The Quest for Visibility & Hunting Comes with an Unseen Opportunity Cost

There is so much emphasis in the cybersecurity market on after-the-fact visibility into what bad things just happened. So much energy, time, money, strategy and dialogue about it. The trouble is, it comes at a cost. For every moment we spend reacting, tracking down root cause, examining forensics, staring at dashboards, offsetting risk, running playbooks and all the rest, we lose a moment in which we could get ahead.

Some argue that prevention has failed us, and hence, we should retreat into reactive after-the-fact strategy and tooling. How many times must the bells of resilience and acceptable risk ring in our ears? Those concepts serve the business, and they are needed for us to message internally to other C-suite, directors, investors and customers alike. But these are not the concepts that should form the premise of our security strategy as CISOs and SECOPs.

Do we not realize the starkest of outcomes? Even if we were able to have perfect visibility, perfect forensics, perfect root cause analysis, perfect cyber insurance, perfect human expertise and perfect cloud-based intelligence, we still would not have solved the one thing that will always overwhelm and outpace those controls.

Visibility After The Fact Means We Lost

Here we all are…on our heels, drowning in alert data, analysis paralysis, and burnout of even the greatest minds we have in our industry.

Here we are as an industry that continues to pour money and investments, time and strategy, into a massive security stack that strains SECOPs to the brink. We are digging ourselves into a hole that we may not be able to dig ourselves back out of if we don’t rapidly shift strategic focus.

Here we are thinking that hunting for threats already running in the environment is somehow proactive, empowering or, worse, sexy.

If you are hunting around in an after-the-fact universe of events, you are not the Hunter… you are, by definition, the Prey.

Here we are, still chatting about breaches… because those are easy to tally the per-unit impact for, and subsequently offset via insurance. A 2013 story that we are still wrapping our heads around… as if tomorrow's breaches will be the same low-and-slow TTPs we fancy we might hunt for and get ahead of… by days? Weeks? Hours, even?

Why would tomorrow's breach need to take any longer than today's destructive worms?

Why would the same threat actors not employ both data theft and destruction into the same campaign? Oh wait, they already have been for the better part of 2019…

The Cloud Is No Place for Threat Hunting

Here we are, caught up in the Herculean move to the cloud. Yet are we stopping to assess some of the most fundamentally basic weaknesses it will always have? For all of its virtues, the cloud will always add latency when it comes to addressing run-time threats on traditional IT endpoints. Even the workloads we are moving to the cloud still have run-time security challenges that can outpace a cloud-to-cloud connection.

The cloud will always be a tethered affair. The cloud will always be on someone else's steel, upon which there may be up to a hundred guest operating systems, half of them Linux, a large percentage of which have full access to the bus the OS is forced to entrust. The cloud will never be where your users are… the humans you are striving to protect. The cloud is homogeneously strong, and yet homogeneously weak. (See the latest OnApp discovery made by SkyLight!) Most importantly, the cloud is a temptation… a temptation to build out intelligence platforms. And while it will always excel in this capacity, it can never guarantee that the intelligence needed to make decisions and take actions faster than an adversary will be computed and delivered in time to actually make a difference in stopping today's automated threats.

The key challenge for all security going forward can be reduced to this: can you make a high-enough confidence decision, or allow a high-enough confidence automated action, fast enough to matter, and without reliance upon a tether to the cloud?

By the year 2021, over 95% of all new vehicles will have autonomous automatic braking. Ask why this is so. Of course, the answer is because machines react faster than humans, never lose attention, never get tired. Now consider whether you would buy a car where this life-saving technology was being farmed out to a cloud server rather than being done locally on the machine. The point is we use the cloud where it makes sense to do so, and not where it doesn’t.

Why would anyone think it makes sense to try and beat malware anywhere else but on the machine right where the malware is located? The cloud has an underbelly exposed to many swords, chief among them the time penalty itself.

We Win On the Device

As this industry heads into 2020, let's make sure we are lucid in this one critical regard.

We know that attacks have entropy… that they devolve into a fog of war, that they expand, that they cause exponential impact to an organization as every minute, every moment, goes by. 

And yet here we still are, heading into the year 2020, and we still haven't solved the single most important challenge of our era: the process-level, microsecond runtime universe in which the adversary has always had the upper hand. They've been ahead of us there, and they've enjoyed it for far too long. The moment an unauthorized process completes tasks in memory is the moment we lose security control and are on our heels. Never mind zero-days; call this moment zero, after which the pain begins.

What exacerbates this even further is that this type of fast-moving threat is now found in both nation-state APT campaigns and commodity criminal/underground campaigns, making the sheer volume and diversity of the "speed" problem more profound than ever.

An Emotet-weaponized Word document is clicked and, in under three minutes, over 230 file events happen, 12 network connections to 9 malicious hosts are made, 46 new malicious processes spin up and 12 files are manipulated. And that is just on the patient-zero host, before the same thing begins to play out host after host across the network, and before any secondary payloads or actions by a human attacker commence. This is a code-on-code battle fought in the time domain of seconds and microseconds. And yet breach reports like the 2019 IBM Cost of a Data Breach Report tell us that the average time to identify a breach is 279 DAYS, a far cry from the 171 seconds (22s for Emotet and 149s for its payload) it takes Emotet to cause severe impact. The same report offers hope, reminding us that you can save $1.2M on average if you simply contain the breach in under 200 days. Great… it will only cost you $2.7M at that point!
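As an added example (not from the original post; the telemetry is constructed, not real Emotet data), the following Python shows the kind of on-host decision this timing argues for: a process-tree rule that fires when an Office application has a scripting host anywhere beneath it, and that measures, from the same events, how many seconds passed between the document opening and the chain's first outbound connection. Image names, PIDs and addresses are invented, and the window and process lists are assumptions to tune.

```python
"""Office-to-script-host process-chain detection over endpoint telemetry.

Added example with constructed data; not code from the original post."""
from collections import defaultdict, deque

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed telemetry (invented PIDs, names and addresses; ts = seconds since the
# sensor started). A maldoc chain WINWORD -> cmd -> powershell -> dropped exe sits
# beside a benign OUTLOOK -> chrome chain that must not alert.
EVENTS = [
    {"ts": 0.0,  "type": "process", "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"ts": 1.0,  "type": "process", "pid": 200, "ppid": 100, "image": "WINWORD.EXE"},
    {"ts": 8.5,  "type": "process", "pid": 300, "ppid": 200, "image": "cmd.exe"},
    {"ts": 9.0,  "type": "process", "pid": 400, "ppid": 300, "image": "powershell.exe"},
    {"ts": 14.2, "type": "network", "pid": 400, "dest": "203.0.113.10:8080"},
    {"ts": 16.0, "type": "file",    "pid": 400, "path": "C:\\Users\\u\\AppData\\Local\\Temp\\123.exe"},
    {"ts": 22.0, "type": "process", "pid": 500, "ppid": 400, "image": "123.exe"},
    {"ts": 23.0, "type": "network", "pid": 500, "dest": "198.51.100.7:443"},
    {"ts": 30.0, "type": "process", "pid": 600, "ppid": 100, "image": "OUTLOOK.EXE"},
    {"ts": 31.0, "type": "process", "pid": 700, "ppid": 600, "image": "chrome.exe"},
    {"ts": 32.0, "type": "network", "pid": 700, "dest": "192.0.2.5:443"},
]


def build_process_tree(events):
    """Map pid -> image name, pid -> start time and ppid -> [child pids]."""
    image, start, children = {}, {}, defaultdict(list)
    for e in events:
        if e["type"] == "process":
            image[e["pid"]] = e["image"].lower()
            start[e["pid"]] = e["ts"]
            children[e["ppid"]].append(e["pid"])
    return image, start, children


def descendants(pid, children):
    """Every pid below pid, breadth first, in creation order."""
    out, queue = [], deque(children.get(pid, []))
    while queue:
        p = queue.popleft()
        out.append(p)
        queue.extend(children.get(p, []))
    return out


def detect_office_chains(events, window_s=180.0):
    """Alert on each Office process that has a scripting host beneath it within
    window_s seconds, and report how quickly the chain reached the network."""
    image, start, children = build_process_tree(events)
    alerts = []
    for pid, img in sorted(image.items()):
        if img not in OFFICE_APPS:
            continue
        subtree = [c for c in descendants(pid, children) if start[c] - start[pid] <= window_s]
        hosts = [c for c in subtree if image[c] in SCRIPT_HOSTS]
        if not hosts:
            continue                      # Office spawning e.g. a browser is normal
        members = set(subtree)
        net = sorted(e["ts"] for e in events if e["type"] == "network" and e["pid"] in members)
        files = [e for e in events if e["type"] == "file" and e["pid"] in members]
        alerts.append({
            "root": img,
            "chain": [img] + [image[c] for c in subtree],
            "seconds_to_script_host": round(min(start[c] for c in hosts) - start[pid], 1),
            "seconds_to_first_network": round(net[0] - start[pid], 1) if net else None,
            "network_connections": len(net),
            "files_written": len(files),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_office_chains(EVENTS):
        print(alert)
```

On the constructed events the rule fires once, for the WINWORD chain, and reports 7.5 seconds to the first script host and 13.2 seconds to the first outbound connection; the OUTLOOK chain stays silent because a browser is not a scripting host. The decision needs nothing beyond the host's own event stream, which is the point the paragraph makes about the time domain.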

All of this is orthogonal to the core challenge at hand: We need to get ahead of threats whether we are talking about ransomware or worm incidents that cost us $75B/year, or we are talking about after-the-fact breaches that cost us another $16B/year, or both. 

Let’s Remember This

The age of the slow-moving breach story has come and gone. Now, we must shift our strategies towards the current and future threat landscape, and realize that every minute we spend tooling for the after-the-fact past, is a minute lost in getting ahead of the adversary in ways that actually move the needle. In our quest to become merely “resilient”, we’ve exhausted the traditional means of risk offset, hindsight due-diligence and after-the-fact busy-ness. We are all collectively at the ultimate precipice, and it is time to leap off, and do so out of sheer necessity…because we cannot look forward and prepare, if we are constantly steeped in the past.



Salesforce Ventures invested $300M in Automattic while Salesforce was building a CMS

In September, Salesforce Ventures, the venture arm of Salesforce, announced a hefty $300 million investment in Automattic, the company behind WordPress, the ubiquitous content management system (CMS). At the same time, the company was putting the finishing touches on Salesforce CMS, an in-house project it released last week.

The question is, why did it choose to do both?

One reason could be that WordPress isn’t just well-liked; it’s also the world’s most popular content management system, running 34 percent of the world’s 10 billion websites — including this one — according to the company. With Automattic valued at $3 billion, that gives Salesforce Ventures a 10 percent stake.

Given the substantial investment, you wouldn’t have been irrational to at least consider the idea that Salesforce may have had its eye on this company as an acquisition target. In fact, at the time of the funding, Automattic CEO Matt Mullenweg told TechCrunch’s Romain Dillet that there could be some partnerships and integrations with Salesforce in the future.

Now we have a Salesforce CMS, and a potential partnership with one of the world’s largest web content management (WCM) tools, and it’s possible that the two aren’t necessarily mutually exclusive.

Retailer Orvis.com Leaked Hundreds of Internal Passwords on Pastebin

Orvis, a Vermont-based retailer that specializes in high-end fly fishing equipment and other sporting goods, leaked hundreds of internal passwords on Pastebin.com for several weeks last month, exposing credentials the company used to manage everything from firewalls and routers to administrator accounts and database servers, KrebsOnSecurity has learned. Orvis says the exposure was inadvertent, and that many of the credentials were already expired.

Based in Sunderland, VT, and founded in 1856, privately-held Orvis is the oldest mail-order retailer in the United States. The company has approximately 1,700 employees, 69 retail stores and 10 outlets in the US, and 18 retail stores in the UK.

In late October, this author received a tip from Wisconsin-based security firm Hold Security that a file containing a staggering number of internal usernames and passwords for Orvis had been posted to Pastebin.

Reached for comment about the source of the document, Orvis spokesperson Tucker Kimball said it was only available for a day before the company had it removed from Pastebin.

“The file contains old credentials, so many of the devices associated with the credentials are decommissioned and we took steps to address the remaining ones,” Kimball said. “We are leveraging our existing security tools to conduct an investigation to determine how this occurred.”

However, according to Hold Security founder Alex Holden, this enormous passwords file was actually posted to Pastebin on two separate occasions last month, the first being on Oct. 4, and the second Oct. 22. That finding was corroborated by 4iq.com, a company that aggregates information from leaked databases online.

Orvis did not respond to follow-up requests for comment via phone and email; the last two email messages sent by KrebsOnSecurity to Orvis were returned simply as “blocked.”

It’s not unusual for employees or contractors to post bits of sensitive data to public sites like Pastebin and Github, but the credentials file apparently published by someone working at or for Orvis is by far the most extreme example I’ve ever witnessed.

For instance, included in the Pastebin files from Orvis were plaintext usernames and passwords for just about every kind of online service or security product the company has used, including:

-Antivirus engines
-Data backup services
-Multiple firewall products
-Linux servers
-Cisco routers
-Netflow data
-Call recording services
-DNS controls
-Orvis wireless networks (public and private)
-Employee wireless phone services
-Oracle database servers
-Microsoft 365 services
-Microsoft Active Directory accounts and passwords
-Battery backup systems
-Security cameras
-Encryption certificates
-Mobile payment services
-Door and Alarm Codes
-FTP credentials
-Apple ID credentials
-Door controllers

By all accounts, this was a comprehensive goof: The Orvis credentials file even contained the combination to a locked safe in the company's server room.

The only clue about the source of the Orvis password file is a notation at the top of the document that reads “VT Technical Services.”

Holden said this particular exposure also highlights the issue with third parties, as the issue most likely originated not from Orvis staff itself.

“This is a continuously growing trend of exposures created not by the victims but by those that they consider to be trusted partners,” Holden said.

It’s fairly remarkable that a company can spend millions on all the security technology under the sun and have all of it potentially undermined by one ill-advised post to Pastebin, but that is certainly the reality we live in today.

Long gone are the days when one could post something for a few hours to a public document hosting service and expect nobody to notice. Today there are a number of third-party services that regularly index and preserve such postings, regardless of how ephemeral those posts may be.

“Pastebin and other similar repositories are constantly being monitored and any data put out there will be preserved no matter how brief the posting is,” Holden said. “In the current threat landscape, we see data exposures nearly as often as we see data breaches. These exposures vary in scope and impact, and this particular one is as bad as they come without specific data exposures.”

If you're responsible for securing your organization's environment, it would be an excellent idea to create some tools to monitor for your domains and brands at Pastebin, GitHub and other sites where employees sometimes publish sensitive corporate data, inadvertently or otherwise. There are many ways to do this; here's one example.
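As an added example (not from the original article, and using a constructed paste with a fictitious brand), this Python triages a paste the way such a monitor would once it has fetched the text: it flags lines that look like credential material, matches brand terms, redacts secret values so the alert itself does not re-leak them into a ticket or chat channel, and escalates only when both a brand match and a credential finding are present. The patterns and brand terms are assumptions to be tuned for your own environment.

```python
"""Triage a public paste for leaked credentials tied to your brand.

Added example with constructed input; not code from the original article."""
import re

SECRET_WORDS = r"(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key|psk)"

# Patterns that mark a line as credential material rather than a plain mention.
# Order matters: the first matching kind is reported for a line.
CREDENTIAL_PATTERNS = {
    "key_value_secret":     re.compile(r"\b" + SECRET_WORDS + r"\s*[:=]\s*\S+", re.I),
    "url_with_password":    re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@/]+@", re.I),
    "private_key_block":    re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "physical_access_code": re.compile(r"\b(?:safe|door|alarm|gate)\b[^:=\n]{0,30}[:=]\s*[\d#*-]+", re.I),
}

# Redaction: the alert must never carry the secret itself.
_KV_VALUE = re.compile(r"(\b" + SECRET_WORDS + r"\s*[:=]\s*)\S+", re.I)
_URL_PASS = re.compile(r"(://[^\s:/@]+:)[^\s@/]+@")


def redact(line):
    """Replace secret values (key=value and user:pass@ forms) with a marker."""
    line = _KV_VALUE.sub(r"\1<redacted>", line)
    return _URL_PASS.sub(r"\1<redacted>@", line)


def triage_paste(text, brand_terms):
    """Return the brand-matching line numbers, redacted credential findings and
    whether the paste should be escalated (brand match AND credential material)."""
    terms = [t.lower() for t in brand_terms]
    brand_lines, findings = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if any(t in line.lower() for t in terms):
            brand_lines.append(no)
        for kind, pat in CREDENTIAL_PATTERNS.items():
            if pat.search(line):
                findings.append({"line": no, "kind": kind, "text": redact(line)})
                break
    return {"brand_lines": brand_lines, "findings": findings,
            "escalate": bool(brand_lines) and bool(findings)}


# Constructed paste for a fictitious retailer; every value here is invented.
BRAND_TERMS = ["example-retail.com", "Example Technical Services"]
PASTE = """\
Example Technical Services - infra notes
fw-core01.corp.example-retail.com admin password=S3cr3t!2019
cisco rtr-02 enable secret: c1sc0pass
backup ftp://svc_backup:B4ckup@backup.example-retail.com/
Guest WiFi SSID: Example-Guest  PSK: welcome123
Server room safe: 12-34-56
Lunch menu: pasta on Fridays
"""

if __name__ == "__main__":
    result = triage_paste(PASTE, BRAND_TERMS)
    print("escalate:", result["escalate"], "brand lines:", result["brand_lines"])
    for f in result["findings"]:
        print(f["line"], f["kind"], f["text"])
```

On the sample, five of the seven lines are flagged (the lunch menu and the header are not), the brand appears on three lines, and none of the reported text contains the original secret values. In production the same function sits behind whatever fetches new pastes for you; keeping the fetch and the triage separate lets you unit-test the patterns offline as done here.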

Have you built such monitoring tools for your organization or employer? If so, please feel free to sound off about your approach in the comments below.

The Good, the Bad and the Ugly in Cybersecurity – Week 45


The Good

This week, Google announced The App Defense Alliance. The new venture is a joint effort coordinated with ESET, Lookout and Zimperium.

The overall goal is to ensure ongoing ‘safety’ of the official Google Play store, primarily finding and removing malicious apps from the marketplace. Potentially harmful applications and mobile malware have been a constant issue given the open nature of the Android marketplace, official or otherwise. This alliance hopes to curtail that by screening apps prior to their going ‘live’ on the Play store. App Defense Alliance partners can request that specific apps be analyzed, with subsequent results sent back to the requestor enriched with scan data and any intelligence gleaned from the analysis. Process-wise, the Google Play detection systems will be fully integrated with each partner’s scanning technology, allowing for a robust and multifaceted view of the app’s potential risk. A secure communication channel between Google and partners is also key to this effort. This allows for critical and expert-level vetting of code, above and beyond what occurs now. Naturally, this also generates more useful data around what is ‘good’ and what is ‘bad’. In the longer-term, this would benefit the entire ecosystem and enhance intelligence and reputation data around malicious behaviors and actors, including repeat offenders in the mobile space.


The Bad

This week brought another round of ransomware attacks, targeting a variety of critical entities. We had multiple attacks make the news across Spain (Everis, Cadena SER) as well as the Lincoln County School District in Mississippi. Initial reports of the attack emerged on Monday morning. According to a statement from Lincoln County School District superintendent Mickey Myers:

“The district computer systems have been encrypted by a ransomware virus. This cyber-attack has adversely affected multiple systems in our network. We are investigating the incident with numerous agencies and will provide more information as soon as possible”.

According to current reports, the attack affected multiple sites, specifically affecting all internet-based communications across the district and a majority of the telecom systems. The district was quick to coordinate with local authorities as well as the FBI. As of this writing, there has not been confirmation on which specific family of ransomware was used in this attack. That being said, all cautions and standard caveats apply…Be prepared. Have tested and proven Backup, BCP, and DRP strategies in place. Better still, deploy a trusted security solution that beats ransomware attacks. 

The Ugly

All organizations should be hyper-aware by now that insider activity is one of any environment's largest threats, whether the action is accidental or intentionally malicious. Now imagine an intentional bad actor with access to all of your company's customer support data. That alone is a treasure. Add the fact that said bad actor also works for a well-known security company and you have the "perfect storm": all the ingredients required for a modern "tech support" scam, backed by accurate personal data that the scammers can use to their advantage.


This week it was reported that a Trend Micro employee had been siphoning customer support data and selling it to a "malicious third party". That third party was a phone-based technical support scam operation that used data from approximately 68,000 Trend Micro customers. The scammers used this data to "inform" the process of calling victims and attempting to extract personal and financial data from them. Phone-based support scams are not new, but this is a fresh reminder that even if the voice on the other end of the phone has accurate data and valid info on your purchase of a specific product or service, they may still be adversarial.

The incident reportedly surfaced in August of 2019, with Trend Micro reaching a conclusion on the insider threat in October. Trend Micro released a statement on their blog highlighting the most important way to protect yourself from these types of scams: “TREND MICRO DOES NOT CALL CONSUMERS UNSOLICITED”.

The same holds true for your bank, the government/IRS, and other entities that are often tied to these scams and social engineering attempts. You can never be too careful.



Microsoft Teams gets Yammer integration, secure private channels and more

You’re forgiven if you thought Yammer — Microsoft’s proto-Slack, not quite real-time chat application — was dead. It’s actually still alive (and well) — and still serves a purpose as a slower-moving social network-like channel for company and team-wide announcements. Today, Microsoft announced that, among other updates, it will offer a Yammer integration in Teams, its Slack competitor. Yammer in Teams will live in the left-hand sidebar.

With this, Microsoft’s two main enterprise communications platforms are finally growing together and will give users the option to use Teams for fast-moving chats and Yammer as their enterprise social network in the same way Facebook messenger and its news feed complement each other.


Oh, and Yammer itself has been redesigned, too, using Microsoft’s Fluent Design System across all platforms. And Microsoft is also building it into Outlook, too, to let you respond to messages right from your inbox. This new Yammer will roll out as a private preview in December.

With this update, Teams is getting a number of other new features, too. These include secure private channels, multi-window chats and meetings, pinned channels and task integration with Microsoft To Do and Planner (because having one to-do app is never enough). Microsoft is also making a number of enhancements to Teams Rooms, with upcoming support for Cisco WebEx and Zoom meetings, the Teams Phone System, which is getting emergency calling, and the IT management features that help admins keep Teams secure.

A Teams client for Linux is also in the works and will be available in public preview later this year.

Alpaca nabs $6M for stocks API so anyone can build a Robinhood

Stock trading app Robinhood is valued at $7.6 billion, but it only operates in the U.S. Freshly funded fintech startup Alpaca does the dirty work so developers worldwide can launch their own competitors to that investing unicorn. Like the Stripe of stocks, Alpaca’s API handles the banking, security and regulatory complexity, allowing other startups to quickly build brokerage apps on top for free. It has already crossed $1 billion in transactions within a year of launch.

The potential to power the backend of a new generation of fintech apps has attracted a $6 million Series A round for Alpaca led by Spark Capital. Instead of charging developers, Alpaca earns its money through payment for order flow, interest on cash deposits and margin lending, much like Robinhood.

“I want to make sure that people even outside the U.S. have access” to a way of building wealth that’s historically only “available to rich people” Alpaca co-founder and CEO Yoshi Yokokawa tells me.


Hailing from Japan, Yokokawa followed his friends into the investment banking industry, where he worked at Lehman Brothers until its collapse. After his grandmother got sick, he moved into day-trading for three years and realized “all the broker dealer business tools were pretty bad.” But when he heard of Robinhood in 2013 and saw it actually catering to users’ needs, he thought, “I need to be involved in this new transformation” of fintech.

Yokokawa ended up first building a business selling deep learning AI to banks and trading firms in the foreign exchange market. Watching clients struggle to quickly integrate new technology revealed the lack of available developer tools. By 2017, he was pivoting the business and applying for FINRA approval. Alpaca launched in late 2018, letting developers paste in code to let their users buy and sell securities.

Now international developers and small hedge funds are building atop the Alpaca API so they don’t have to reinvent the underlying infrastructure themselves right away. Alpaca works with clearing broker NTC, and then marks up margin trading while earning interest and payment for order flow. It also offers products like AlpacaForecast, with short-term predictions of stock prices, AlpacaRadar for detecting price swings and its MarketStore financial database server.


The $6 million from Spark Capital, Social Leverage, Portag3, Fathom Capital and Zillionize adds to $5.8 million in previous funding from investors, including Y Combinator. The startup plans to spend the cash on hiring to handle partnerships with bigger businesses, supporting its developer community and ensuring compliance.

One major question is whether fintech businesses that start to grow atop Alpaca and drive its revenues will try to declare independence and later invest in their own technology stack. There’s the additional risk of a security breach that might scare away clients.

Alpaca’s top competitor, Interactive Brokers, offers trading APIs, but other services as well that distract it from fostering a robust developer community, Yokokawa tells me. Alpaca focuses on providing great documentation, open-source contribution and SDKs in different languages that make it more developer-friendly. It will also have to watch out for other fintech services startups like DriveWealth and well-funded Galileo.

There’s a big opportunity to capitalize on the race to integrate stock trading into other finance apps to drive stickiness because it’s a consistent, voluntary behavior rather than a chore or something only done a few times a year. Lender SoFi and point-of-sale system Square both recently became broker dealers as well, and Yokokawa predicts more and more apps will push into the space.

Why would we need so many stock trading apps? “Every single person is involved with money, so the market is huge. Instead of one-player takes all, there will be different players that can all do well,” Yokokawa tells me. “Like banks and investment banks co-exist, it will never be that Bank of America takes 80% of the pie. I think differentiation will be on customer acquisition, and operations management efficiency.”

The co-founder’s biggest concern is keeping up with all the new opportunities in financial services, from cash management and cryptocurrency that Robinhood already deals in, to security token offerings and fractional investing. Yokokawa says, “I need to make sure I’m on top of everything and that we’re executing with the right timing so we don’t lose.”

The CEO hopes that Alpaca will one day power broader access to the U.S. stock market back in Japan, noting that if a modern nation still lags behind in fintech, the rest of the world surely fares even worse. “I want to connect this asset class to as many people as possible on the earth.”

Here We GO: Crimeware & APT Journey From “RobbinHood” to APT28


The Zero2Hero course continues with Vitali Kremez exploring Golang malware through a comparison of RobbinHood ransomware and Zebrocy loader samples.


We continue to observe both crimeware and advanced persistent threat (APT) malware variants, found in the wild and in active targeted campaigns, that are compiled in less traditional languages such as Golang (Go) and Delphi.

The goal of this lesson is to investigate and obtain necessary malware analysis and valuable intelligence from two specific Golang compiled binaries that we increasingly see leveraged by various adversaries.

Compiled executables in both of these languages are, to an extent, a kind of "kryptonite" to malware analysts. Historically, malware analysis and reverse engineering practitioners have focused mainly on C-compiled malware; therefore, the majority of custom and commercial malware analysis tools have been built to assist with such C-compiled binaries.

Golang executable malware introduces some challenges for the traditional anti-virus detection model, which has mainly focused on C-programmed malware; such engines tend to have lower static detection rates for samples written in Go. As an additional benefit to attackers, Go binaries are fast, self-contained (the runtime and all dependencies are statically linked in, which is why the samples below are several megabytes) and easy to write, thanks to Go's concurrency features and garbage collection.

Such features allow malware operators to achieve the desired state of "fully undetectable" (FUD). On the cybercrime underground, FUD malware means the developer can market and sell their wares more effectively; they make more profit when they can demonstrate that their samples really are FUD.


In addition, various nation-state APT actors have also begun adopting Go for their payloads. This has been seen, for example, with the Russian state-sponsored group known variously as APT28, Sofacy, Fancy Bear, STRONTIUM, Pawn Storm and Sednit. Such changes in threat actor methodology require that we examine the internals of Go binaries closely in order to derive both better malware analysis and greater intelligence value.

Introduction to Golang Journey

Initially developed at Google, Golang is an open source programming language with extensive community support. It might be thought of as a mix of Python-like ease of use and syntactic "sugar" with a dose of lower-level, C++-like compiled features. The standout feature of the language is concurrency via its "goroutines".

When analyzed, some of the quirks of compiled Go executables include a more complicated control flow graph (CFG) and the garbage collector and runtime that are linked into every binary.

The positive side for analysts is that Go binaries include a plethora of metadata and compilation artifacts. These can often be used to derive additional intelligence about the build environment, such as the original source paths.

Golang Binaries: From RobbinHood Ransomware to APT28 Zebrocy

For the purpose of reviewing Golang binaries, we will focus on two prominent Golang malware variants:

  1. Crimeware: RobbinHood Ransomware
  2. APT: APT28 Zebrocy loader

Both of these binaries were linked to major outbreaks that made media headlines. RobbinHood ransomware is widely known for holding the City of Greenville hostage and, more recently, for disrupting major local government operations in the City of Baltimore. The APT28 Zebrocy loader is a malware tool widely deployed by the group, which is attributed to Russian intelligence services, against government and political entities, and is used to deliver whatever second-stage malware the operators choose.

Golang Malware Executables Share Common Features

  1. The RobbinHood ransomware is a Golang executable consisting of 2.8 MB (2855424 bytes) with 2754 functions.
  2. The APT28 Zebrocy loader is a Golang executable consisting of 4.5 MB (4508672 bytes) with 5459 functions.

We assess the similarities and differences of the two using the popular Diaphora binary-diffing IDA plugin and CFF Explorer.

The Diaphora plugin showed the following results between the two Golang binaries:


  • Best Matches: 1158 functions
  • Partial Matches: 1091 functions
  • Unreliable Matches: 109 functions
  • Unmatched in RobbinHood Ransomware: 396 functions
  • Unmatched in APT28 Loader: 3077 functions

The matched and unmatched counts add back up to each binary's function count (1158 + 1091 + 109 + 396 = 2754 for RobbinHood), which is a useful sanity check on any diff. Diaphora pairs functions by identical function hash, bytes hash, equal assembly and similar heuristics; most of what these two unrelated samples share is the statically linked Go runtime and standard library that every Go binary carries, so a high match count between Go samples does not by itself indicate a common author.

Another similarity between the two Go samples is their section layout:


  • .rdata
  • .text
  • .idata
  • .symtab 

Both Go binaries also share the exact same import table, referencing just three Windows DLLs. Such a sparse import table is typical of Go on Windows: the runtime imports a handful of functions statically and resolves the rest at run time through LoadLibrary/GetProcAddress, so the import table says little about what the malware can actually do, and the recovered function names are far more informative:

  • winmm.dll
  • ws2_32.dll
  • kernel32.dll


Main Functions of Golang Malware

Using the IDA Golang Helper plugin, we parse the Go binaries and attempt to rename their functions. Then, based on the detected Go version, the plugin adds the standard Go types and parses the type information referenced from the module data.

We make various attempts to parse the Go section called "gopclntab". In Go 1.2 through 1.15 binaries it begins with the magic value 0xFFFFFFFB (stored little-endian as the bytes FB FF FF FF) followed by two zero bytes, the minimum instruction size and the pointer size; after this header come the function count and a table of (entry address, offset) pairs, through which the names of the functions can be resolved. Later Go releases changed the magic value and the header layout, so a parser has to check the version before trusting the offsets.
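To make that layout concrete, here is an added stand-alone parser for the Go 1.2 to 1.15 pclntab, written for this page rather than taken from the course or the IDA Golang Helper plugin. It validates the header, walks the function table and resolves each function's name through the per-function structure; find_pclntab performs the signature scan a loader does over a dumped section, and build_pclntab constructs a synthetic table (test input, not bytes from either sample) so the whole thing runs without a binary. The pointer-size and instruction-quantum checks used to reject false positives are assumptions, and the builder zeroes every per-function field the parser does not read.

```python
"""Parser for the Go 1.2-1.15 'gopclntab' layout.

Added example; not code from the course or the IDA Golang Helper plugin."""
import struct

PCLNTAB_MAGIC_GO12 = 0xFFFFFFFB   # Go 1.2 .. 1.15; later releases changed magic and header


def find_pclntab(blob):
    """Offset of the first plausible pclntab header in blob (e.g. a dumped .rdata
    section), or None. Little-endian magic, two zero pad bytes, then a sane
    instruction quantum (1/2/4) and pointer size (4/8); the last two are
    assumptions used to skip chance matches."""
    needle = struct.pack("<I", PCLNTAB_MAGIC_GO12) + b"\x00\x00"   # FB FF FF FF 00 00
    pos = blob.find(needle)
    while pos != -1:
        if pos + 8 <= len(blob) and blob[pos + 6] in (1, 2, 4) and blob[pos + 7] in (4, 8):
            return pos
        pos = blob.find(needle, pos + 1)
    return None


def parse_pclntab(tab):
    """Return [(entry_pc, name), ...] for every function. tab must begin at the
    magic; every offset inside the table is relative to that start."""
    magic, pad1, pad2, _min_lc, ptr_size = struct.unpack_from("<IBBBB", tab, 0)
    if magic != PCLNTAB_MAGIC_GO12 or pad1 or pad2 or ptr_size not in (4, 8):
        raise ValueError("not a Go 1.2-1.15 pclntab header")
    ptr = "<Q" if ptr_size == 8 else "<I"
    pair = "<2Q" if ptr_size == 8 else "<2I"
    nfunc = struct.unpack_from(ptr, tab, 8)[0]
    functab = 8 + ptr_size            # nfunc pairs of (entry pc, funcoff), then the end pc
    funcs, prev_pc = [], -1
    for i in range(nfunc):
        pc, funcoff = struct.unpack_from(pair, tab, functab + i * 2 * ptr_size)
        if pc <= prev_pc:
            raise ValueError("functab not sorted by pc: corrupt or truncated table")
        prev_pc = pc
        # The _func struct starts with entry (uintptr) and nameoff (int32, table-relative).
        entry, name_off = struct.unpack_from(ptr + "i", tab, funcoff)
        if entry != pc or not 0 <= name_off < len(tab):
            raise ValueError("functab entry and _func disagree at index %d" % i)
        end = tab.index(b"\x00", name_off)
        funcs.append((pc, tab[name_off:end].decode("utf-8")))
    return funcs


def build_pclntab(functions, end_pc, ptr_size=8):
    """Constructed test input: a minimal table carrying only the fields the parser
    reads. functions is [(pc, name), ...] sorted by pc; the remaining _func fields
    are zero and the file table is empty."""
    ptr = "<Q" if ptr_size == 8 else "<I"
    n = len(functions)
    header = struct.pack("<IBBBB", PCLNTAB_MAGIC_GO12, 0, 0, 1, ptr_size) + struct.pack(ptr, n)
    func_size = ptr_size + 4 + 24                              # entry, nameoff, zeroed rest
    funcs_start = len(header) + (2 * n + 1) * ptr_size + 4     # functab, then uint32 filetab offset
    names_start = funcs_start + n * func_size
    functab, structs, names = b"", b"", b""
    for pc, name in functions:
        functab += struct.pack(ptr, pc) + struct.pack(ptr, funcs_start + len(structs))
        structs += struct.pack(ptr + "i", pc, names_start + len(names)) + b"\x00" * 24
        names += name.encode("utf-8") + b"\x00"
    functab += struct.pack(ptr, end_pc)
    filetab_off = names_start + len(names)
    return header + functab + struct.pack("<I", filetab_off) + structs + names + struct.pack("<I", 0)


if __name__ == "__main__":
    table = build_pclntab([(0x401000, "main.main"), (0x401200, "main.RsaEncrypt")], end_pc=0x401300)
    for pc, name in parse_pclntab(table):
        print("%#x %s" % (pc, name))
```

Against a real sample you would hand parse_pclntab the bytes of the section containing the table (starting at the offset find_pclntab returns); the recovered (address, name) pairs are exactly what the plugin uses to rename functions in IDA. The sortedness and entry-consistency checks matter in practice because packed or partially overwritten samples produce tables that look valid at the header but point nowhere.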

The plugin's helper functions below locate the "gopclntab" table, find the module data, rename the functions and detect the Go version.

The relevant parser code is as follows: 

    # Locate the gopclntab once and cache its address in the plugin state.
    def getGopcln(self):
        gopcln_addr = self.getVal("gopcln")
        if gopcln_addr is None:
            gopcln_addr = Gopclntab.findGoPcLn()   # signature scan for the pclntab magic
            self.setVal("gopcln", gopcln_addr)
        return gopcln_addr

    # Walk from the pclntab to the runtime's firstmoduledata structure,
    # which points at the type and function tables.
    def findModuleData(self):
        gopcln_addr = self.getGopcln()
        fmd = Firstmoduledata.findFirstModuleData(gopcln_addr, self.bt_obj)
        self.setVal("firstModData", fmd)
        return

    # Rename every function in IDA using the names recorded in the pclntab.
    def renameFunctions(self):
        gopcln_tab = self.getGopcln()
        Gopclntab.rename(gopcln_tab, self.bt_obj)



The plugin's output shows its Go version guess and the structure definitions and type assignments it creates, for example:

According to moduleData struct it should be go1.8 or go1.9 or go1.10

Creating structure string
Creating structure slice
Creating structure __iface
Creating structure type
Creating structure arrayType
Creating structure chanType
Creating structure ptrType
Creating structure sliceType
Creating structure uncommonType
Creating structure method__
Creating structure structField
Creating structure structType
Creating structure imethod
Creating structure interfaceType
Creating structure funcType
Creating structure mapType
539d60 53ad6c 4df000
Processing: 4e9d00
PTR


1. The RobbinHood ransomware contains 2,754 functions, of which only 26 belong to package “main” and affect the malware's operation; the rest come from the statically linked runtime and library code. Notably, Golang executables often preserve the original function names as written by the developer: the names live in the “gopclntab”, which the runtime needs for stack traces, so they remain even when the symbol table is stripped unless the author deliberately obfuscates them.

[Figure: RobbinHood function list]

The function names are descriptive of the ransomware encryption routines (for example, “main_RsaEncrypt”) and help the analyst navigate straight to the functions of interest.

2. The APT28 Zebrocy loader contains 5,459 functions, of which only 16 belong to package “main” and affect the malware's operation beyond the statically linked code. Again, the Golang executable preserves the original function names as written by the developer.

[Figure: Zebrocy function list]

One of the key analysis insights is that the APT28 Golang executable relies heavily on open source Golang packages from GitHub: iamacarpet/go_win64api (ProcessList, InstalledSoftwareList, ListLoggedInUsers, SessionDetails/FullUser), shirou/gopsutil (host_Info) and kbinani/screenshot (NumActiveDisplays, GetDisplayBounds, CaptureRect). Their use is evident from the parsed function names, which carry the “github_com” prefix and the package paths listed above.

Golang Metadata Artifacts

1. The RobbinHood ransomware contains the paths of its original source files, including “main.go”, stored in the “.rdata” section as follows:

[Figure: RobbinHood source paths in .rdata]

  • C:/Users/valery/go/src/oldboy/config.go
  • C:/Users/valery/go/src/oldboy/functions.go
  • C:/Users/valery/go/src/oldboy/main.go

2. The APT28 Zebrocy loader contains the path of its original “main.go” source file, stored in the “.rdata” section as follows:

[Figure: Zebrocy source path in .rdata]

C:/!Project/C1/ProjectC1Dec/main.go

Conclusion

The Golang programming language has become a language of choice for some of the most notable crimeware and APT groups. Being able to recognize the primary features of Golang executables is therefore increasingly important for malware analysis and reverse engineering. Key elements of analyzing a Golang executable are locating the “main” package functions that determine the program's flow and understanding the role of the “gopclntab”, which is what makes function name recovery possible.

Additionally, writing Go code yourself builds good reverse engineering habits: programming in Golang teaches the analyst to recognize the patterns, types and module data that Go binaries carry, which speeds up future Golang malware analysis and reverse engineering.

Referenced Malware Samples

APT28 Zebrocy UPX Packed Sample
SHA-256: 93680d34d798a22c618c96dec724517829ec3aad71215213a2dcb1eb190ff9fa

RobbinHood Ransomware Sample
SHA-256: 3bc78141ff3f742c5e942993adfbef39c2127f9682a303b5e786ed7f9a8d184b  

