Report: ATM Skimmer Gang Had Protection from Mexican Attorney General’s Office

A group of Romanians operating an ATM company in Mexico and suspected of bribing technicians to install sophisticated Bluetooth-based skimmers in cash machines throughout several top Mexican tourist destinations has enjoyed legal protection from a top anti-corruption official in the Mexican attorney general’s office, according to a new complaint filed with the government’s internal affairs division.

As detailed this week by the Mexican daily Reforma, several Mexican federal, state and municipal officers filed a complaint saying the attorney general’s office responsible for combating corruption had initiated formal proceedings against them for investigating Romanians living in Mexico who are thought to be part of the ATM skimming operation.

Florian Tudor (right) and his business associates at a press conference earlier this year. Image: Reforma.

Reforma said the complaint centers on Camilo Constantino Rivera, who heads the unit in the Mexican Special Prosecutor’s office responsible for fighting corruption. It alleges Rivera has an inherent conflict of interest because his brother has served as a security escort and lawyer for Florian Tudor, the reputed boss of a Romanian crime syndicate recently targeted by the FBI for running an ATM skimming and human trafficking network that operates throughout Mexico and the United States.

Tudor, a.k.a. “Rechinu” or “The Shark,” and his ATM company Intacash were the subject of a three-part investigation by KrebsOnSecurity published in September 2015. That series tracked the activities of a crime gang which was rumored to be bribing and otherwise coercing ATM technicians into installing Bluetooth-based skimming devices inside cash machines throughout popular tourist destinations in and around Mexico’s Yucatan Peninsula — including Cancun, Cozumel, Playa del Carmen and Tulum.

In 2018, 44-year-old Romanian national Sorinel Constantin Marcu was found shot dead in his car in Mexico. Marcu’s older brother told KrebsOnSecurity shortly after the murder that his brother was Tudor’s personal bodyguard but at some point had a falling out with Tudor and his associates over money. Marcu the elder said his brother was actually killed in front of a new apartment complex being built and paid for by Mr. Tudor, and that the dead man’s body was moved to make it look like he was slain in his car instead.

On March 31, 2019, police in Cancun, Mexico arrested 42-year-old Tudor and 37-year-old Adrian Nicholae Cosmin for the possession of an illegal firearm and cash totaling nearly 500,000 pesos (~USD $26,000) in both American and Mexican denominations. Two months later, a judge authorized the search of several of Tudor’s properties.

The Reforma report says Rivera’s office subsequently initiated proceedings against and removed several agents who investigated the crime ring, alleging those agents abused their authority and conducted illegal searches. The complaint against Rivera charges that the criminal protection racket also included the former chief of police in Cancun.

In September 2019, prosecutors with the Southern District of New York unsealed indictments and announced arrests against 18 people accused of running an ATM skimming and money laundering operation that netted $20 million. The defendants in that case — nearly all of whom are Romanians living in the United States and Mexico — included Florian Claudio Martin, described by Romanian newspapers as “the brother of Rechinu,” a.k.a. Tudor.

The news comes on the heels of a public relations campaign launched by Mr. Tudor, who recently denounced harassment from the news media and law enforcement by taking out a full two-page ad in Novedades, the oldest daily newspaper in the Mexican state of Quintana Roo (where Cancun is located). In a news conference with members of the local press, Tudor also reportedly accused this author of having been hired by his enemies to slander him and ruin his legitimate business.

A two-page ad taken out earlier this year in a local newspaper by Florian Tudor, accusing the head of the state police department of spying on businessmen in order to extort and harass them.

Obviously, there is no truth to Tudor’s accusations, and this would hardly be the first time the reputed head of a transnational crime syndicate has insinuated that I was paid by his enemies to disrupt his operations.

Next week, KrebsOnSecurity will publish highlights from an upcoming lengthy investigation into Tudor and his company by the Organized Crime and Corruption Reporting Project (OCCRP), a consortium of investigative journalists operating in Eastern Europe, Central Asia and Central America.

Here’s a small teaser: Earlier this year, I was interviewed on camera by reporters with the OCCRP, who at one point in the discussion handed me a transcript of some text messages shared by law enforcement officials that allegedly occurred between Tudor and his associates directly after the publication of my 2015 investigation into Intacash.

The text messages suggested my story had blown the cover off their entire operation, and that they intended to shut it all down after the series was picked up in the Mexican newspapers. One text exchange seems to indicate the group even briefly contemplated taking out a hit on this author in retribution.

The Mexican attorney general’s office could not be immediately reached for comment. The “contact us” email link on the office’s homepage leads to a blank email address, and a message sent to the one email address listed there as the main contact for the Mexican government portal (gobmx@funcionpublica.gob.mx) bounced back as an attempt to deliver to a non-existent domain name.

Further reading:

Alleged Chief of Romanian ATM Skimming Gang Arrested in Mexico

Tracking a Bluetooth Skimmer Gang in Mexico

Tracking a Bluetooth Skimmer Gang in Mexico, Part II

Who’s Behind Bluetooth Skimming in Mexico?

Scandit raises $80M as COVID-19 drives demand for contactless deliveries

Enterprise barcode scanner company Scandit has closed an $80 million Series C round, led by Silicon Valley VC firm G2VP. Atomico, GV, Kreos, NGP Capital, Salesforce Ventures and Swisscom Ventures also participated in the round — which brings its total raised to date to $123M.

The Zurich-based firm offers a platform that combines computer vision and machine learning tech with barcode scanning, text recognition (OCR), object recognition and augmented reality which is designed for any camera-equipped smart device — from smartphones to drones, wearables (e.g. AR glasses for warehouse workers) and even robots.

Use-cases include mobile apps or websites for mobile shopping; self checkout; inventory management; proof of delivery; asset tracking and maintenance — including in healthcare where its tech can be used to power the scanning of patient IDs, samples, medication and supplies.

It bills its software as “unmatched” in terms of speed and accuracy, as well as the ability to scan in bad light; at any angle; and with damaged labels. Target industries include retail, healthcare, industrial/manufacturing, travel, transport & logistics and more.

The latest funding injection follows a $30M Series B round back in 2018. Since then Scandit says it’s tripled recurring revenues, more than doubling the number of blue-chip enterprise customers, and doubling the size of its global team.

Global customers for its tech include the likes of 7-Eleven, Alaska Airlines, Carrefour, DPD, FedEx, Instacart, Johns Hopkins Hospital, La Poste, Levi Strauss & Co, Mount Sinai Hospital and Toyota — with the company touting “tens of billions of scans” per year on 100+ million active devices at this stage of its business.

It says the new funding will go on further pressing on the gas to grow in new markets, including APAC and Latin America, as well as building out its footprint and ops in North America and Europe. Also on the slate: Funding more R&D to devise new ways for enterprises to transform their core business processes using computer vision and AR.

The need for social distancing during the coronavirus pandemic has also accelerated demand for mobile computer vision on personal smart devices, according to Scandit, which says customers are looking for ways to enable more contactless interactions.

Another demand spike it’s seeing is coming from the pandemic-related boom in ‘Click & Collect’ retail and “millions” of extra home deliveries — something its tech is well positioned to cater to because its scanning apps support BYOD (bring your own device), rather than requiring proprietary hardware.

“COVID-19 has shone a spotlight on the need for rapid digital transformation in these uncertain times, and the need to blend the physical and digital plays a crucial role,” said CEO Samuel Mueller in a statement. “Our new funding makes it possible for us to help even more enterprises to quickly adapt to the new demand for ‘contactless business’, and be better positioned to succeed, whatever the new normal is.”

Also commenting on the funding in a supporting statement, Ben Kortlang, general partner at G2VP, added: “Scandit’s platform puts an enterprise-grade scanning solution in the pocket of every employee and customer without requiring legacy hardware. This bridge between the physical and digital worlds will be increasingly critical as the world accelerates its shift to online purchasing and delivery, distributed supply chains and cashierless retail.”

Riding the State Unemployment Fraud ‘Wave’

When a reliable method of scamming money out of people, companies or governments becomes widely known, underground forums and chat networks tend to light up with activity as more fraudsters pile on to claim their share. And that’s exactly what appears to be going on right now as multiple U.S. states struggle to combat a tsunami of phony Pandemic Unemployment Assistance (PUA) claims. Meanwhile, a number of U.S. states are possibly making it easier for crooks by leaking their citizens’ personal data from the very websites the unemployment scammers are using to file bogus claims.

Last week, the U.S. Secret Service warned of “massive fraud” against state unemployment insurance programs, noting that false filings from a well-organized Nigerian crime ring could end up costing the states and federal government hundreds of millions of dollars in losses.

Since then, various online crime forums and Telegram chat channels focused on financial fraud have been littered with posts from people selling tutorials on how to siphon unemployment insurance funds from different states.

Denizens of a Telegram chat channel newly rededicated to stealing state unemployment funds discussing cashout methods.

Yes, for roughly $50 worth of bitcoin, you too can quickly jump on the unemployment fraud “wave” and learn how to swindle unemployment insurance money from different states. The channel pictured above and others just like it are selling different “methods” for defrauding the states, complete with instructions on how best to avoid getting your phony request flagged as suspicious.

Although, at the rate people in these channels are “flexing” — bragging about their fraudulent earnings with screenshots of recent multiple unemployment insurance payment deposits being made daily — it appears some states aren’t doing a whole lot of fraud-flagging.

A still shot from a video a fraudster posted to a Telegram channel overrun with people engaged in unemployment insurance fraud shows multiple $800+ payments in one day from Massachusetts’ Department of Unemployment Assistance (DUA).

A federal fraud investigator who’s helping to trace the source of these crimes and who spoke with KrebsOnSecurity on condition of anonymity said many states have few controls in place to spot patterns in fraudulent filings, such as multiple payments going to the same bank accounts, or filings made for different people from the same Internet address.

In too many cases, he said, the deposits are going into accounts where the beneficiary name does not match the name on the bank account. Worse still, the source said, many states have dramatically pared back the amount of information required to successfully request an unemployment filing.

“The ones we’re seeing worst hit are the states that aren’t asking where you worked,” the investigator said. “It used to be they’d have a whole list of questions about your previous employer, and you had to show you were trying to find work. But now because of the pandemic, there’s no such requirement. They’ve eliminated any controls they had at all, and now they’re just shoveling money out the door based on Social Security number, name, and a few other details that aren’t hard to find.”

CANARY IN THE GOLDMINE

Earlier this week, email security firm Agari detailed a fraud operation tied to a seasoned Nigerian cybercrime group it dubbed “Scattered Canary,” which has been busy of late bilking states and the federal government out of economic stimulus and unemployment payments. Agari said this group has been filing hundreds of successful claims, all effectively using the same email address.

“Scattered Canary uses Gmail ‘dot accounts’ to mass-create accounts on each target website,” Agari’s Patrick Peterson wrote. “Because Google ignores periods when interpreting Gmail addresses, Scattered Canary has been able to create dozens of accounts on state unemployment websites and the IRS website dedicated to processing CARES Act payments for non-tax filers (freefilefillableforms.com).”

Image: Agari.
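The two detection gaps described in this article (payments fanning out to one bank account or one IP address, per the federal investigator, and Gmail “dot accounts” letting one mailbox register many times, per Agari) can both be caught by the same clustering pass over claim records. The following is an added example and not code from KrebsOnSecurity, Agari, or any state system; the record layout, the claimant names, the bank account fragments, the IP addresses and the minimum cluster size are all constructed for the demo. The email normalisation goes slightly beyond the article: besides dropping dots in Gmail local parts it also strips a `+` sub-address and folds the `googlemail.com` alias, both of which Google treats as the same mailbox.

```python
"""Cluster unemployment claims on attributes a single fraudster reuses across
many identities. Constructed example data; no real claimants or accounts."""
from collections import defaultdict

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize_email(addr):
    """Canonical form of an address so aliases of one mailbox compare equal.
    Gmail ignores dots in the local part and treats '+tag' as a sub-address;
    googlemail.com is an alias of gmail.com. Other domains are only lowercased,
    because for them dots are significant."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def cluster_claims(claims, min_size=2):
    """Index claims by normalised email, payout account and source IP.
    Return clusters where at least `min_size` *different* claimants share one
    value, as {(attribute, value): [claim ids]}. One person refiling under the
    same details is not a cluster here; that is a different (duplicate) check."""
    index = defaultdict(list)
    for c in claims:
        index[("email", normalize_email(c["email"]))].append(c)
        index[("bank_acct", c["bank_acct"])].append(c)
        index[("ip", c["ip"])].append(c)
    flagged = {}
    for key, group in index.items():
        if len({c["claimant"] for c in group}) >= min_size:
            flagged[key] = sorted(c["id"] for c in group)
    return flagged


def flagged_claim_ids(claims, min_size=2):
    """Ids of every claim that sits in at least one suspicious cluster."""
    ids = set()
    for members in cluster_claims(claims, min_size).values():
        ids.update(members)
    return ids


# Constructed sample filings (assumed intake-log layout; all values made up).
# 1-3: three "identities" behind one Gmail mailbox via dot/plus variants.
# 3-4: two identities paid into the same bank account.
# 5-6: two identities filed from the same IP.
# 7-8: the same person filed twice (duplicate, but not a cross-identity cluster).
# 9:   unrelated filer whose non-Gmail address happens to contain dots.
SAMPLE_CLAIMS = [
    {"id": 1, "claimant": "A. Alpha",   "email": "johndoe@gmail.com",      "bank_acct": "4401", "ip": "203.0.113.7"},
    {"id": 2, "claimant": "B. Bravo",   "email": "j.o.h.n.doe@gmail.com",  "bank_acct": "4402", "ip": "203.0.113.8"},
    {"id": 3, "claimant": "C. Charlie", "email": "John.Doe+wa@GMAIL.com",  "bank_acct": "9001", "ip": "203.0.113.9"},
    {"id": 4, "claimant": "D. Delta",   "email": "delta@example.net",      "bank_acct": "9001", "ip": "203.0.113.10"},
    {"id": 5, "claimant": "E. Echo",    "email": "echo@example.net",       "bank_acct": "4405", "ip": "198.51.100.9"},
    {"id": 6, "claimant": "F. Foxtrot", "email": "fox@example.org",        "bank_acct": "4406", "ip": "198.51.100.9"},
    {"id": 7, "claimant": "G. Golf",    "email": "golf@example.org",       "bank_acct": "4407", "ip": "192.0.2.31"},
    {"id": 8, "claimant": "G. Golf",    "email": "Golf@Example.org",       "bank_acct": "4407", "ip": "192.0.2.31"},
    {"id": 9, "claimant": "H. Hotel",   "email": "john.doe@example.org",   "bank_acct": "4409", "ip": "192.0.2.32"},
]

if __name__ == "__main__":
    for (attr, value), ids in sorted(cluster_claims(SAMPLE_CLAIMS).items()):
        print(f"{attr:9} {value:22} shared by claims {ids}")
```

Running the script reports three clusters (the Gmail mailbox behind claims 1-3, bank account 9001 behind 3-4, and the IP behind 5-6); claims 7-9 are left alone. In production the same pass would run over the state's full intake table with the thresholds tuned per attribute, since a shared IP is weaker evidence (shared NAT, public library) than a shared payout account.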

Indeed, the very day the IRS unveiled its site for distributing CARES Act payments last month, KrebsOnSecurity warned that it was very likely to be abused by fraudsters to intercept stimulus payments from U.S. citizens, mainly because the only information required to submit a claim was name, date of birth, address and Social Security number.

Agari notes that since April 29, Scattered Canary has filed at least 174 fraudulent claims for unemployment with the state of Washington.

“Based on communications sent to Scattered Canary, these claims were eligible to receive up to $790 a week for a total of $20,540 over a maximum of 26 weeks,” Peterson wrote. “Additionally, the CARES Act includes $600 in Federal Pandemic Unemployment Compensation each week through July 31. This adds up to a maximum potential loss as a result of these fraudulent claims of $4.7 million.”

STATE WEB SITE WOES

A number of states have suffered security issues with the PUA websites that exposed personal details of citizens filing unemployment insurance claims. Perhaps the most galling example comes from Arkansas, whose site exposed the SSNs, bank account and routing numbers for some 30,000 applicants.

In that instance, The Arkansas Times alerted the state after hearing from a computer programmer who was filing for unemployment on the site and found he could see other applicants’ data simply by changing the site’s URL slightly. State officials reportedly ignored the programmer’s repeated attempts to get them to fix the issue, and when it was covered by the newspaper the state governor accused the person who found it of breaking the law.

Over the past week, several other states have discovered similar issues with their PUA application sites, including Colorado, Illinois, and Ohio.

The Good, the Bad and the Ugly in Cybersecurity – Week 21

The Good

Let’s clap for Romania’s cyber cops this week as they arrested a gang of criminals for targeting hospitals with the notorious Locky ransomware, among a number of other misdemeanours. The Directorate for Investigating Organized Crime and Terrorism (DIICOT) raided houses in Romania and Moldova, arresting four people allegedly involved in the crimes and calling themselves “Pentaguard”.

Aside from putting lives in danger by targeting healthcare services, the “Pentaguard” gang were also suspected of compromising and defacing websites belonging to public and government bodies as well as financial services and education providers.

The Bad

“This is why we can’t have nice things” is one of those memes that seems to be everywhere these days, and is particularly apt to the news that advanced hacking group Winnti are targeting their sophisticated malware at…games developers. At first blush, that might seem an odd target group for malware that takes considerable skill and effort to create and comes with the risk of being ‘burned’ (i.e., known to security solutions) shortly after use. Typically, such resources are only expended on highly valuable, corporate or organizational targets where the threat actors know the prize will far outweigh ‘the cost of doing business’ and deliver guaranteed ROI.

However, Winnti has something of a track record in this regard, and this week’s reports suggest that the malware, which persists by leveraging Windows printer drivers that run on every boot, may be used not only as part of a supply-chain attack but also to profit by manipulating in-game currencies. As one forum commenter astutely noted, massive multiplayer online games platforms have an install base of hundreds of millions of users, run software at highly privileged levels and deploy forced or automatic updates that users rarely if ever scrutinize. From a malware author’s or botnet builder’s point of view, what’s not to like?

The new Winnti malware uses a novel backdoor, dubbed PipeMon on account of the numerous pipes it uses to communicate between modules. PipeMon itself was seen to be installed with a legitimate Windows signing certificate stolen from Nfinity Games in a hack dating back to 2018. Despite the long interval since then, the stolen code-signing certificate had still not been revoked.

The Ugly

It’s time for this week’s Ugly breach news, starting with UK airline EasyJet. Britain’s largest airline has leaked something in the region of 9 million customer email addresses along with their travel data, it was revealed this week. Among the leaks, an estimated 2,208 customers also had their credit card details exposed, so this is likely a lucrative payday for the cyber criminals. EasyJet say they have complied with local breach notice regulations and all customers who have been affected will receive notice by May 26th. In light of the breach, EasyJet customers should be extra vigilant for phishing emails and pay close attention to credit card statements for signs of fraudulent transactions.

Meal-kit delivery specialists Home Chef were the latest to confirm a data breach this week that was first announced by previously unheard-of darknet data broker ShinyHunters. The group have been teasing a number of large data breaches throughout May on various criminal forums, but some of their early leaks proved to be of little value. The claim to have 500GB of Microsoft source code, for example, was met with skepticism when the 1GB sample they publicly dropped turned out to be little more than material that had been scheduled for publication.

However, Home Chef and a string of other well-known sites have started offering confirmations to back up some of the ShinyHunters’ other claims. Researchers suspect that ShinyHunters’ sudden appearance as a “big league” player in the murky world of criminal data trading is evidence of an experienced operator trying on a new identity. Regardless, such breaches will undoubtedly serve to pile on the worry for affected customers while causing unfortunate reputational damage to the breached organizations.


IBM confirms layoffs are happening, but won’t provide details

IBM confirmed reports from overnight that it is conducting layoffs, but wouldn’t provide details related to location, departments or number of employees involved. The company framed it in terms of replacing people with more needed skills as it tries to regroup under new CEO Arvind Krishna.

“IBM’s work in a highly competitive marketplace requires flexibility to constantly remix to high-value skills, and our workforce decisions are made in the long-term interests of our business,” an IBM spokesperson told TechCrunch.

Patrick Moorhead, principal analyst at Moor Insights & Strategy, says he’s hearing the layoffs are hitting across the business. “I’m hearing it’s a balancing act between business units. IBM is moving as many resources as it can to the cloud. Essentially, you lay off some of the people without the skills you need and who can’t be re-educated and you bring in people with certain skill sets. So not a net reduction in headcount,” Moorhead said.

It’s worth noting that IBM used a similar argument back in 2015 when it reportedly had layoffs. While there is no official number, Bloomberg is reporting that today’s number is in the thousands.

Holger Mueller, an analyst at Constellation Research, says that IBM is in a tough spot. “The bets of the past have not paid off. IBM Cloud as IaaS is gone, Watson did not deliver and Blockchain is too slow to keep thousands of consultants occupied,” he said.

Mueller adds that the company could also be feeling the impact of having workers at home instead of in the field. “Enterprises do not know and have not learnt how to do large software projects remotely. […] And for now enterprises are slowing down on projects as they are busy with reopening plans,” he said.

The news comes against the backdrop of companies large and small laying off large numbers of employees as the pandemic takes its toll on the workforce. IBM was probably due for a workforce reduction, regardless of the current macro situation, as Krishna tries to right the financial ship.

The company has struggled in recent years, and with the acquisition of Red Hat for $34 billion in 2018, it is hoping to find its way as a more open hybrid cloud option. It apparently wants to focus on skills that can help them get there.

The company indicated that it would continue to subsidize medical expenses for laid off employees through June 2021, so there is that.

6 CISOs share their game plans for a post-pandemic world

Like all business leaders, chief information security officers (CISOs) have shifted their roles quickly and dramatically during the COVID-19 pandemic, but many have had to fight fires they never expected.

Most importantly, they’ve had to ensure corporate networks remain secure even with 100% of employees suddenly working from home. Controllers are moving millions between corporate accounts from their living rooms, HR managers are sharing employees’ personal information from their kitchen tables and tens of millions of workers are accessing company data using personal laptops and phones.

This unprecedented situation reveals once and for all that security is not only about preventing breaches, but also about ensuring fundamental business continuity.

While it might take time, everyone agrees the pandemic will end. But how will the cybersecurity sector look in a post-COVID-19 world? What type of software will CISOs want to buy in the near future, and two years down the road?

To find out, I asked six of the world’s leading CISOs to share their experiences during the pandemic and their plans for the future, providing insights on how cybersecurity companies should develop and market their solutions to emerge stronger:

The security sector will experience challenges, but also opportunities

The good news is, many CISOs believe that cybersecurity will weather the economic storm better than other enterprise software sectors. That’s because security has become even more top of mind during the pandemic; with the vast majority of corporate employees now working remotely, a secure network has never been more paramount, said Rinki Sethi, CISO at Rubrik. “Many security teams are now focused on ensuring they have controls in place for a completely remote workforce, so endpoint and network security, as well as identity and access management, are more important than ever,” said Sethi. “Additionally, business continuity and disaster recovery planning are critical right now — the ability to respond to a security incident and have a robust plan to recover from it is top priority for most security teams, and will continue to be for a long time.”

That’s not to say all security companies will necessarily thrive during this current economic crisis. Adrian Ludwig, CISO at Atlassian, notes that an overall decline in IT budgets will impact security spending. But the silver lining is that some companies will be acquired. “I expect we will see consolidation in the cybersecurity markets, and that most new investments by IT departments will be in basic infrastructure to facilitate work-from-home,” said Ludwig. “Less well-capitalized cybersecurity companies may want to begin thinking about potential exit opportunities sooner rather than later.”

12 VCs share their thoughts on enterprise startup trends and opportunities

Compared to other tech firms, enterprise companies have held up well during the pandemic.

If anything, the problems enterprises were facing prior to the economic downturn have become even more pronounced; if you were thinking about moving to the cloud or just dabbling in it, you’re probably accelerating that motion. If you were trying to move off of legacy systems, that has become even more imperative. And if you were attempting to modernize processes and workflows, whether engineer- and developer-related, or across other parts of the organization, chances are good that you are giving that a much closer look.

We won’t be locked down forever and employees will eventually return to offices, but it’s likely that many companies will take the lessons they learned during this era and put them to work inside their organizations. Startups are uniquely positioned to help companies solve these new modern kinds of problems, much more so than a legacy vendor (which could be itself trying to update its approach).

Venture capitalists certainly understand all of these dynamics and are always dutifully searching for startups that could help companies shift to a digital future more quickly.

We spoke to 12 of them to take their pulse and learn more about the trends that are exciting them, what they look for in an investment opportunity and which parts of the enterprise are ripe for startups to impact:

  • Max Gazor, CRV
  • Navin Chaddha, Mayfield
  • Matt Murphy, Menlo Ventures
  • Soma Somasegar, Madrona Ventures
  • Jon Lehr, Work-Bench
  • Steve Herrod, General Catalyst
  • Jai Das, Sapphire Ventures
  • Ed Sim, Boldstart Ventures
  • Martin Casado, Andreessen Horowitz
  • Vasant Natarajan, Accel
  • Dharmesh Thakker, Battery Ventures

Max Gazor, CRV

What trends are you most excited about in the enterprise from an investing perspective?

It’s abundantly clear that cloud software markets are bigger than most people anticipated. We continue to invest heavily there as we have been doing for the last decade.

Specifically, the most exciting trend right now in enterprise is low-code software development. I’m on the board of Airtable, where I led the Series A and co-led the Series B investments, so I see first hand how this will play out. We are heading toward a future where hundreds of millions of people will be empowered to compose software that fits their own needs. Imagine the productivity and transformation that will unlock in the world! It may be one of the largest market opportunities we have seen since cloud computing.

Extra Crunch Live: Join Box CEO Aaron Levie May 28th at noon PT/3 pm ET/7 pm GMT

We’ve been on a roll with our Extra Crunch Live Series for Extra Crunch members, where we’re talking to some of the biggest names in Silicon Valley about business, investment and the startup community. Recent interviews include Kirsten Green from Forerunner Ventures, Charles Hudson from Precursor Ventures and investor Mark Cuban.

Next week, we’re pleased to welcome Box CEO Aaron Levie. He is a well-known advocate of digital transformation, often a years-long process that many companies have compressed into a few months because of the pandemic, as he has pointed out lately.

As the head of an enterprise SaaS company that started out to help users manage information online, he has a unique perspective on what’s happening in this period as companies move employees home and implement cloud services to ease the transition.

Levie started his company 15 years ago while still an undergrad in the proverbial dorm room and has matured from those early days into a public company executive, guiding his employees, customers and investors through the current crisis. This is not the first economic downturn he has faced as CEO at Box; when it was still an early-stage startup, he saw it through the 2008 financial crisis. Presumably, he’s taking the lessons he learned then and applying them now to a much more mature organization.

Please join TechCrunch writers Ron Miller and Jon Shieber as we chat with Levie about how he’s handling the COVID-19 crisis, moving employees offsite and what advice he has for companies that are accelerating their digital transformation. After he’s shared his wisdom for startups seeking survival strategies, we’ll discuss what life might look like for Box and other companies in a post-pandemic environment.

During the call, audience members are encouraged to ask questions. We’ll get to as many as we can, but you can only participate if you’re an Extra Crunch member, so please subscribe here.

Extra Crunch subscribers can find the Zoom link below (with YouTube to follow) as well as a calendar invite so you won’t miss this conversation.

Why On-Device Detection Matters: New Ramsay Trojan Targets Air-Gapped Networks

The Ramsay “framework” emerged in late 2019 and was disclosed thanks to a discovery by researchers querying the VirusTotal public malware repository. As of April 2020, there appear to be two fully maintained branches of the toolkit. Although in-the-wild instances of the Ramsay malware appear to be low at present, this may be due to the malware’s highly specialized objectives. The Ramsay samples discovered to date are heavily focused on both persistence and data exfiltration from air-gapped environments. This suggests the possibility that the malware was developed for advanced targeted campaigns by a threat actor primarily interested in organizations trying to protect the most sensitive of information. As is often the case with specialized malware, there is also a real danger of it “leaking” or being repurposed against targets that were not in the original threat actors’ sights.

Ramsay Distribution and Persistence

The original version of Ramsay was distributed via maliciously crafted Office documents. These documents were distributed via email and were designed to exploit CVE-2017-0199 to facilitate the installation of the malware. CVE-2017-0199 is a remote code execution flaw in Microsoft Word. Specifically, it allows attackers to retrieve and launch code, including VBS and PowerShell, upon the opening of a specially crafted RTF document. Several versions of these malicious Word documents were discovered on VirusTotal with names such as “access_test.docx” and “Test.docx”, indicating that the threat actors may have been evaluating how well their malware fared against vendors’ static engines.

Later versions of Ramsay (v2.a/2.b) were distributed as trojanized installers for well-known applications such as 7-Zip. These later versions also included an aggressive spreading mechanism which locates local and network-adjacent PE files and infects them to allow for further spreading in targeted environments.

Version 2.b was also seen to be exploiting CVE-2017-11882. This vulnerability allows attackers to achieve arbitrary code execution as the current user in MS Office 2016 and several earlier Office Service Pack versions. Both CVE-2017-0199 and CVE-2017-11882 are used for exploitation for client execution (MITRE T1203).

Along with the spreading capabilities, Ramsay includes multiple techniques for maintaining persistence. These include:

  • AppInit_DLLs Registry Key Entries
  • Scheduled Tasks
  • DLL Hijacking

While early versions used well-known persistence techniques such as loading custom DLLs into other application processes’ address space and task scheduling, later versions leverage DLL Hijacking, specifically targeting msfte.dll and oci.dll dependencies of the Microsoft Search Service and the Microsoft Distributed Transaction Coordinator service, respectively.
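The three persistence mechanisms listed above can be audited from the defender's side. The following read-only PowerShell script is an added example, not code from the SentinelOne post or from Ramsay itself; it assumes an elevated PowerShell 5.1+ session on the host being checked, and that msfte.dll and oci.dll are not present in System32 on a default Windows installation (so their presence there is worth reviewing):

```powershell
# Added example: audit a Windows host for the persistence techniques named above.
# Read-only; run as Administrator. Output is a table of findings for an analyst to review.
$findings = @()

# 1. AppInit_DLLs: a non-empty value is worth review; LoadAppInit_DLLs=1 makes it active.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($key in $appInitKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    if ($props.AppInit_DLLs) {
        $findings += [pscustomobject]@{
            Technique = 'AppInit_DLLs'
            Location  = $key
            Detail    = "AppInit_DLLs='$($props.AppInit_DLLs)' LoadAppInit_DLLs=$($props.LoadAppInit_DLLs)"
        }
    }
}

# 2. DLL hijacking: msfte.dll (Windows Search) and oci.dll (MSDTC) in System32.
#    Assumption: neither ships with Windows, so any copy is reported along with its signature state.
foreach ($name in 'msfte.dll', 'oci.dll') {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (Test-Path $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $findings += [pscustomobject]@{
            Technique = 'DLL hijacking'
            Location  = $path
            Detail    = "Signature=$($sig.Status) Signer=$($sig.SignerCertificate.Subject)"
        }
    }
}

# 3. Scheduled tasks whose action runs from a user-writable directory.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -match '\\(Temp|AppData|ProgramData)\\') {
            $findings += [pscustomobject]@{
                Technique = 'Scheduled task'
                Location  = "$($task.TaskPath)$($task.TaskName)"
                Detail    = "$($a.Execute) $($a.Arguments)"
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

A hit in any of the three categories is a lead, not a verdict; compare the flagged file or task against the host's software inventory before acting on it.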

Ramsay Observed Behavior

Ramsay’s main goal is data collection and exfiltration. Immediately upon infection, the trojan will begin to locate specific document types, particularly MS Word and PDF format files, and store them in a customized location. The items are also archived and encrypted via RC4, and subsequently compressed with an instance of WinRAR installed by the trojan. It should be noted that Ramsay will attempt to collect documents from both local and remote locations where possible. Ramsay also has some built-in “intelligence” to avoid the collection of duplicate/redundant files.

The analysis is ongoing with respect to the data exfiltration mechanism. Current intelligence indicates that an additional component will locate the collected “containers” of documents from infected hosts, identified by special file markers. When the containers are located, AND a Ramsay control file is located on the affected network, data exfiltration can occur via this additional component. Ramsay uses intra-network control files to operate, as opposed to a central command-and-control infrastructure.

Spreading is handled via an additional component, dropped by the main installer. This component will scan and locate accessible drives/locations (excluding A: and B: reserved devices).

Given some level of code reuse, there may be correlation between Ramsay and the Retro Backdoor associated with Darkhotel. As with the data exfiltration piece, analysis of this relationship is ongoing.

Does SentinelOne Protect Against Ramsay Malware?

Yes, it does. Organizations secured by the SentinelOne platform are fully protected against the threat from Ramsay malware, as demonstrated in this video.

Even when the network is disconnected such as with an air-gapped device, the SentinelOne agent will detect the malware locally on-device.

[Image: SentinelOne protecting a device with no network connection]

Conclusion

The Ramsay framework is a novel malware toolkit that appears to be under active development by a sophisticated threat actor. While current telemetry suggests this is a highly targeted attack focused on specific environments, history suggests that a malware toolkit of this nature could soon ‘spread its wings’ and represent a threat to a much wider audience. Moreover, the discovery of this new toolkit targeting air-gapped machines highlights the importance of having a behavioral, AI-driven security solution that can actively detect and respond to threats on the local device without solely relying on cloud connectivity, human analysts or static reputation engines.

If you are not already protected by SentinelOne and would like to learn more about how our industry-leading platform can help defend your organization against Ramsay malware and all other threats, contact us or request a free demo today.

Sample Hashes for Ramsay Malware




Identity management startup Truework raises $30M to help you verify your work history

As organizations look for safe and efficient ways of running their services in the new global paradigm of increased social distancing, a startup that has built a platform to help people verify their work details in a secure way is announcing a round of growth funding.

Truework, which provides a way for banks, apartment-rental agencies, and others to check the employment details of an applicant in a quick and secure manner online, has raised $30 million, money that CEO and co-founder Ryan Sandler said in an interview it would use both to grow its existing business and to explore adding more details — both via its own service and via third-party partnerships — to the identity information that it shares.

The Series B is being led by Activant Capital — a VC that focuses on B2B2C startups — with participation also from Sequoia Capital and Khosla Ventures, as well as a number of high profile execs and entrepreneurs — Jeff Weiner (LinkedIn); Tom Gonser (Docusign); William Hockey (Plaid); and Daniel Yanisse (Checkr) among them.

The LinkedIn connection is an interesting one. Both Sandler and co-founder Victor Kabdebon were engineers at LinkedIn working on profile and improving the kind of data that LinkedIn sources on its users (the third co-founder, Ethan Winchell, previously worked elsewhere), and while Sandler tells me that the idea for Truework came to them after both left the company, he sees LinkedIn “as a potential partner here,” so watch this space.

The problem that Truework is aiming to solve is the very clunky, and often insecure, nature of how organizations typically verify an individual’s employment information. Details about salary and where you work, and the job you do, are typically essential for larger financial transactions, whether it’s securing a mortgage or another financing loan, or renting an apartment, or for others who might need to verify that information for other purposes, such as staffing agencies.

Typically that kind of information gathering is time-consuming both to reach out to get and to confirm (Sandler cites statistics that say on average an HR person spends over 1,000 hours annually answering questions like these). And some of the systems that have been put in place to do that work — specifically consumer reporting agencies — have been proven not to be as watertight in their security as you would hope.

“Your data is flowing around lots of third party platforms,” Sandler said. “You’re releasing a lot of information about yourself and you don’t know where the data is going and if it’s even accurate.”

Truework’s solution is based around a platform, and now an API, that a company buys into. In turn, it gives its employees the ability to consent to using it. If the employee agrees, Truework sources a worker’s place of employment and salary details. Then when a third party wants to verify that information for the person in question, it uses Truework to do so, rather than contacting the company directly.

Then, when those queries come in, Truework contacts the individual with an email or text about the inquiry, so that he/she can okay (or reject) the request. Truework’s Sandler said that it uses ISO27001, SOC2 Type 1 & 2 protections, but he also confirmed that it does store your data.

Currently the idea is that if you leave your job, your next employer would also need to be a Truework customer in order to update the information it has on you: the startup makes money by charging both larger enterprises that make the platform accessible to employees and those organizations that are querying for the information/verifications (small business employers using the platform can use it for free).

Over time, the plan will be to configure a way to update your profiles regardless of where you work.

So far, the concept has seen a lot of traction: there are 20,000 small businesses using the platform, as well as 100 enterprises, with the number of verifiers (its term for those requesting information) now at 40,000. Customers include The College Board, The Real Real, Oscar Health, The Motley Fool, and Tuft & Needle.

While all of this was built at a time before COVID-19, the global health pandemic has highlighted the importance of having more efficient and secure systems for doing work, especially at a time when many people are not in the office.

“Our biggest competitor is the fax machine and the phone call,” Sandler said, “but as companies move to more remote working, no one is manning the phones or fax machines. But these operations still need to happen.” Indeed, he points out that at the end of 2019, Truework had 25,000 verifiers. Nearly doubling its end-user customers speaks to the huge boost in business it has seen in the last five months.

That is part of the reason the company has attracted the investment it has.

“Truework’s platform sits at the center of consumers’ most important transactions and life events – from purchasing a home, to securing a new job,” said Steve Sarracino, founder and partner at Activant Capital, in a statement. “Up until now, the identity verification process has been painful, expensive, and opaque for all parties involved, something we’ve seen first-hand in the mortgage space. Starting with income and employment, Truework is setting the standard for consent-based verifications and unlocking the next wave of the digital economy. We’re thrilled to be partnering with this exceptional team as they continue to scale the platform.” Sarracino is joining the board with this round.

While a big focus in the world of tech right now may be on building more and better ways of connecting goods and services to people in as contact-free a way as possible, the bigger play around identity management has been around for years, and will continue to be a huge part of how the internet develops in the future.

The fax and phone may be the primary tools these days for verifying employment information, but on a more general level, there are companies like Facebook, Google and Apple already playing a big role in how we “log in” and use all kinds of services online. They, along with others focused squarely on the identity and verification space (and Truework works with some of them), and using a myriad of approaches that include biometrics, ‘wallet’-style passports that link to information elsewhere, and more, will all continue to try to make the case for why they might be the most trusted provider of that layer of information, at a time when we may want to share less and especially share less with multiple parties.

That is the bigger opportunity that investors are betting on here.

“The increasing momentum Truework has seen since its founding in 2017 demonstrates the critical need for transformation in this space,” said Alfred Lin, partner at Sequoia, in a statement. “Privacy, especially around identity data, is becoming increasingly top of mind for consumers and how they make transactions online.”

Truework has now raised close to $45 million, and it’s not disclosing its valuation.