The Good, the Bad and the Ugly in Cybersecurity – Week 5

Image of The Good, The Bad & The Ugly in CyberSecurity

The Good

This past week, the Indonesian National Police held a joint press conference with Interpol to announce the outcome of Operation Night Fury. This effort ultimately led to the arrest of three suspects responsible for a wave of Magecart attacks. It is alleged that these actors were behind several hundred (and possibly more) attacks on e-commerce sites spanning the globe. The suspects were arrested in December and could face up to 10 years in prison. According to intelligence gathered, the criminals ran a multi-stage operation. At first they would compromise the e-commerce site to siphon off credit card data and personal details. They would then turn around and use the ill-gotten funds to purchase various goods before cashing out by reselling the goods on local (Indonesian) sites.

image of magecart press statement

Magecart attacks have been traced back to at least 2016 and have hit a number of high-traffic e-commerce sites. Some of these include Ticketmaster, NewEgg, British Airways, and MyPillow.com, so seeing these actors brought down is a great win in the ongoing battle for e-commerce security.

The Bad

Emotet has not slowed down this year. As usual, we are finding that their social-engineering tactics and lures are as timely as ever. Some of the latest campaigns to come to light are taking advantage of the fears and uncertainties surrounding the latest coronavirus outbreak. Phishing and malspam campaigns which masquerade as official notifications from public sources about the health scare are being used to entice targets into downloading Emotet trojans. We have observed several versions of this campaign, all tailored to different locations, languages or dialects. They all basically entice the user into opening malicious attachments which appear to be official notices or information from health officials. During this time of uncertainty surrounding the outbreak of coronavirus, these lures are proving to be particularly successful.

The actors behind these campaigns show no restraint or tact when it comes to preying on the fear of the public. Be careful when opening email attachments (or don’t) and ensure that you are protected by an Active EDR solution that is able to protect against this and all other Emotet campaigns.

image of mask

The Ugly

By now we are all (hopefully) aware of the reason that popular social media platforms and apps are “free”. These services don’t ask for payment because they monetize your personal details and behavior patterns in return. That data is then worth large amounts of money to interested buyers. That being said, the last entity you would expect to meddle in this practice would be your security or AV vendor. Enter AVAST…

This week it was unveiled that the free anti-virus product AVAST was using its browser extension component to harvest user data. Their “Jumpshot” division would then sell this data to interested buyers. When news broke of this practice, AVAST stated that the information had been fully “de-identified” and therefore should not be of concern. To quote them directly:

“The data is fully de-identified and aggregated and cannot be used to personally identify or target you,”

However, a joint investigation by PCMag and Vice/Motherboard found that large collections of data can in fact be matched to individuals. According to VICE, some big-name companies are listed as buyers of the data scraped by “Jumpshot”, including Microsoft, Pepsi, Google and Home Depot. Even more troubling is that reportedly, most of AVAST’s user base had no idea that this practice was occurring.

image of avast jumpshot icon

The revelations about AVAST and Jumpshot’s practices have been a long time coming. In December of 2019, Senator Ron Wyden publicly investigated the company and specifically went after them on their troubling practices. Also in December 2019, Mozilla removed AVAST products from their extension portal due to invasive practices. Others have followed suit.

Note: AVAST issued a press release on January 30, stating that they will be “winding down” the Jumpshot subsidiary.

At the end of the day, you get what you pay for. But at the same time, the folks giving you free stuff usually want something in return. We all need to take time to become painfully aware of and familiar with how our data is being “ingested” during our day-to-day travels on the information superhighway. We don’t all like to take the time to understand that, but it is critical, and for the sake of privacy, an unfortunate necessity.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Arvind Krishna will replace Ginni Rometty as IBM CEO in April

IBM announced today that the board of directors has elected IBM senior vice president for Cloud and Cognitive Software Arvind Krishna to replace current CEO Ginni Rometty. He will take over on April 6th after a couple of months of transition. Rometty will remain with the company as chairman of the board.

Krishna reportedly drove the massive $34 billion acquisition of Red Hat at the end of 2018, and there was some speculation at the time that Red Hat CEO Jim Whitehurst was the heir apparent, but the board went with a more seasoned IBM insider for the job, while naming Whitehurst as president.

In a statement Rometty called Krishna the right man for the job, as she steps back after more than eight years on the job. “Through his multiple experiences running businesses in IBM, Arvind has built an outstanding track record of bold transformations and proven business results, and is an authentic, values-driven leader. He is well-positioned to lead IBM and its clients into the cloud and cognitive era,” she said in a statement.

She added that in choosing Krishna and Whitehurst, the board chose a technically and business savvy team to lead the company moving forward. It’s clear that the board went with two men who have a deep understanding of cloud and cognitive computing technologies, two areas that are obviously going to be front and center of technology for the foreseeable future, and areas where IBM needs to thrive.

Ray Wang, founder and principal analyst at Constellation Research, sees the CEO-president model as a sound approach. “It’s an inside-outside model. To truly understand IBM, you have to come from the inside [like Krishna], but to truly innovate you need someone on the outside [like Whitehurst] and that CEO-president model is helping,” he said.

Patrick Moorhead, founder and principal analyst at Moor Insights & Strategies, says that he was surprised by the timing of the announcement, which seemed to come out of nowhere. “I am a bit surprised at the speed of this announcement as I don’t believe there was a formal succession plan with a named successor. IBM has always had these and it was always apparent who the next CEO would be,” he said. That was not the case this time.

But like Wang, Moorhead likes the approach of having an “outsider” and long-time IBMer working in tandem. “Krishna spearheaded many of the next-generation IBM initiatives like the Red Hat acquisition, blockchain and quantum. I am also very pleased to see Whitehurst appointed president as now there’s an outsider and a long-time IBMer running the company in the number one and two spots,” he said.

Wang believes the new leaders have to honestly assess the company’s strengths and weaknesses and find ways to compete with today’s cloud companies for the hearts and minds of the enterprise customers.

“Today IBM is in an interesting position where the world has changed, and people go to Amazon or Salesforce or they go to Google or Workday or Microsoft. Companies still have a lot of IBM, they still trust IBM, but the new leadership team needs to figure out where the technology gaps are, which ones they need to build, which ones they need to partner, and in some cases say, this is not our market,” he said.

Even as Microsoft Azure revenue grows, AWS’s market share lead stays strong

When analyzing the cloud market, there are many ways to look at the numbers: revenue, year-over-year or quarter-over-quarter growth — or lack of it — or market share. Each of these numbers tells a story, but in the cloud market, where aggregate growth remains high and Azure’s healthy expansion continues, Microsoft is still struggling to gain meaningful ground on AWS’s lead.

This has to be frustrating to Microsoft CEO Satya Nadella, who has managed to take his company from cloud wannabe to a strong second place in the IaaS/PaaS market, yet still finds his company miles behind the cloud leader. He’s done everything right to get his company to this point, but sometimes the math just isn’t in your favor.

Numbers don’t lie

John Dinsdale, chief analyst at Synergy Research, says Microsoft’s growth rate is higher overall than Amazon’s, but AWS still has a big lead in market share. “In absolute dollar terms, it usually has larger increments in revenue numbers and that makes Amazon hard to catch,” he says, adding “what I can say is that this is a very tough gap to close and mathematically it could not happen any time soon, whatever the quarterly performance of Microsoft and AWS.”

The thing to remember with the cloud market is that it’s not even close to being a fixed pie. In fact, it’s growing rapidly and there’s still plenty of market share left to win. As of today, before Amazon has reported, it has a substantial lead, no matter how you choose to measure it.

Daily Crunch: IBM names new CEO

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 9am Pacific, you can subscribe here.

1. Arvind Krishna will replace Ginni Rometty as IBM CEO in April

Krishna, IBM’s senior vice president for cloud and cognitive software, will take over on April 6 after a couple months of transition. Rometty will remain with the company as chairman of the board.

Krishna reportedly drove the massive $34 billion acquisition of Red Hat at the end of 2018, and there was some speculation at the time that Red Hat CEO Jim Whitehurst was the heir apparent. Instead, the board went with a more seasoned IBM insider for the job, while naming Whitehurst as president.

2. Apple’s redesigned Maps app is available across the US, adds real-time transit for Miami

The redesigned app will include more accurate information overall as well as comprehensive views of roads, buildings, parks, airports, malls and other public places. It will also bring Look Around to more cities and real-time transit to Miami.

3. Social media boosting service exposed thousands of Instagram passwords

The company, Social Captain, says it helps thousands of users to grow their Instagram follower counts by connecting their accounts to its platform. But TechCrunch learned this week Social Captain was storing the passwords of linked Instagram accounts in unencrypted plaintext.

4. Elon Musk just dropped an EDM track on SoundCloud

That is a real headline and I probably don’t need to say much else. Listen to the track, or don’t.

5. Being a child actress prepared me for a career in venture capital

Crystal McKellar played Becky Slater on “The Wonder Years,” and she writes about how that experience prepared her to be a managing partner at Anathem Ventures. (Extra Crunch membership required.)

6. Moda Operandi, an online marketplace for high-end fashion, raises $100M led by NEA and Apax

High-end fashion might not be the first thing that comes to mind when you think about online shopping, but it has actually been a ripe market for the e-commerce industry.

7. Why Sony’s PlayStation Vue failed

Vue launched in March 2015, offering live and on-demand content from more than 85 channels, including many local broadcast stations. But it failed to catch on with a broader audience, despite — or perhaps, because of — its integration with Sony’s PS3 and PS4 devices, and it shut down this week. (Extra Crunch membership required.)

Rapid Threat Hunting with Deep Visibility – Feature Spotlight

As a threat hunter, your main mission is to understand the behavior of your endpoints and to capture abnormal behavior with fast, super fast mitigation actions. You need the ability to search your fleet for behavioral indicators such as those mapped by the MITRE ATT&CK framework with a single click, and you need to automate threat hunts for known attacks or according to your own criteria. SentinelOne’s Deep Visibility with True Context ID allows you to do all that and more, faster than ever before. Let’s take a look.


What is True Context ID?

SentinelOne’s Deep Visibility empowers you with rapid threat hunting capabilities thanks to our patented True Context ID technology. Each autonomous SentinelOne Agent builds a model of its endpoint infrastructure and real-time running behavior. True Context ID is an ID given to a group of related events in this model. When you find an abnormal event that seems relevant, use the True Context ID to quickly find all related processes, files, threads, events and other data with a single query.

image of console and true context id

With True Context ID, Deep Visibility returns full, contextualized data that lets you swiftly understand the root cause behind a threat with all of its context, relationships and activities revealed from one search.

True Context ID lets threat hunters understand the full story of what happened on an endpoint. Use it to hunt easily, see the full chain of events, and save time for your security teams.

Deep Visibility Comes With Ease of Use

Threat hunting in the Management console’s graphical user interface is powerful and intuitive. The SentinelOne Deep Visibility query language is based on a user-friendly SQL subset that will be familiar from many other tools.

The interface assists you in building the correct syntax with completion suggestions and a one-click command palette. This saves you time and spares threat hunters the pain of remembering how to construct queries even if they are unfamiliar with the syntax.

image of command palette

A visual indicator shows whether the syntax is valid or not so you don’t waste time waiting for a bad query to return an error. Let’s search for a common “Living off the Land” technique by running a query across a 12-month period to return every process that added a net user:

image of query language

We also provide a great cheatsheet to rapidly power-up your team’s threat hunting capabilities here.

Use Case: Responding to Incidents

Let’s suppose you’ve seen a report of a new Indicator of Compromise (IOC) in your threat intel feeds. Has your organization been exposed to it? It’s fast and simple to run a query across your environment to find out.

In the Console’s Forensics view, copy the hash of the detection. In the Visibility view, begin typing in the query search field and select the appropriate hash algorithm from the command palette and then select or type =. Now, paste the hash to complete the query.

image of use case 1

This is how easy it is, even for members of your team with little or no experience of SQL-style syntax, to construct powerful threat hunting queries.

The results will show all endpoints that ever had the file installed. It’s as simple as that.

image of results

Results Come Fast, No Time For Coffee!

SentinelOne handles around 10 billion events a day, so we understand that when you query huge datasets, you cannot wait hours for the results. Deep Visibility returns results lightning fast, and thanks to its Streaming mode can even let you see the results of subqueries before the complete query is done.

Deep Visibility query results show detailed information from all your SentinelOne Agents, displaying attributes like path, Process ID, True Context ID and much more.

With Deep Visibility, you can consume the data earlier, filter the data more easily, pivot for new drill-down queries, and understand the overall story much more quickly than with other EDR products.

Fast Query on MITRE Behavioral Indicators

As a threat hunter, querying the MITRE ATT&CK framework has likely become one of your go-to tools. SentinelOne’s Deep Visibility makes hunting for MITRE ATT&CK TTPs fast and painless. It’s as easy as entering the MITRE ID.

image of mitre search

For example, you could search your entire fleet for any process or event with behavioral characteristics of process injection with one simple query:

IndicatorDescription Contains "T1055"

There’s no need to form separate queries for different platforms. With SentinelOne, a single query will return results from all your endpoints regardless of whether they are running Windows, Linux or macOS.

image of mitre indicators

Stay Ahead With Automated Hunts

SentinelOne’s Deep Visibility is designed to lighten the load on your team in every way, and that includes giving you the tools to set up and run custom threat hunting searches that run on a schedule you define through Watchlists.

With Watchlists, you can save Deep Visibility queries or define new ones, let the queries run periodically and get notifications when a query returns results. Your organization is secure while you or your team are not on duty.

Creating a Watchlist is simplicity itself. In the Visibility view of the Management console, run your query. Then, click “Save new set”, choose a name for the Watchlist, and choose who should be notified. That’s it. The threat hunt will run across your environment at the specified timing interval and the recipients will receive alerts of all results.

image of watchlists

Deep Insight At Every Level

SentinelOne’s Deep Visibility is built for granularity. You can drill down on any piece of information from a Deep Visibility query result. Each column shows an alphabetical list of the matching items. You can filter for one or more items. In a row of a result, you can expand the cell to see details. For most details, you can open a submenu and drill down even further. Alternatively, you can use the selected details to run a new query.

image of new query

Conclusion

Threat hunting lets you find suspicious behavior in its early stages before it becomes an attack that will generate alerts. It supplements the automated rules of detection tools, which require a high level of confidence that behavior is suspicious before an alert is generated. But effective threat hunting needs to result in less work for your busy analysts while at the same time providing more security for your organization, its data, services and customers. With SentinelOne’s Deep Visibility, you gain deep insight into everything that has happened in your environment. Deep Visibility gives you not only visibility but also ease of use, speed and context to make threat hunting more effective than ever before. If you would like to know more contact us today or try a free demo.


OpsRamp raises $37.5M for its hybrid IT operations platform

OpsRamp, a service that helps IT teams discover, monitor, manage and — maybe most importantly — automate their hybrid environments, today announced that it has closed a $37.5 million funding round led by Morgan Stanley Expansion Capital, with participation from existing investor Sapphire Ventures and new investor Hewlett Packard Enterprise.

OpsRamp last raised funding in 2017, when Sapphire led its $20 million Series A round.

At the core of OpsRamp’s services is its AIOps platform. Using machine learning and other techniques, this service aims to help IT teams manage increasingly complex infrastructure deployments, provide intelligent alerting and eventually automate more of their tasks. The company’s overall product portfolio also includes tools for cloud monitoring and incident management.

The company says its annual recurring revenue increased by 300% in 2019 (though we obviously don’t know what number it started 2019 with). In total, OpsRamp says it now has 1,400 customers on its platform and alliances with AWS, ServiceNow, Google Cloud Platform and Microsoft Azure.

OpsRamp co-founder and CEO Varma Kunaparaju

According to OpsRamp co-founder and CEO Varma Kunaparaju, most of the company’s customers are mid to large enterprises. “These IT teams have large, complex, hybrid IT environments and need help to simplify and consolidate an incredibly fragmented, distributed and overwhelming technology and infrastructure stack,” he said. “The company is also seeing success in the ability of our partners to help us reach global enterprises and Fortune 5000 customers.”

Kunaparaju told me that the company plans to use the new funding to expand its go-to-market efforts and product offerings. “The company will be using the money in a few different areas, including expanding our go-to-market motion and new pursuits in EMEA and APAC, in addition to expanding our North American presence,” he said. “We’ll also be doubling-down on product development on a variety of fronts.”

Given that hybrid clouds only increase the workload for IT organizations and introduce additional tools, it’s maybe no surprise that investors are now interested in companies that offer services that rein in this complexity. If anything, we’ll likely see more deals like this one in the coming months.

“As more of our customers transition to hybrid infrastructure, we find the OpsRamp platform to be a differentiated IT operations management offering that aligns well with the core strategies of HPE,” said Paul Glaser, vice president and head of Hewlett Packard Pathfinder. “With OpsRamp’s product vision and customer traction, we felt it was the right time to invest in the growth and scale of their business.”

Hyperledger Fabric, the open source distributed ledger, reaches release 2.0

The open source Hyperledger Foundation announced the release of Hyperledger Fabric 2.0 today, the first such project to reach a 2.0 release.

It’s a notable milestone. The blockchain as a business tool has certainly had a rocky road over the last few years, but there is still plenty to like about smart contracts that have automated compliance checks built in. Hyperledger Fabric 2.0 has lots of new features with that in mind.

The biggest updates involve forcing agreement among the parties before any new data can be added to the ledger, known as decentralized governance of the smart contracts. In practice, it means that the system will prevent any entity from writing to the ledger until there is consensus among the parties involved in the transaction, a basic blockchain tenet.

This is a requirement because the beauty and the curse of the distributed ledger is that it is an immutable record. Once you have written something in the ledger, it becomes very difficult to change it without the agreement of all those involved in the contract. You want to make sure you get it right before you commit something to the ledger.

Along those same lines, developers can build in automated checks along the way. As they say, this ensures the parties can “validate additional information before endorsing a transaction proposal.”

Brian Behlendorf, Executive Director at Hyperledger and a big advocate of open source distributed ledger technology, says this is a big milestone for the project and the organization as it looks to help organizations adopt distributed ledger technology.

“Fabric 2.0 is a new generation framework developed by and for the enterprises that are building distributed ledger capabilities into the core of their businesses. This new release reflects both the development and deployment experience of the Fabric community and confirms the arrival of the production era for enterprise blockchain,” Behlendorf said in a statement.

That remains to be seen. The rise of blockchain in business has moved at a slow pace, but this release shows that the open source community is still committed to building enterprise-grade distributed ledger technology. Today’s announcement is another step in that direction.

Sprint Exposed Customer Support Site to Web

Fresh on the heels of a disclosure that Microsoft Corp. leaked internal customer support data to the Internet, mobile provider Sprint has addressed a mix-up in which posts to a private customer support community were exposed to the Web.

KrebsOnSecurity recently contacted Sprint to let the company know that an internal customer support forum called “Social Care” was being indexed by search engines, and that several months worth of postings about customer complaints and other issues were viewable without authentication to anyone with a Web browser.

A redacted screen shot of one Sprint customer support thread exposed to the Web.

A Sprint spokesperson responded that the forum was indeed intended to be a private section of its support community, but that an error caused the section to become public.

“These conversations include minimal customer information and are used for frontline reps to escalate issues to managers,” said Lisa Belot, Sprint’s communications manager.

A review of the exposed support forum by this author suggests that while none of the posts exposed customer information such as payment card data, a number of them did include customer account information, such as customer names, device identifiers and in some cases location information.

Perhaps more importantly for Sprint and its customers, the forum also included numerous links and references to internal tools and procedures. This sort of information would no doubt be of interest to scammers seeking to conduct social engineering attacks against Sprint employees as a way to perpetrate other types of fraud, including unauthorized SIM swaps, or to glean more account information from targeted customers.

Earlier this week, vice.com reported that hackers are phishing workers at major U.S. telecommunications companies to gain access to internal company tools. That news followed a related Vice report earlier this month which found ne’er-do-wells are now getting telecom employees to run software that lets the hackers directly reach into the internal systems of U.S. telecom companies to take over customer cell phone numbers.

The misstep by Sprint comes just days after Microsoft acknowledged that a database containing “a subset of information related to customer support interactions was accessible to the internet between the dates of Dec. 5 and Dec. 31, 2019.” Microsoft said it was alerting individuals whose information was exposed, which included location information, email and IP addresses, telephone numbers and descriptions of technical issues.

A message Microsoft sent to customers affected by their recent leak of customer support data.

This week marked the annual observance of Data Privacy Day, an occasion in which we are reminded to be more judicious about the types of personal information we voluntarily share on social media and other Web sites. But both the Microsoft and Sprint stumbles are a reminder that billion-dollar companies very often expose this information on our behalf, even when we are doing everything within our power to safeguard it.

Scripting Macs With Malice | How Shlayer and Other Malware Installers Infect macOS

The Myth of the Safe Mac is something we’ve written about before, but sometimes it takes a startling statistic to get people’s attention. Research suggesting that 10% of all Kaspersky-protected Macs had been hit by Shlayer malware in 2019 certainly caught the attention of last week’s news cycle, and hopefully it’s the sort of stat that can serve as a wake-up call to those who still ask in 2020 “Do Macs get viruses?” (by which, of course, they mean ‘do Macs get infected with malware?’).

The resounding answer to that is “Yes, of course they do!”, and they’re getting infected at increasing rates because malware authors have adapted and evolved their techniques. In this post, we’ll explore in more detail the infection method adopted by Shlayer and other malware families recently. This method has proven to be an effective means of beating built-in macOS security controls and, indeed, a number of end user protection tools, too.

image of scripting macs with malice

Why Threat Actors Are Turning to Scripts

Until recently, most threat actors approached macOS infection in pretty much the same way. From adware to OSX.Dok and APT Lazarus group targeted attacks, the first stage infection is typically a standard Apple application bundle containing a malicious Mach-O binary file. The Mach-O is to macOS what PE is to Windows or ELF to Linux: the standard system executable format at the heart of GUI applications.

image of shroomcourt adware

The problem with such compiled binaries from a threat actor’s point of view is that they have a lot of code surface for detection. Legacy-style AV will scan binaries on execution, while macOS itself will check such binaries for Notarization and codesigning on first launch. The life of a binary file downloaded from the internet is one of a series of hurdles to leap over. On top of that, building and compiling new binaries to beat hash and YARA rule checks is also more work for attackers than they would like.

Using a scripting language offers attackers a number of advantages. They’re easier to iterate on, they’re harder to scan, and although they can technically be codesigned, they don’t have to be, and that codesigning is in any case a brittle and easily removed extended attribute. But scripts have a couple of disadvantages, too. First, they still have to lose the Gatekeeper “quarantine bit” (read here if you’re not familiar with how Gatekeeper works); and second, asking victims to download and execute a sketchy-looking script is not a convincing look for malware that’s trying to pass itself off as a legitimate application.

Shlayer and related adware installers like Bundlore have got around both of these problems with surprising ease. Attackers have realized that, due to increasing security controls on legitimate applications, many macOS users have become familiar with the process and are undaunted by the prospect of simply overriding their own security preferences. Instructions like this allow even non-admin users to override Gatekeeper with two clicks and let the malware launch.

image right click to bypass macOS security

The second problem was never really a problem to begin with, but it took malware authors a while to either catch on to, or bother to implement, the fact that the file format inside an application bundle can be anything you like – it doesn’t have to be a Mach-O. A Python or shell script will do just as well. Moreover, with clever uses of aliases and filenames, attackers don’t even need to use an application bundle at all. While a scary-looking shell script might put some potential victims on alert, a nice icon like this will look harmless enough to many others.

image of player dmg

Inside Shlayer.a malware

The image above shows how the Shlayer.a variant presents itself to users when they mount the disk image that contains it. The disk image is typically downloaded by users who have been tricked through social engineering into believing they need to update Adobe Flash Player.

However, switch views in the Finder and then toggle hidden files with the hotkey Command-Shift-Period, and we can see there’s a bunch of other files hidden away on the disk image. Note the enc file, which is called by the Player.command shell script.

image of hidden malicious files in dmg

This version is relatively simple, but still clever. The hidden enc script decodes into the following second stage shell script, which downloads and launches the next stage in the form of a malicious app in a subfolder of the /tmp folder.

image of early shlayer variant

The code

$ mktemp -d /tmp/XXXXXXXXX

offers the malware an easy way to generate a random folder name. The number of Xs determines the length, and the mktemp command helpfully generates a random string of that length.

image of mktemp

Shlayer.a has been around for 18 months or so, and aside from the download URL, it hasn’t changed much in that time. Despite that, at the time of writing the most recent sighting of Shlayer.a on VirusTotal was 2 hours ago; malware authors don’t persist with unsuccessful strategies, so Shlayer.a is clearly still very much a going concern.

image of shlayer a on virustotal

Inside Shlayer.d malware

A more recent version increases the complexity and the size of the shell script and uses a very different technique. If you run the file command on both samples, you’ll notice that they are both Bash scripts but the newer sample contains binary data:

image of shlayer_d file type

Our newer sample has also ballooned to 1.7MB compared to the slim-jim Shlayer.a version of 181 bytes. If we open that in Vi, we’ll get 6000 lines or so of binary. From within Vi, we can call the xxd utility to get a clearer picture of what’s going on. The first 400 lines or so are a shell script with a base64 encoded string for input.

image of shlayer_d

Decoding that reveals another script embedded within it:

image of shlayer_d embedded script

and more base64 code at Line 17, which defines the variable _t.

image shlayer_d second stage base64

Note how the script itself leverages the xxd utility to decode its own binary data. The final Line 18 at the end of the data reveals the command that will be run:

eval "$(_m "$_t" "$_y")"

Let’s change that eval to echo to print out the next stage.

image of shlayer final stage decryption

As we can see, the script jumps through quite a few hoops before gathering the operating system version and machine ID. As with Shlayer.a, it then downloads and executes the payload from a subfolder within /tmp, making use of the mktemp utility. The payload is then deleted and, for good measure, the script kills Terminal.app as its final act.
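The manual steps used above (decoding the base64 string the script carries, then changing the final eval to echo so the next stage is printed rather than run) can be automated for triage. The following is an added example and is not code from the original post: it builds a constructed first stage shaped like Shlayer.d (a base64 string in _t, a decoder _m and a closing eval) whose "second stage" is placeholder text, counts the indicators seen in the samples above, decodes embedded base64 without executing it, and writes a defanged copy. The function names triage, decode_b64_literals, defang_eval and make_sample are the example's own.

```shell
#!/bin/sh
# Static triage of an obfuscated shell dropper (added example, not code from
# the original post). Nothing from the analysed script is executed; the
# defanged copy only prints the next stage. The sample is constructed below.

# Number of stdin lines matching an extended regex (prints 0 when none).
count_matches() {  # $1 = regex
  n=$(grep -Ec "$1") || true
  printf '%s\n' "${n:-0}"
}

# Decode every base64 literal of 40+ characters found in the file, one per line.
decode_b64_literals() {  # $1 = script
  grep -oE '[A-Za-z0-9+/]{40,}={0,2}' "$1" | while IFS= read -r blob; do
    printf '%s' "$blob" | base64 -d 2>/dev/null && printf '\n'
  done
}

# One-line summary of indicators in the raw script and in its decoded blobs:
# eval of generated code, xxd self-decoding, mktemp use, and base64 blobs.
triage() {  # $1 = script
  f=$1
  decoded=$(decode_b64_literals "$f")
  ev='(^|[^A-Za-z0-9_])eval([^A-Za-z0-9_]|$)'
  xx='(^|[^A-Za-z0-9_])xxd([^A-Za-z0-9_]|$)'
  printf 'eval=%s xxd=%s mktemp=%s b64_blobs=%s decoded_mktemp=%s\n' \
    "$(count_matches "$ev" < "$f")" \
    "$(count_matches "$xx" < "$f")" \
    "$(count_matches 'mktemp' < "$f")" \
    "$(grep -oE '[A-Za-z0-9+/]{40,}={0,2}' "$f" | wc -l | tr -d ' ')" \
    "$(printf '%s\n' "$decoded" | count_matches 'mktemp')"
}

# Copy the script with its final `eval "$(` rewritten to `echo "$(`, the manual
# step used above, so running the copy prints the next stage instead of it.
defang_eval() {  # $1 = script; prints the path of the copy
  out=$(mktemp "${TMPDIR:-/tmp}/defanged.XXXXXX")
  sed 's/^eval "\$(/echo "$(/' "$1" > "$out"
  printf '%s\n' "$out"
}

# Constructed first stage shaped like Shlayer.d: base64 in _t, a decoder _m
# and a final eval. The "second stage" is harmless placeholder text.
make_sample() {  # prints the path of the sample script
  f=$(mktemp "${TMPDIR:-/tmp}/sample.XXXXXX")
  stage2='echo "stage2 placeholder"; d=$(mktemp -d /tmp/XXXXXXXXX); echo "$d"'
  {
    printf '#!/bin/bash\n'
    printf '_y="k"\n'
    printf '_t="%s"\n' "$(printf '%s' "$stage2" | base64 | tr -d '\n')"
    printf '_m() { printf "%%s" "$1" | base64 -d; }\n'
    printf 'eval "$(_m "$_t" "$_y")"\n'
  } > "$f"
  printf '%s\n' "$f"
}

# Demo: build the sample, summarise it, then print its next stage safely.
if [ "${1:-}" = "--demo" ]; then
  s=$(make_sample)
  triage "$s"
  sh "$(defang_eval "$s")"
fi
```

Run with `--demo` to see the summary line (the raw file shows one eval and one base64 blob, and mktemp only appears once the blob is decoded) followed by the printed second stage. The summary deliberately counts the decoded blobs separately from the raw text, since that is exactly where the Shlayer.d script hides its mktemp and download logic.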

Inside Bundlore: Friends of the Shlayer Family

As mentioned at the beginning of this post, other researchers have covered the more recent Shlayer.e variant, which uses Python rather than Bash to achieve much the same thing, so I won’t repeat their analysis here, but the technical details are certainly worth reading up on.

Throughout the above, I’ve followed the naming conventions used by Kaspersky in order to facilitate readers following the story from there or elsewhere, but as you’ll notice if you look at the detections on VirusTotal, there is a wide variety of names for the Shlayer malware, with some engines identifying Shlayer variants as Bundlore variants and vice versa. Given the fluidity and similarity between samples of Shlayer and Bundlore, let’s look at a sample that offers a different twist on what we saw above.

The final sample I want to take a look at uses very similar techniques as the previous Shlayer samples, although it is tagged by Kaspersky as “OSX.Bnodlero.x” and by a number of other vendors as “Bundlore-CJ”. Let’s use Pacifist to inspect and extract the disk image’s contents.

image of bundlore installer

In terms of distribution and packaging, we see the sample is a DMG containing an Installer.app. The app’s icon is an image that resembles the familiar .pkg icon, and the main executable is once again a shell script. However, the script is somewhat different from the earlier ones, and it’s worth taking a look at from a defender’s point of view.

While the Shlayer samples above all eventually called out to a URL to retrieve the final payload, this sample packs an encrypted payload within the Installer.app bundle itself. The two files of interest in the Installer.app bundle are the script executable and the file with a random name in the Resources folder. While the executable name is a randomly generated string of alphanumeric characters, note that the name of the file in the Resources folder is the same string reversed.

Let’s start by decoding the base64 in the script. Here’s the encoded and decoded version side-by-side.

image of decrypted bundlore script

After decryption, we find that the script writes a Mach-O binary to a subfolder in the /tmp folder, again using mktemp but this time with a 12-character length. The script creates a bundle structure for the executable, giving it a random Bundle Identifier derived by hashing the output of the date command, running the hash through base64, and formatting the result with tr to delete unwanted characters.

The script then gives the new bundle executable permissions and launches it using the built-in open command. The script then promptly deletes the bundle and its parent directory from the filesystem, leaving nothing to be found as the source of infection.
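Two of the static traits described for this sample, a script sitting where a Mach-O executable would normally be (the point made earlier that an app bundle's main executable can be any file format) and a Resources file whose name is the executable's name reversed, can be checked without launching anything. The following is an added example, not tooling from the original post or from any vendor: it relies only on POSIX utilities (sed, od, awk) so it also runs on Linux, the bundles it inspects are constructed inside the script with no real payload, and the function names bundle_executable, file_kind, inspect_bundle and make_sample_bundle are the example's own.

```shell
#!/bin/sh
# Static inspection of a macOS .app bundle for the traits described above:
# a main executable that is a script rather than a Mach-O binary, and a
# Resources file whose name is the executable's name reversed. Added example,
# not code from the original post; POSIX tools only, constructed sample bundle.

# CFBundleExecutable from Info.plist, read with sed (plutil is macOS-only);
# assumes the <string> value sits on the line after the key, as written below.
bundle_executable() {  # $1 = path to .app
  sed -n '/<key>CFBundleExecutable<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' \
    "$1/Contents/Info.plist"
}

# Classify a file by its first four bytes: "script" for a #! header, "macho"
# for the Mach-O and fat-binary magic numbers, "other" for anything else.
file_kind() {  # $1 = file
  magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  case "$magic" in
    2321*) echo script ;;
    feedface|cefaedfe|feedfacf|cffaedfe|cafebabe|bebafeca) echo macho ;;
    *) echo other ;;
  esac
}

# Reverse a string with awk (rev is not available everywhere).
reverse() {  # $1 = string
  printf '%s\n' "$1" | awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }'
}

# Findings for a bundle, space separated: "script-executable" when the main
# executable is a script, "reversed-resource" when Resources holds a file
# named with the executable name reversed; "clean" when neither applies.
inspect_bundle() {  # $1 = path to .app
  exe=$(bundle_executable "$1")
  findings=""
  if [ "$(file_kind "$1/Contents/MacOS/$exe")" = script ]; then
    findings="script-executable"
  fi
  if [ -e "$1/Contents/Resources/$(reverse "$exe")" ]; then
    findings="${findings:+$findings }reversed-resource"
  fi
  printf '%s\n' "${findings:-clean}"
}

# Constructed sample bundles (no real payload): "suspicious" has the layout
# described above, "clean" has a Mach-O-magic executable and an ordinary resource.
make_sample_bundle() {  # $1 = suspicious|clean; prints the .app path
  app=$(mktemp -d "${TMPDIR:-/tmp}/sample.XXXXXX")/Installer.app
  mkdir -p "$app/Contents/MacOS" "$app/Contents/Resources"
  exe=a1b2c3d4
  cat > "$app/Contents/Info.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleExecutable</key>
<string>$exe</string>
</dict></plist>
EOF
  if [ "$1" = suspicious ]; then
    printf '#!/bin/sh\necho placeholder\n' > "$app/Contents/MacOS/$exe"
    : > "$app/Contents/Resources/$(reverse "$exe")"
  else
    printf '\317\372\355\376' > "$app/Contents/MacOS/$exe"   # 0xfeedfacf, little-endian
    : > "$app/Contents/Resources/icon.icns"
  fi
  printf '%s\n' "$app"
}

# Demo: build both bundles and report on each.
if [ "${1:-}" = "--demo" ]; then
  inspect_bundle "$(make_sample_bundle suspicious)"
  inspect_bundle "$(make_sample_bundle clean)"
fi
```

Run with `--demo` to see "script-executable reversed-resource" for the constructed Bundlore-style layout and "clean" for the ordinary one. On a real Mac the same check belongs next to an `xattr -p com.apple.quarantine` lookup on the downloaded DMG, since a bundle whose quarantine attribute is already gone is one the user has been walked through overriding.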

Conclusion

In this post, we’ve seen how threat actors are easily able to convince users to override their own security settings, and how these same bad actors are using scripts as the initial installer instead of native binaries, which are more easily detected and harder to iterate on. Many legacy AV scanners don’t even recognize scripts as executables, and as the parent process will be the scripting language’s interpreter (e.g., /bin/bash or /usr/bin/python), these may also bypass security solutions that whitelist such tools. The best way to protect users from these kinds of threats is with a behavioral solution that does not care what file type is used or what parent process is invoked, and which of course cannot be overridden by the user on the endpoint.

Sample Hashes

Shlayer.a:
a45a770803ad44eca678e74a5a10c270062c449c8ed6c6ac5a2b3217881272ad
da500f8821dde25cff8bba0e9dd5bf2d8efa8b188718f93287960969eec1b6b7

Shlayer.d: – First Stage
c32199390872536e45f0cc9d5a55e23ed5b0822772555b57def9aeb22cfdcb49

Shlayer.d: – Second Stage
f968eec32cbc625d8c3ef27c5a785be6c3a84df1344569f329da18dc66beb9a2

OSX.Bnodlero.x: – First Stage
962dd0564f179904c7ae59e92c6456a2906527fc2dc26480d25ef87b28bd429a

OSX.Bnodlero.x: – Decrypted Mach-O
6dd68a2b1375d47f99d7219aa5131bbab008bf0ae73784836b8c46b3e1d8f461



Read more about Cyber Security

Greylock’s Reid Hoffman and Sarah Guo to talk fundraising at Early Stage SF 2020

Early Stage SF is around the corner, and we are more than excited for this brand new event. The intimate gathering of founders, VCs, operators and tech industry experts is all about giving founders the tools they need to find success, no matter the challenge ahead of them.

Struggling to understand the legal aspects of running a company, like negotiating cap tables or hiring international talent? We’ve got breakout sessions for that. Wondering how to go about fundraising, from getting your first yes to identifying the right investors to planning the timeline for your fundraise sprint? We’ve got breakout sessions for that. Growth marketing? PR/Media? Building a tech stack? Recruiting?

We. Got. You.

Hoffman + Guo

Today, we’re very proud to announce one of our few Main Stage sessions that will be open to all attendees. Reid Hoffman and Sarah Guo will join us for a conversation around “How To Raise Your Series A.”

Reid Hoffman is a legendary entrepreneur and investor in Silicon Valley. He was an Executive VP and founding board member at PayPal, before going on to co-found LinkedIn in 2003. He led the company to profitability as CEO before joining Greylock in 2009. He serves on the boards of Airbnb, Apollo Fusion, Aurora, Coda, Convoy, Entrepreneur First, Microsoft, Nauto, and Xapo, among others. He’s also an accomplished author, with books like Blitzscaling, The Startup of You, and The Alliance.

Sarah Guo has a wealth of experience in the tech world. She started her career in high school at a tech firm founded by her parents, called Casa Systems. She then joined Goldman Sachs, where she invested in growth-stage tech startups such as Zynga and Dropbox, and advised both pre-IPO companies (Workday) and publicly traded firms (Zynga, Netflix, and Nvidia). She joined Greylock Partners in 2013 and led the firm’s investment in Cleo, Demisto, Sqreen and Utmost. She has a particular focus on B2B applications as well as infrastructure, cybersecurity, collaboration tools, AI, and healthcare.

The format for Hoffman and Guo’s main stage chat will be familiar to folks who have followed the investors. It will be an updated, in-person combination of Hoffman’s famously annotated LinkedIn Series B pitchdeck that led to Greylock’s investment, and Sarah Guo’s in-depth breakdown of what she looks for in a pitch.

They’ll lay out a number of universally applicable lessons that folks seeking Series A funding can learn from, tackling each from their own unique perspectives. Hoffman has years of experience in consumer-focused companies, with a special expertise in network effects. Guo is one of the top minds when it comes to investment in enterprise software.

We’re absolutely thrilled about this conversation, and to be honest, the entire Early Stage agenda.

How it works

Here’s how it all works:

There will be about 50+ breakout sessions at the event, and attendees will have an opportunity to attend at least seven. The sessions will cover all the core topics confronting early-stage founders — up through Series A — as they build a company, from raising capital to building a team to growth. Each breakout session will be led by notables in the startup world.

Don’t worry about missing a breakout session, because transcripts from each will be available to show attendees. And most of the folks leading the breakout sessions have agreed to hang at the show for at least half the day and participate in CrunchMatch, TechCrunch’s app to connect founders and investors based on shared interests.

Here’s the fine print. Each of the 50+ breakout sessions is limited to around 100 attendees. We expect a lot more attendees, of course, so signups for each session are on a first-come, first-serve basis. Buy your ticket today and you can sign up for the breakouts that we’ve announced. Pass holders will also receive 24-hour advance notice before we announce the next batch. (And yes, you can “drop” a breakout session in favor of a new one, in the event there is a schedule conflict.)

Grab yourself a ticket and start registering for sessions right here. Interested sponsors can hit up the team here.
