shuttered its doors last month and disappeared with $26 million worth of customer payroll deposits, its payment processor Cachet Financial Services ended up funding the bank accounts of MyPayrollHR client company employees anyway, graciously eating a $26 million loss which it is now suing to recover.

But on Oct. 23 — less than 24 hours before another weekly payroll rush — Pasadena, Calif.-based Cachet threw much of its customer base into disarray when it said its bank was no longer willing to risk another MyPayrollHR debacle, and that customers would need to wire payroll deposits instead of relying on the usual method of automated clearinghouse (ACH) payments (essentially bank-to-bank checks).

Cachet processes some $150 billion in payroll payments annually for more than 110,000 employers. But payroll experts say this week’s actions by Cachet’s bank may well soon put the 22-year-old company out of business.

“We apologize for the inconvenience of this message,” reads the communication from Cachet that went out to customers just after 6:30 PM ET on Oct. 23. It continued:

“Due to ongoing fraud protocol with our bank, they are requiring pre-funding via Direct Wire for all batches that were uploaded this week, unless employees were already paid or tax payments were already transmitted. This includes all batch files moving forward.

All files that were uploaded today for collection and disbursement will not be processed. In order to process disbursement, we will need to receive a wire first thing tomorrow in order to release the disbursements.

All collections that were processed prior to today will be reviewed by the bank and disbursements will be released once the funds are cleared. Credit trans

Deadline for wires is 1 P.M. PST.

This will be the process until further notice. If you need a backup processor, please contact us.

If you require wire instructions, please respond to this email and they will be sent to you.

We welcome and anticipate your phone calls and inquiries. We remain committed to our clients and are determined to see this through. We appreciate and thank you for your patience and understanding.”

In a follow-up communication sent Thursday evening, Cachet said all debit transactions with a settlement date of Oct. 23 had been processed, but that any transactions uploaded after Oct. 23 were not being processed at all, and that wires are no longer being accepted.

“If they aren’t taking money, they’re out of business,” Friedl said of Cachet.

Cachet’s financial institution, Wilmington, Del.-based The Bancorp Bank (NASDAQ: TBBK), did not respond to requests for comment.

Cachet also did not respond to requests for comment. But in an email Thursday evening, the company sought to offer customers a range of alternatives — including other providers — to help process payrolls this week.

Steve Friedl, an IT consultant in the payroll service bureau industry, said the Cachet announcement has sent payroll providers scrambling to cut and mail or courier paper checks to client employees.  But he said many payroll providers also use Cachet to process tax withholdings for client employees, and that this, too, could be disrupted by the funding changes.

“There’s a lot of same day stuff that goes on in the payroll industry that depends on people being honest and having money available at certain times,” Friedl said. “When that’s not possible because a bank in that process says it doesn’t want to be stuck in the middle that can create problems for a lot of people who are then stuck in the middle.”

Another payroll expert at a company that uses Cachet but who asked not to be named said, “everyone I know at payroll providers is scrambling to get it done another way this week” as a result of the decision by Cachet’s bank.

“Those bureaus will do whatever they can to keep their clients happy because something like this can quickly put them out of business,” the source said. “Unlike what happened with MyPayrollHR — which harmed consumers directly — the payment service bureaus are the ones potentially getting hurt here.”

Most corporate payroll is handled through ACH transactions, a system that allows financial institutions to push and pull funds to and from checking accounts between banks. ACH is essentially the same thing as writing a check for a good or service, and it typically involves an element of trust because there is a time delay (24-48h) between which the promised funds are released to the receiving bank and the funds are made available to the recipient.

In contrast, a wire transfer takes minutes and the funds are made available to the recipient almost immediately. Wires are also far more expensive for customers, and they earn banks hugely profitable processing fees, whereas ACH transaction fees are minuscule by comparison.

Ultimately, banks may decide that for certain clients they no longer wish to assume the risk of fraudsters exploiting the float period for ACH transactions to steal tens of millions of dollars, as was the case in the MyPayrollHR fiasco.

It’s worth noting that the MyPayrollHR fraud wasn’t the first time Cachet has been tripped up by the demise of a payroll company: In 2016, the collapse of Monterey, Calif.-based payroll processor Pinnacle Workforce Solutions left Cachet holding the bag for more than $1 million. Cachet sued to recover the money stuck in Pinnacle’s frozen accounts. From the Monterey County Weekly:

“Cachet’s lawyers also outline possible nefarious action by Pinnacle. ACH companies act as middlemen for processing payroll and other large transactions. Every pay period, Pinnacle would send Cachet a coded file to tell the ACH how to distribute funds. But, on Sept. 21 [2016] Pinnacle had manipulated the code sent to Cachet so the money collected from its clients went directly to Pinnacle instead of being held in the ACH account before being distributed to its clients’ employees, the suit alleges.”

It will be interesting to see how long the fallout from the MyPayrollHR episode will last and how many other firms may get wiped out because of it. Shortly after MyPayrollHR closed its doors last month and disappeared with $35 million in payroll and tax payments, the company’s 49-year-old CEO Michael Mann was arrested and charged with bank fraud.

The government alleges Mann was kiting millions of dollars in checks between his accounts at Bank of America and Pioneer from Aug. 1, 2019 to Aug. 30, 2019. The Times Union reports that Mann and his company are now being sued by Pioneer Bank and a large insurance company over a $42 million loan it gave to Mann and his companies just a month before his payroll business closed up shop.