The Good, the Bad and the Ugly in Cybersecurity – Week 28

The Good

This week, a major Business Email Compromise scam targeting Office 365 accounts has been stopped in its tracks. BEC or Email Account Compromises were responsible for the largest share of losses from internet-related crime last year. The fraudsters were using the COVID-19 pandemic as a lure, driving phishing traffic through six internet domains and using malicious web apps to gain credentials to victims’ Office 365 accounts.

The use of web apps is novel. Rather than using a cloned, phoney login page, the criminals asked the victims to give consent for the web app to access their accounts. Once an account takeover had been accomplished, the attackers used it as part of a scam to convince business leaders to authorize wire transfers to the attackers.
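One way a defender can hunt for the consent-grant pattern described above is to audit the tenant's OAuth grants. The script below is an added example, not SentinelOne's or Microsoft's code; it assumes the service principals and oauth2PermissionGrants have already been exported from Microsoft Graph to JSON, and the records, tenant id and allowlist it uses are constructed placeholders.

```python
"""Flag OAuth consent grants that match the Office 365 consent-phishing
pattern: a user consented to an app registered outside the tenant, the app
is not on an allowlist, and the grant carries high-risk delegated scopes.

Added example, not SentinelOne's or Microsoft's code. Input objects follow
the shape of Microsoft Graph servicePrincipal / oauth2PermissionGrant
records; the sample data below is constructed, not real tenant data."""
import json

# Delegated scopes that give a third-party app the mailbox, contact or file
# access an attacker needs to read, send or impersonate in a BEC scheme.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "Contacts.Read", "offline_access",
}

# Assumed tenant id and an assumed allowlist of vetted app ids (placeholders).
TENANT_ID = "11111111-1111-1111-1111-111111111111"
ALLOWED_APP_IDS = {"00000003-0000-0000-c000-000000000000"}

# Constructed sample: two service principals and three consent grants.
SERVICE_PRINCIPALS = json.loads("""[
 {"id": "sp-1", "appId": "aaaaaaaa-0000-0000-0000-000000000001",
  "displayName": "Office 365 Inventory Helper",
  "appOwnerOrganizationId": "99999999-9999-9999-9999-999999999999"},
 {"id": "sp-2", "appId": "bbbbbbbb-0000-0000-0000-000000000002",
  "displayName": "Internal HR Portal",
  "appOwnerOrganizationId": "11111111-1111-1111-1111-111111111111"}
]""")
GRANTS = json.loads("""[
 {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-7",
  "resourceId": "graph-sp",
  "scope": "User.Read Mail.ReadWrite Mail.Send offline_access"},
 {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-9",
  "resourceId": "graph-sp", "scope": "User.Read"},
 {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": null,
  "resourceId": "graph-sp", "scope": "User.Read Mail.Read"}
]""")


def audit_consent_grants(service_principals, grants,
                         tenant_id=TENANT_ID, allowed=ALLOWED_APP_IDS):
    """Return one finding per grant that matches the consent-phishing pattern."""
    sps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = sps.get(g["clientId"])
        if sp is None or sp["appId"] in allowed:
            continue
        scopes = set(g.get("scope", "").split())
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        if not risky:
            continue
        foreign = sp.get("appOwnerOrganizationId") != tenant_id
        # Per-user consent ("Principal") to a foreign app is the pattern in the
        # scam above; admin-wide consent to an in-tenant app is usually legitimate.
        if g["consentType"] == "Principal" and foreign:
            findings.append({
                "app": sp["displayName"],
                "appId": sp["appId"],
                "user": g["principalId"],
                "risky_scopes": risky,
            })
    return findings


if __name__ == "__main__":
    for f in audit_consent_grants(SERVICE_PRINCIPALS, GRANTS):
        print(f"review/revoke: {f['app']} ({f['appId']}) consented by "
              f"{f['user']}: {', '.join(f['risky_scopes'])}")
```

Only the grant by user-7 to the foreign "Inventory Helper" app is reported; the in-tenant HR portal and the scope-free grant are not.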

The scam, said to have been operating in over 62 countries, involved the use of the following malicious domains, now seized by Microsoft:

officeinventorys.com
officesuitesoft.com
officehnoc.com
officesuited.com
officemtr.com
mailitdaemon.com

In other good news this week, the macOS security community took apart a combined ransomware/info stealer hiding in cracked software distributed via public torrents. Dubbed “EvilQuest” or “ThiefQuest”, the malware appears to copy the successful model seen in the Windows world: stealing data quietly in the background while noisily demanding a ransom for encrypted files in the foreground.

SentinelLabs broke the symmetric encryption used by the EvilQuest/ThiefQuest malware and released a public decryptor. It is also pleasing to see the Bitcoin address set up by the threat actors to collect funds hasn’t recorded a single transaction. The malware remains of concern for victims, however, as the separate data theft and backdoor components may have made off with sensitive data and could still be active if the device hasn’t been properly sanitized.

The Bad

A report out this week has found that cyber threats to operational technology systems through USB removable media devices have almost doubled in the last 12 months. Nearly half of all industrial locations surveyed in the report said they had detected at least one threat targeting their industrial process control networks. The report highlights the continuing prevalence of USB devices and their use as an attack vector, with 20% of the reported attacks said to be coming through removable storage devices. Among the objectives, the attackers were most interested in opening backdoors, establishing persistent remote access and delivering further malicious payloads.

The rise in USB-borne threats isn’t due to malware accidentally being transferred from one device to another, it was said, but rather a result of “deliberate and coordinated” attacks – like Disttrack, Duqu, Ekans, Industroyer and USBCulprit, among others – to leverage USB devices in targeting OT systems. The report serves as a timely reminder to all enterprise security teams of the importance of controlling removable media, including software-based USB devices.

The Ugly

At last count, there were something like 7.8bn people floating around on our small planet, but there are around double that number of stolen account credentials circulating on hacker forums, with around 5 billion of those being unique, according to a new audit of the darknet. The massive cache of exposed data is a result of over 100,000 data breaches, which is a terrifying number of security failures to contemplate.

These credentials are for accounts ranging from social media, streaming, VPN and gaming sites to banking, financial services and even domain administrator accounts. Criminals looking to buy access to someone else’s online banking account, for example, may pay around $500 or less on the darknet; a domain admin account may be auctioned off to the highest bidder for anything from a few thousand dollars to over $100,000, depending on the account.

Online credential theft and account takeovers are a booming industry, as cyber criminals engage in mass phishing campaigns with botnets, drop credential-stealing malware, and use techniques like credential stuffing and brute-forcing to steal passwords. As the report highlights, criminals are now collecting and selling access to digital fingerprint data such as cookies, IP addresses and timezones so that stolen credentials can be used without triggering a suspicious login alert from the service. Some darknet markets – Genesis Market, UnderWorld Market and Tenebris – were noted as places offering to rent out limited-time access to compromised accounts to other cybercriminals. These can be used for specific purposes such as laundering money, receiving emails or buying goods.

According to the researchers, the average person uses almost 200 online services that require passwords. With many users unaware of basic password security and many organizations failing to stop data breaches, it’s possible that today’s figure of 15 billion will seem like small change in just a few years’ time.



Read more about Cyber Security

What do investors bidding up tech shares know that the rest of us don’t?

The biggest story to come out of the post-March stock market boom has been explosive growth in the value of technology shares. Software companies in particular have seen their fortunes recover; since March lows, public software companies’ valuations have more than doubled, according to one basket of SaaS and cloud stocks compiled by a Silicon Valley venture capital firm.

Such gains are good news for startups of all sizes. For later-stage upstarts, software share appreciation helps provide a welcoming public market for exits. And, strong public valuations can help guide private dollars into related startups, keeping the capital flowing.




For software-focused startup companies, especially those pursuing recurring revenue models like SaaS, it’s a surprisingly good time to be alive.

Indeed, after COVID-19 hit the United States, layoffs and rising software sales churn were key, worrying indicators coming out of startup-land. Since then, the data has turned around.

As TechCrunch reported in June, startup layoffs have declined and software churn has recovered to the point that business and enterprise-focused SaaS companies are on the bounce.

But instead of merely recovering to near pre-COVID levels, software stocks have continued to rise. Indeed, the Bessemer Cloud Index (EMCLOUD), which tracks SaaS firms, has set an array of all-time highs in recent weeks.

There’s some logic to the rally. After speaking to venture capitalists over the past few weeks, notes from EQT Ventures’ Alastair Mitchell, Sapphire’s Jai Das, and Shomik Ghosh from Boldstart Ventures paint the picture of a possibly accelerating digital transformation for some software companies, nudged forward by COVID-19 and its related impacts.

The result of the trend may be that the total addressable market (TAM) for software itself is larger than previously anticipated. Larger TAM could mean bigger future sales and more substantial future cash flows for some software companies. This argument helps explain part of the market’s present-day enthusiasm for public tech equities, and especially the shares of software companies.

We won’t be able to explain every point that Nasdaq has gained. But the TAM argument is worth understanding if we want to grok a good portion of the optimism that is helping drive tech valuations, both private and public.

Operator Collective brings diversity and inclusion to enterprise investing

When Mallun Yen started Operator Collective last year, she wanted to build an investment firm for people who didn’t have a voice in Silicon Valley. That meant connecting women and people of color with operators who have been intimately involved in building companies from the ground up, then providing early-stage investment.

She then brought in Leyla Seka as a partner. Seka helped build the AppExchange at Salesforce into a powerful marketplace for companies built on top of the Salesforce platform, or that plugged into the platform in some meaningful way to sell their offerings directly to Salesforce customers. Through that role, she met a lot of people in the startup world, and she saw a lot of inequities.

Yen, whose background includes eight years as a VP at Cisco, and co-founder of Saastr with Jason Lemkin, wanted to build a different kind of firm, one that connected these operators — women like herself and Seka, who had walked the walk of running substantial businesses — with people who didn’t typically get heard in the corridors of VC firms.

Those operators themselves tend to be underrepresented at investment shops. The firm today consists of 130 operator LPs, 90% of whom are women and 40% people of color (which includes Asians). One way that the company can do this is by removing rigid buy-in requirements. LPs can contribute as little as $10,000, all the way up to millions of dollars, depending on their means, and that makes for a much more diverse pool of LPs.

While Seka admits they are far from perfect, she says they are fighting the good fight. So far, the company has invested in 18 startups with a more diverse set of founders and executives than you find at most firms that invest in enterprise startups. That means that 67% of their investments include people of color (which breaks down to 44% Asian, 17% Latinx and 6% Black), 56% include a female founder, 56% have an immigrant founder and 33% have a female CEO.

I sat down with Yen and Seka to discuss their thinking about enterprise investing. While they have a far more inclusive philosophy than most, their general approach to enterprise investing isn’t all that different than what we’ve seen in previous surveys with enterprise investors.

Which trends are you most excited about in the enterprise from an investing perspective?

Rackspace preps IPO after going private in 2016 for $4.3B

After going private in 2016 after accepting a $32 per share, or $4.3 billion, price from Apollo Global Management, Rackspace is looking once again to the public markets. First going public in 2008, Rackspace is taking second aim at a public offering around 12 years after its initial debut.

The company describes its business as a “multicloud technology services” vendor, helping its customers “design, build and operate” cloud environments. That Rackspace is highlighting a services focus is useful context to understand its financial profile, as we’ll see in a moment.

But first, some basics. The company’s S-1 filing denotes a $100 million placeholder figure for how much the company may raise in its public offering. That figure will change, but does tell us that firm is likely to target a share sale that will net it closer to $100 million than $500 million, another popular placeholder figure.

Rackspace will list on the Nasdaq with the ticker symbol “RXT.” Goldman, Citi, J.P. Morgan, RBC Capital Markets and other banks are helping underwrite its (second) debut.

Financial performance

Similar to other companies that went private, only later to debut once again as a public company, Rackspace has oceans of debt.

The company’s balance sheet reported cash and equivalents of $125.2 million as of March 31, 2020. On the other side of the ledger, Rackspace has debts of $3.99 billion, made up of a $2.82 billion term loan facility, and $1.12 billion in senior notes that cost the firm an 8.625% coupon, among other debts. The term loan costs a lower 4% rate, and stems from the initial transaction to take Rackspace private ($2 billion), and another $800 million that was later taken on “in connection with the Datapipe Acquisition.”

The senior notes, originally worth a total of $1,200 million or $1.20 billion, also came from the acquisition of the company during its 2016 transaction; private equity’s ability to buy companies with borrowed money, later taking them public again and using those proceeds to limit the resulting debt profile while maintaining financial control is lucrative, if a bit cheeky.

Rackspace intends to use IPO proceeds to lower its debt-load, including both its term loan and senior notes. Precisely how much Rackspace can put against its debts will depend on its IPO pricing.

Those debts take a company that is comfortably profitable on an operating basis and make it deeply unprofitable on a net basis. Observe:

[Table image from the S-1 omitted. Image Credits: SEC]

Looking at the far-right column, we can see a company with material revenues, though slim gross margins for a putatively tech company. It generated $21.5 million in Q1 2020 operating profit from its $652.7 million in revenue from the quarter. However, interest expenses of $72 million in the quarter helped lead Rackspace to a deep $48.2 million net loss.

Not all is lost, however, as Rackspace does have positive operating cash flow in the same three-month period. Still, the company’s multi-billion-dollar debt load is still steep, and burdensome.

Returning to our discussion of Rackspace’s business, recall that it said that it sells “multicloud technology services,” which tells us that its gross margins will be service-focused, which is to say that they won’t be software-level. And they are not. In Q1 2020 Rackspace had gross margins of 38.2%, down from 41.3% in the year-ago Q1. That trend is worrisome.

The company’s growth profile is also slightly uneven. From 2017 to 2018, Rackspace saw its revenue expand from $2.14 billion to $2.45 billion, growth of 14.4%. The company shrank slightly in 2019, falling from $2.45 billion in revenue in 2018 to $2.44 billion the next year. Given the economy that year, and the importance of cloud in 2019, the results are a little surprising.

Rackspace did grow in Q1 2020, however. The firm’s $652.7 million in first-quarter top-line easily bested its Q1 2019 result of $606.9 million. The company grew 7.6% in Q1 2020. That’s not much, especially during a period in which its gross margins eroded, but the return-to-growth is likely welcome all the same.

TechCrunch did not see Q2 2020 results in its S-1 today while reading the document, so we presume that the firm will re-file shortly to include more recent financial results; it would be hard for the company to debut at an attractive price in the COVID-19 era without sharing Q2 figures, we reckon.

How to value Rackspace is a puzzle. The company is tech-ish, which means it will find some interest. But its slow growth rate, heavy debts and lackluster margins make it hard to pin a fair multiple onto. More when we have it.

WhatsApp Business, now with 50M MAUs, adds QR codes and catalog sharing

The global COVID-19 health pandemic has raised the stakes for businesses when it comes to using digital channels to connect with customers, and today WhatsApp unveiled its latest tools to help businesses use its platform to do just that.

The Facebook-owned messaging behemoth is expanding the reach and use of QR codes to let customers easily connect with businesses on the platform, providing them also with a series of stickers (pictured below) to kick off “we’re open for business” campaigns; and it’s made it possible for businesses to start sharing WhatsApp-based catalogs — dynamic lists of items that can in turn be ordered by users — as links outside of the WhatsApp platform itself.

The new launches come as WhatsApp’s business efforts pass some significant milestones.

WhatsApps’ profile as a formal platform for doing business is growing, albeit slowly. The WhatsApp Business app — used by merchants to interface with customers over WhatsApp and use the platform to market themselves — now has 50 million monthly active users, according to Facebook. Its two biggest markets for the service are India at over 15 million MAUs and Brazil at over 5 million MAUs, while catalogs specifically have had 40 million viewers.

On the other hand, WhatsApp has hit some stumbling blocks with features it’s tried to put into place to grow those numbers faster and boost usage among businesses.

Specifically, last month WhatsApp launched payments in Brazil, its first market, aimed not just at users sending each other money but merchants selling goods and services over the platform. But just nine days later, Brazilian regulators blocked the service over competition concerns, and it has yet to be restored pending further review. (India, which many had thought would be the first market for payments, is now part of a bigger global roadmap for rolling out payments.)

To put WhatsApp Business app’s usage numbers into some context, WhatsApp itself passed 2 billion users in February of this year. In that regard, hitting 50 million MAUs of the WhatsApp business app in the two years since it’s launched doesn’t sound like a whole lot (and in particular considering that it has competitors like Google offering payment services to merchants). Still, there has always been a lot of informal usage of the app, especially by smaller merchants, and that speaks to monetising potential if they can be lured into more of WhatsApps’ — and Facebook’s — products.

All the more reason that Facebook is expanding other features to make WhatsApp more useful for businesses, and especially smaller businesses — capitalising on a moment when many of them are turning to numerous digital channels (some for the first time ever) like social media, messaging services, websites and third-party delivery platforms to get their products and services out to the masses, in a period when visiting physical storefronts has been severely curtailed because of the health pandemic.

QR codes got a little boost last week from WhatsApp on the consumer side, with the company introducing a way for contacts to swap details for the first time by sharing codes rather than manually entering phone numbers — not unlike Snap Codes and shortcuts for adding contacts created on other social apps. That is now getting the business treatment.

Now, if you need to reach a business for customer support, to ask a question or order something, instead of manually entering a business phone number, you can scan a QR code from a receipt, a business display at the storefront, a product or even posted on the web, in order to connect with the company. Businesses that are using these can also set up welcome messages to start conversations once they’ve been added by a user. (They will have to use the WhatsApp Business app or the WhatsApp Business API to do this, of course.)

The catalog sharing feature, meanwhile, is an expansion on a feature that the company first launched in November 2019, which will now allow businesses to create and share links to their catalogs to post elsewhere. To be frank, the lack of ability to share catalogs at launch felt like a feature omission, considering that businesses often use multiple channels to market themselves, although it might have been an intentional move: there has long been questions about how tight links are between Facebook and WhatsApp, so slowly introducing features that share and cross-market from the start might be the preferred route for the company.

The idea now will be that those links can now be shared on Facebook, Instagram and other places.

Although all of these services, and WhatsApp Business, remain free to use, they continue to lay the groundwork for how Facebook might monetise the features in the future, not least through payments but also through stronger pushes to advertise on Facebook, now with more ways of linking a company’s WhatsApp profile to those ads.

LogDNA announces $25M Series C investment and new CEO

LogDNA, a startup that helps DevOps teams dig through their log data to find issues, announced a $25 million Series C investment today along with the promotion of industry vet Tucker Callaway to CEO.

Let’s start with the funding. Emergence Capital led the round with participation from previous investors Initialized Capital and Providence Equity. New investors TI Platform Management, Radianx Capital, Top Tier Capital and Trend Forward Capital also joined the round. Today’s investment brings the total raised to $60 million, according to the company.

Current CEO and co-founder Chris Nguyen says the company provides a centralized way to manage log data for DevOps teams with an eye toward troubleshooting issues and getting applications out faster.

New CEO Callaway, whose background includes executive stints at Chef and Sauce Labs, came on board in January as president and CRO with an eye toward moving him into the top spot when the time was right. Nguyen, who will move to the role of chief strategy officer, says everyone was on board with the move, and he was ready to step back into a more technical role.

“When we closed the latest round of funding and looked at what the journey forward looks like, there was just a lot of trust and confidence from my co-founder, the board of directors, all of the investors on the team that Tucker is the right leader,” Nguyen said.

As Callaway takes over in the midst of the pandemic, the company is in reasonably good shape, with 3,000 customers using the product and a strategic partnership with IBM to provide logging services for IBM Cloud. Having $25 million in additional capital certainly helps, but he sees a company that’s still growing and intends to keep hiring.

As he brings more people on board to lead the company of approximately 100 employees, he says that diversity and inclusion is something he is passionate about and takes very seriously. For starters, he plans to put the entire company through unconscious bias training. They have also hired someone to review their hiring practices to date and they are bringing in a consultant to help them design more diverse and inclusive hiring practices and hold them accountable to that.

The company was a member of the same Y Combinator winter 2015 cohort as GitLab. It actually started out building a marketing technology product, only to realize it had built a powerful logging tool on the back end. That logging tool became the basis for LogDNA.

Freshworks acquires IT orchestration service Flint

Customer engagement company Freshworks today announced that it has acquired Flint, an IT orchestration and cloud management platform based in India. The acquisition will help Freshworks strengthen its Freshservice IT support service by bringing a number of new automation tools to it. Maybe just as importantly, though, it will also bolster Freshworks’ ambitions around cloud management.

Freshworks CPO Prakash Ramamurthy, who joined the company last October, told me that while the company was already looking at expanding its IT services (ITSM) and operations management (ITOM) capabilities before the COVID-19 pandemic hit, having those capabilities has now become even more important, given that a lot of these teams are now working remotely.

“If you take ITSM, we allow for customers to create their own workflow for service catalog items and so on and so forth, but we found that there’s a lot of things which were repetitive tasks,” Ramamurthy said. “For example, I lost my password or new employee onboarding, where you need to auto-provision them in the same set of accounts. Flint had integrated with Freshservice to help automate and orchestrate some of these routine tasks and a lot of customers were using it and there’s a lot of interest in it.”

He noted that while the company was already seeing increased demand for these tools earlier in the year, the pandemic made that need even more obvious. And given that pressing need, Freshworks decided that it would be far easier to acquire an existing company than to build its own solution.

“Even in early January, we felt this was a space where we had to have a time-to-market advantage,” he said. “So acquiring and aggressively integrating it into our product lines seemed to be the most optimal thing to do than take our time to build it — and we are super fortunate that we placed the right bet because of what has happened since then.”

The acquisition helps Freshworks build out some of its existing services, but Ramamurthy also stressed that it will really help the company build out its operations management capabilities to go from alert management to also automatically solving common IT issues. “We feel there’s natural synergy and [Flint’s] orchestration solution and their connectors come in super handy because they have connectors to all the modern SaaS applications and the top five cloud providers and so on.”

But Flint’s technology will also help Freshworks build out its ability to help its users manage workloads across multiple clouds, an area where it is going to compete with a number of startups and incumbents. Since the company decided that it wants to play in this field, an acquisition also made a lot of sense given how long it would take to build out expertise in this area, too.

“Cloud management is a natural progression for our product line,” Ramamurthy noted. “As more and more customers have a multi-cloud strategy, we want to give them a single pane of glass for all the work workloads they’re running. And if they wanted to do cost optimization, if you want to build on top of that, we need the basic plumbing to be able to do discovery, which is kind of foundational for that.”

Freshworks will integrate Flint’s tools into Freshservice and likely offer it as part of its existing tiered pricing structure, with service orchestration likely being the first new capability it will offer.

Docker partners with AWS to improve container workflows

Docker and AWS today announced a new collaboration that introduces a deep integration between Docker’s Compose and Desktop developer tools and AWS’s Elastic Container Service (ECS) and ECS on AWS Fargate. Previously, the two companies note, the workflow to take Compose files and run them on ECS was often challenging for developers. Now, the two companies simplified this process to make switching between running containers locally and on ECS far easier.

“With a large number of containers being built using Docker, we’re very excited to work with Docker to simplify the developer’s experience of building and deploying containerized applications to AWS,” said Deepak Singh, the VP for compute services at AWS. “Now customers can easily deploy their containerized applications from their local Docker environment straight to Amazon ECS. This accelerated path to modern application development and deployment allows customers to focus more effort on the unique value of their applications, and less time on figuring out how to deploy to the cloud.”

In a bit of a surprise move, Docker last year sold off its enterprise business to Mirantis to solely focus on cloud-native developer experiences.

“In November, we separated the enterprise business, which was very much focused on operations, CXOs and a direct sales model, and we sold that business to Mirantis,” Docker CEO Scott Johnston told TechCrunch’s Ron Miller earlier this year. “At that point, we decided to focus the remaining business back on developers, which was really Docker’s purpose back in 2013 and 2014.”

Today’s move is an example of this new focus, given that the workflow issues this partnership addresses had been around for quite a while already.

It’s worth noting that Docker also recently engaged in a strategic partnership with Microsoft to integrate the Docker developer experience with Azure’s Container Instances.

“EvilQuest” Rolls Ransomware, Spyware & Data Theft Into One

There has, unsurprisingly, been a great deal of interest in the news that a new macOS threat with ransomware capabilities is on the loose. First brought to the macOS community’s attention by malware researcher Dinesh Devadoss, this threat has been receiving intense scrutiny from security researchers, with some excellent work done by researchers Scott Knight, Patrick Wardle and our own SentinelLabs team. As it turns out, this threat is much more than just a novel piece of ransomware, is under active development, and is one of the more complex threats to be seen so far targeting the Mac platform. In this post, we’ll cover what is known to date and bring you up-to-speed on the latest iterations.

The Many Names of EvilQuest, ThiefQuest, and MacRansom.K

The threat was initially labelled “EvilQuest” by researchers at Malwarebytes, who then re-named it a few days later as “ThiefQuest”. Aside from the two names they suggested, many engines on VT also flag it as MacRansom.K.

This has led to some confusion, unfortunately, both about the threat and its capabilities.

While Mac.Ransom.K does conform to a recognized convention (platform/type/variant), it’s problematic because the threat is not only, and perhaps not even primarily, a ransomware threat. As malware authors on all platforms are increasingly reusing code to provide multiple features, classifying by threat type may not be all that helpful.

A good malware naming convention would ideally group malware samples by common characteristics. On that score, the most common characteristic in the samples seen so far is the __cstring literal “toidievitceffe”, which along with other strings like “rennur.c” (c.runner) is clearly the reverse of otherwise recognizable English language words:

echo 'toidievitceffe' | rev
effectiveidiot

Moreover, we see the developers clearly used “toidievitceffe” as the name of their Xcode project.

Other interesting reversed strings here include “naughtycuckoo”, “keylogger” and “filewatcher”, which as we will explain further below may give a better insight into the threat actor’s true motivation.
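The reversed-string trick above is easy to hunt for in bulk. The script below is an added example, not SentinelLabs tooling: it reimplements the `strings` step in Python and reports every printable string whose reversal (token by token, so that "rennur.c" maps to "c.runner") is made of words from a small embedded vocabulary. The word list and the sample bytes are constructed for the example and stand in for a real dictionary and a real binary.

```python
"""Find reversed-English strings of the "toidievitceffe" kind in a binary.

Added example, not SentinelLabs code. WORDS is a tiny constructed vocabulary
(a real run would load a system word list) and SAMPLE is constructed bytes,
not a real EvilQuest/ThiefQuest binary."""
import re
from collections import Counter

WORDS = {"effective", "idiot", "runner", "keylogger", "naughty", "cuckoo",
         "file", "watcher", "c"}

# Constructed sample "binary": a few reversed strings amid ordinary ones.
SAMPLE = (b"\x00\x01__cstring\x00toidievitceffe\x00rennur.c\x00"
          b"ookcucythguan\x00reggolyek\x00rehctawelif\x00"
          b"/usr/lib/libSystem.B.dylib\x00toidievitceffe\x00Hello\x00")


def extract_strings(data: bytes, min_len: int = 4):
    """Equivalent of `strings -n 4`: runs of printable ASCII of length >= min_len."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def split_words(token: str, words=WORDS):
    """Split a compound such as 'effectiveidiot' into dictionary words,
    longest prefix first with backtracking; None if it cannot be covered."""
    if token in words:
        return [token]
    for i in range(len(token) - 1, 0, -1):
        head, tail = token[:i], token[i:]
        if head in words:
            rest = split_words(tail, words)
            if rest:
                return [head] + rest
    return None


def is_english(s: str, words=WORDS) -> bool:
    """True if every dot-separated token of s is covered by the vocabulary."""
    if not re.fullmatch(r"[a-z.]+", s) or len(s) > 40:
        return False
    tokens = [t for t in s.split(".") if t]
    return bool(tokens) and all(split_words(t, words) for t in tokens)


def is_reversed_english(s: str, words=WORDS) -> bool:
    """True if s is not English as written but becomes English when reversed
    (palindromes and ordinary words are therefore excluded)."""
    return not is_english(s, words) and is_english(s[::-1], words)


def find_reversed_strings(data: bytes):
    """Map each decoded (reversed-back) string to its occurrence count."""
    hits = Counter()
    for s in extract_strings(data):
        if is_reversed_english(s):
            hits[s[::-1]] += 1
    return dict(hits)


if __name__ == "__main__":
    for plain, n in sorted(find_reversed_strings(SAMPLE).items()):
        print(f"{n:3d}  {plain[::-1]:20s} -> {plain}")
```

On the constructed sample this reports "effectiveidiot" twice and "c.runner", "naughtycuckoo", "keylogger" and "filewatcher" once each, while paths, symbol names and ordinary words are left alone.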

In some samples, the reversed “effectiveidiot” string occurs over 60 times, which might suggest the malware authors themselves were rather fond of the idea that security researchers would hit on this for a name. Here we use the excellent floss tool to extract strings as an alternative to the native strings utility:

Moreover, string obfuscation in recent samples shows that the developers deliberately planted the user name “drozdovsky” and the build name “toidievitceffe”, no doubt in an attempt to misdirect attribution.

While it could be argued that malware naming conventions aren’t vitally important, they are nevertheless helpful, particularly for researchers and others tracking evolving public discussion and research. Despite there being a strong argument for calling this new threat “OSX.EffectiveIdiot”, we suspect that this naming muddle is probably a bed that cannot be unmade. “EvilQuest/ThiefQuest” will likely stick simply because of its widespread initial use in the media, and who doesn’t like a thief or a good bit of evil in a headline anyway?

Broken Crypto: Ransomware Capabilities, Just for Show?

As the initial excitement around “EvilQuest/ThiefQuest” stemmed from it being a novel macOS ransomware threat, let’s look at that first. Ransomware has been pillaging the Windows world of late, but this is only the third known ‘in the wild’ ransomware targeting macOS. That in itself is odd, since Macs are now widely used in enterprise environments, particularly by C-Suite staff and by developers, both juicy targets for threat actors. Thus, the appearance of what looks like a Mac ransomware is both novel and, in a sense, not unexpected.

However, as ransomware goes, “EvilQuest/ThiefQuest” fails pretty much on any measure of success. First and foremost, if you’re going to extort money by encrypting people’s files, you are going to want to make your encryption unbreakable. Crypto is hard, and about the one thing everyone who is smart enough to do it will tell you is this: don’t try and roll your own, because you will inevitably do it wrong. Successful ransomware operators are smart enough to follow that advice and will use established encryption algorithms, typically with at least some component being asymmetric; in other words, requiring access to a private key held only by the attacker.

Our “EffectiveIdiot” developers chose to forego that option and opted for symmetric-key encryption, meaning the same key that encrypts a file is used to decrypt it. Even better, as SentinelLabs research lead Jason Reaves discovered:

“…the clear text key used for encoding the file encryption key ends up being appended to the encoded file encryption key. Taking a look at a completely encrypted file shows that a block of data has been appended to it.”

This allowed Jason and the SentinelLabs team to create a public decryptor that can be used by anyone unfortunate enough to have been a victim of this malware. This video shows how to use it:

EvilQuest Ransomware Decryptor in Action
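To make the flaw in the quoted description concrete, here is a constructed model of a file encrypted the way the text describes, with the material needed to unlock it appended to the ciphertext, together with the victim-side recovery that such a layout permits. This is an added illustration, not the EvilQuest/ThiefQuest file format and not the SentinelLabs decryptor: the trailer layout (a 32-byte encoded file key followed by a 32-byte clear-text wrapping key), the key sizes and the toy SHA-256 counter keystream are all assumptions chosen only to show why a symmetric scheme that ships its own key cannot hold files to ransom.

```python
"""Model of the 'key appended to the ciphertext' failure described above.

Constructed example: the layout below (ciphertext || encoded file key ||
clear-text wrapping key) and the toy keystream are assumptions, not the
malware's real format or cipher, and this is not the public decryptor.
"""
import hashlib
import os

KEY_LEN = 32  # assumed size of both the file key and the wrapping key


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || counter), concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_file_broken(plaintext: bytes) -> bytes:
    """Encrypt the way the text describes: symmetric, with the key material
    that unlocks the file written into the file itself."""
    file_key = os.urandom(KEY_LEN)
    wrap_key = os.urandom(KEY_LEN)
    body = xor_bytes(plaintext, keystream(file_key, len(plaintext)))
    encoded_file_key = xor_bytes(file_key, wrap_key)
    # The trailer hands the victim everything needed to undo the encryption;
    # no secret held only by the attacker is involved anywhere.
    return body + encoded_file_key + wrap_key


def recover_file(blob: bytes) -> bytes:
    """Victim-side recovery: read the trailer, unwrap the file key, decrypt."""
    trailer_len = 2 * KEY_LEN
    if len(blob) < trailer_len:
        raise ValueError("blob too short to contain the expected trailer")
    body, trailer = blob[:-trailer_len], blob[-trailer_len:]
    encoded_file_key, wrap_key = trailer[:KEY_LEN], trailer[KEY_LEN:]
    file_key = xor_bytes(encoded_file_key, wrap_key)
    return xor_bytes(body, keystream(file_key, len(body)))


if __name__ == "__main__":
    sample = b"quarterly numbers (constructed sample data)"
    assert recover_file(encrypt_file_broken(sample)) == sample
    print("recovered from the trailer alone, without any attacker-held secret")
```

The contrast with the asymmetric designs mentioned above is the point: there, the file key is wrapped under a public key and only the attacker's private key can unwrap it, so nothing recoverable from the encrypted file helps the victim. Here every secret is on disk next to the data it protects.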

Aside from making the crypto reasonably bulletproof, a ransomware operator will want a good reward for their effort. Perhaps the first hint of something amiss with the “EvilQuest/ThiefQuest” malware was the ransom note itself.

Two things stand out: the incredibly low amount of ransom, and the fact that there is no email or other means of contact for the victim to communicate with the attacker. Again, using the model from the Windows world, ransomware operators have become very slick and efficient at pushing the right buttons to get people to pay. These include a mixture of threats and reassurance, and even levels of customer support. Not so here. The ransom note amounts to “send us your money; we’ll be in touch”, only there’s no way for you to tell the threat actors that you paid; no request for your contact address; and no request for a sample encrypted file or any other identifying factor. The classic brush-off “Don’t call us, we’ll call you” springs to mind here.

Unsurprisingly, the threat actors have not been amassing a fortune. To date, the one known Bitcoin address common to all the samples has had exactly zero transactions.

Finally, on the ransomware component, SentinelLabs also noted that the decryption routine, uncarve_target, has no callers in the code, suggesting either that the functionality is incomplete or that the authors decided that decryption wasn’t something they ever intended to offer (in which case, we could speculate that presence of the decryption routine in the code is an artifact of earlier testing).

Who Shares? A Data Thief in the Shared Folder

As details such as the above have emerged, attention has turned to the malware’s other capabilities, in particular the fact that it downloads and executes three Python scripts from the /Users/Shared folder. These scripts are intended to search for and exfiltrate files with particular extensions:

The scripts vary in name across samples, but initially the following short names were used:

/Users/Shared/.dr
/Users/Shared/.p
/Users/Shared/.gp

There is also more to the malware’s data stealing capabilities locked inside the invisible Mach-O binaries deposited in the user’s Library folder.

Note the following encrypted strings:

We can use a tool developed by fellow macOS researcher Scott Knight to decrypt these, which reveals the following in plain text:

bytearray(b'*id_rsa*\x00')
bytearray(b'*.pem\x00')
bytearray(b'*.ppk\x00')
bytearray(b'known_hosts\x00')
bytearray(b'*.ca-bundle\x00')

It would appear that the malware is seeking SSH keys and trusted certificates in order to facilitate the ability to log in remotely and manipulate web browsers to trust sites without throwing security warnings.

As other researchers have noted, there is also ample evidence of keylogging functionality through the existence of API calls targeting low-level hardware events like key presses. Note the first half of the function name, reversed, and with a possible typo for “file” as “klgr_flie”:

It’s also worth noting that unlike wiper malware and other aggressive ransomware variants on other platforms, the ransomware component doesn’t really interfere with the user’s ongoing use of the device. A simple osascript-generated alert dialog informs the user of the situation:

Pressing “OK” dismisses the dialog and allows the user to continue using the machine, which is indeed handy for the spyware components!

New Variant Calls Out macOS Researcher

A good deal of the early technical details were published by macOS researcher Patrick Wardle, and rather than repeat all the details here we refer you to his excellent posts on the early “AppQuest” sample first spotted last week. Wardle suggests the malware has viral capabilities, and there are also other suggestions that the malware attempts to infect existing executables in the user’s home folder, although that behaviour was not seen in our tests.

Since the earlier research, new variants have appeared with updated hardcoded strings and paths. In particular, there is a nod to Wardle’s research in the method “react_ping”, which contains the encrypted string “Hello Patrick”.

The recent version also updates the hardcoded C2 address from the earlier 167.71.237.219 to 159.65.147.28 and includes Wardle’s “KnockKnock” reporting tool in its list of software to check for:

Other new changes include using “abtpd” for the executable label. There are suggestions in the code that “.ab**d” may be a variant across different installs, but we have not confirmed that at the time of writing. Instead of using the folder name “AppQuest”, the persistence agent now points to an attacker-created folder named “PrivateSync”.

Similarly, in the early samples, an invisible, plain text file containing a 43-byte string was dropped at /var/root/ and /Users/User1/ with the name “.ncspot”. In the latest sample we tested, the spot file dropped in the same locations but now with the name “.aespot”.

Based on the rapid iteration so far, we would expect all these details to change within days, if not hours.

Protecting Against EvilQuest/ThiefQuest macOS Malware

The SentinelOne platform effectively protects your enterprise against EvilQuest/ThiefQuest.

How SentinelOne Protects Against the EvilQuest macOS Ransomware

For those not protected by SentinelOne, if you have fallen victim to this malware we recommend a complete restore from a known-good backup. Also, due to the keylogging and other spyware functions, it would be advisable to change any passwords and reset SSH and certificate trust credentials.

If you have files encrypted by EvilQuest, our public decryptor tool is available from here.

Conclusion

Call it “EffectiveIdiot”, “ThiefQuest” or “EvilQuest”, the appearance of this combined ransomware, data thief and spyware is a significant development. Not only did it catch a lot of security tools unaware, it may have also wrong-footed victims into continuing to use their infected machines and leaking vital data while they sought a solution to the apparent problem of encrypted files. As ever, we urge macOS users to heed the warning that malware is no longer the sole preserve of Windows environments and to ensure they have adequate security.

Sample Hashes

06974e23a3bf303f75c754156f36f57b960f0df79a38407dfdef9a1c55bf8bff Mach-O
d18daea336889f5d7c8bd16a4d6358ddb315766fa21751db7d41f0839081aee2 Mach-O
c5a77de3f55cacc3dc412e2325637ca7a2c36b1f4d75324be8833465fd1383d3 Mach-O

Indicators of Compromise

/var/root/.aespot
~/.aespot
~/Library/LaunchAgents/com.apple.abtpd.plist
~/Library/PrivateSync/com.abtpd.questd
/Library/LaunchDaemons/com.apple.abtpd.plist
/Library/PrivateSync/com.abtpd.questd
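The hashes and paths above, plus the credential search patterns recovered from the encrypted strings earlier, are enough for a first-pass host check. The script below is an added example, not SentinelOne tooling: it reports which IoC paths exist, compares file hashes against the three published sample hashes, and inventories the files under a home directory that match the malware’s own search globs (SSH keys, PEM/PPK files, known_hosts, CA bundles), which is the list of credentials to rotate per the recovery advice above. The `root` and `home` parameters, the default home location and the constructed demo tree are assumptions made so the check can be pointed at a mounted image or run offline.

```python
"""Host check for the EvilQuest/ThiefQuest indicators listed on this page.

Added example, not the vendor's tooling. Paths and hashes come from the IoC
and Sample Hashes sections; the credential globs come from the decrypted
strings shown earlier. `root`/`home` are assumptions so the check can run
against a mounted image or the constructed demo tree below.
"""
import fnmatch
import hashlib
import os
import tempfile

# Drop paths and persistence plists from the Indicators of Compromise list.
IOC_PATHS = [
    "/var/root/.aespot",
    "~/.aespot",
    "~/Library/LaunchAgents/com.apple.abtpd.plist",
    "~/Library/PrivateSync/com.abtpd.questd",
    "/Library/LaunchDaemons/com.apple.abtpd.plist",
    "/Library/PrivateSync/com.abtpd.questd",
]

# SHA-256 values from the Sample Hashes section.
SAMPLE_HASHES = {
    "06974e23a3bf303f75c754156f36f57b960f0df79a38407dfdef9a1c55bf8bff",
    "d18daea336889f5d7c8bd16a4d6358ddb315766fa21751db7d41f0839081aee2",
    "c5a77de3f55cacc3dc412e2325637ca7a2c36b1f4d75324be8833465fd1383d3",
}

# Globs from the malware's encrypted strings (trailing NUL dropped); anything
# matching these is credential material to rotate after an infection.
CREDENTIAL_PATTERNS = ["*id_rsa*", "*.pem", "*.ppk", "known_hosts", "*.ca-bundle"]


def resolve(ioc_path, root, home):
    """Map an IoC path onto a tree rooted at `root`; `home` is the user home
    relative to root (e.g. "Users/alice") and replaces a leading "~"."""
    if ioc_path.startswith("~/"):
        ioc_path = home + ioc_path[1:]
    return os.path.join(root, ioc_path.lstrip("/"))


def find_ioc_paths(root="/", home=None):
    """Return the IoC entries that exist under `root` (symlinks count too)."""
    if home is None:  # assumption: current user's home when not given
        home = os.path.expanduser("~").lstrip("/")
    return [p for p in IOC_PATHS if os.path.lexists(resolve(p, root, home))]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_known_samples(paths):
    """Return the regular files whose SHA-256 is one of the published hashes."""
    return [p for p in paths if os.path.isfile(p) and sha256_file(p) in SAMPLE_HASHES]


def credential_inventory(home_dir):
    """List files under `home_dir` matching the malware's search patterns."""
    found = []
    for dirpath, _dirs, files in os.walk(home_dir):
        for name in files:
            if any(fnmatch.fnmatch(name, pat) for pat in CREDENTIAL_PATTERNS):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def build_demo_tree():
    """Constructed test tree (not a real infection): a fake home directory
    containing two of the IoC artefacts and two credential files."""
    root = tempfile.mkdtemp()
    home = "Users/demo"
    for rel in [".aespot", "Library/LaunchAgents/com.apple.abtpd.plist",
                ".ssh/id_rsa", ".ssh/known_hosts", "Documents/notes.txt"]:
        full = os.path.join(root, home, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write("constructed placeholder\n")
    return root, home


if __name__ == "__main__":
    root, home = build_demo_tree()
    print("IoC hits:", find_ioc_paths(root, home))
    print("known samples:", find_known_samples(
        [os.path.join(root, home, "Documents/notes.txt")]))
    print("credentials to rotate:", credential_inventory(os.path.join(root, home)))
```

Run it with `root="/"` and the real home path on a suspect Mac, or point `root` at a mounted disk image. A hit on any IoC path or hash is grounds for the full restore recommended above; the credential inventory is what to rotate regardless, since the keylogger and the file search mean anything readable in the home directory should be treated as exposed.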

