Detecting XLoader | A macOS ‘Malware-as-a-Service’ Info Stealer and Keylogger

Threat actors have come to recognize the reality that today’s organizations operate fleets of devices encompassing all the major OS vendors – Apple, Microsoft, Google and many flavors of Linux – and are adapting accordingly. Threats that can be compiled on one platform but produce executables targeting many are a productivity boon to criminals, who now operate in an increasingly competitive environment trying to sell their wares.

The latest such threat to come to attention is XLoader, a Malware-as-a-Service info stealer and keylogger that researchers say was developed out of the ashes of FormBook. Unlike its Windows-only predecessor, XLoader targets both Windows and macOS. In this post, we take an initial look at the macOS version of XLoader, describe its behavior and show how XLoader can be detected on Apple’s Mac platform.

XLoader for Mac – Java Runtime For the Steal

The macOS sample we analyzed comes as both a standalone binary and as a compiled .jar file. The .jar file appears to be distributed as an attachment in a phishing lure, such as in this document Statement SKBMT 09818.jar.

XLoader is likely distributed by mail spam

Such files require the Java Runtime Environment, and for that reason the malicious .jar file will not execute on a macOS install out of the box, since Apple stopped shipping JRE with Macs over a decade ago.

Nonetheless, Java is still a common requirement in enterprise environments and is still in use for some banking applications. As a result, many organizations will have users that either do or must install the Oracle version of Java to meet these needs. As a 3rd party plugin, the Oracle JRE is installed at /Library/Internet Plug-Ins/JavaAppletPlugin.plugin.

When the malware is executed as a .jar file, the execution chain begins with the OS-provided JavaLauncher at /System/Library/CoreServices/JavaLauncher.app.

XLoader’s execution chain begins with the JavaLauncher

The JavaLauncher is also populated in the Accessibility pane in System Preferences’ Privacy tab and a dialog is popped requesting the user to grant access for automation. As we shall see below, this is likely leveraged as part of the info stealer’s functionality.

The JavaLauncher requests access to control other applications

The com.oracle.JavaInstaller will also populate the ‘Full Disk Access’ table in the same tab. This remains unchecked by default and, at least on our test, no dialog was presented to the user to request permissions.

XLoader Behavior on macOS

On execution the malware drops a 32×32 pixel Windows image file in the user’s home directory called NVFFY.ico.

A Windows icon file is dropped in the user’s home folder

The user’s default image viewer – typically the built-in Preview.app – will be launched to display this image. At this point, one could imagine that even the most unsuspecting user opening the ‘Statement SKBT’ file is going to think that something is amiss.

The .ico file as presented to the victim

It’s unclear what the malware authors were thinking here: perhaps the sample is an early development or a test sample. Alternatively, this may be a reflection of the hazards of cross-platform malware, where the author’s assumptions on the Windows platform were not fully tested on a macOS device.

In any case, no interaction is required from the user and the malware continues to drop and execute the rest of its components. This involves dropping and executing a Mach-O file in the user’s Home folder. This file, kIbwf02l, writes a hidden application bundle, also located in the victim’s Home folder, and containing a copy of itself. It then writes and loads a user LaunchAgent with a program argument pointing to the copy in the hidden app bundle. From then on, the kIbwF02l file appears to be redundant but is not cleaned up by the malware.

Example of an XLoader LaunchAgent

The label for the LaunchAgent and the names of the hidden app and executable are all randomized and vary from execution to execution. The binary is passed the argument start as a launch parameter.

The hidden application is itself a barebones bundle containing only the Info.plist and the Mach-O executable.

XLoader’s hidden application bundle

A copy of the same executable, sans bundle and with the filename kIbwf02l, is also dropped in the User’s home directory.

Analysis of the XLoader Mach-O

The compiled Mach-O executable pointed to by the persistence agent is heavily stripped and obfuscated. As the image below indicates, static analysis using tools like strings will show little, and dynamic analysis is complicated by a number of anti-debugging features.

Left: the hidden app’s Info.plist. Right: strings and symbols in the executables

For the purposes of quick triage, we extracted the stackstrings from the Mach-O using otool to get an initial idea of the info stealer’s functionality. With further processing either manually or with radare2, we can match these strings to particular functions.

Stack strings found in XLoader’s macOS version

The strings here show that XLoader attempts to steal credentials from Chrome and Firefox browsers. We also see an indication that the malware calls the NSWorkspace API to identify the front window via the Accessibility API AXTitleFocusedWindow and leverages NSPasteboard, likely to copy information from the window of the user’s currently active process. Calling Accessibility APIs requires user consent as this functionality is controlled by TCC. As noted above, the JavaLauncher has such permissions.

Other researchers have suggested that XLoader’s internet traffic is laden with decoys to disguise the actual C2 used to transmit data. As we did not observe any credential stealing traffic in our test, we cannot confirm that suspicion, but XLoader’s internet traffic is certainly ‘noisy’. We observed the malware reaching out to a variety of known phishing and malware sites.

Some of the IP addresses contacted by the XLoader malware

One of a number of malicious domains XLoader contacts (VirusTotal)

Detecting XLoader Infostealer on macOS

At the end of this post we provide a number of macOS-specific Indicators of Compromise to help organizations and users in general identify an XLoader infection. SentinelOne customers are protected against this malware automatically, regardless of whether it is executed via the Java Runtime Environment or by the standalone XLoader Mach-O.

In our test, we set the agent to ‘Detect-only’ policy in order to observe the malware’s behaviour. Customers are advised to always use the ‘Protect’ policy which prevents execution of malware entirely.

In ‘Detect-only’ mode, the target’s Mac device will immediately alert the user via Notifications:

Security teams and IT administrators, meanwhile, would see something similar to the following in the Management console.

After remediation, the UI (version 21.7EA) on the device indicates that the threat has been successfully killed and quarantined.

Conclusion

XLoader is an interesting and somewhat unusual example in the macOS malware world. It’s dependency on Java and its functionality suggests it is primarily targeting organizations where the threat actors expect Java applications to be in use. Among other things, that includes certain online banking applications, and the attractiveness from a criminal’s perspective of a keylogger and info stealer in that environment can certainly be understood. It is also worth noting that the malware’s minimum system requirement is 10.6 Snow Leopard (over 10 years old), so the author’s are certainly casting their net wide. On the other hand, the implementation on macOS is clumsy at best and is likely to raise suspicions. No doubt the malware authors will be looking to improve on this in future iterations.

Indicators of Compromise

SHA1 Hashes

XLoader Mach-O Executable: KIbwf02l
7edead477048b47d2ac3abdc4baef12579c3c348

Suspected Phishing lure attachment: Statement SKBMT 09818.jar
cf51d75ae620a06df19c1fb29739de0dc2b34915

Example Persistence LaunchAgent: com.j85H64iPLnW.rXxHYP
cb3e7ac4e2e83335421f8bbc0cf953cb820e2e27

Contacted IPs
128.65.195.232
162.0.229.244
184.168.131.241
204.11.56.48
216.239.38.21
34.102.136.180
63.250.34.223
64.190.62.111
64.32.8.70
72.29.74.90

Interesting Strings

.appMacOSContentsInfo.plist
.exe.dll
/logins.json
10.:1.1OS X XLNG:
200 OK
80987dat=&=&un=&br=&os=1
DB1ChromeURL:
guidURL: Firefox
NSStringstringWithCString:encoding:
open
passtokenemailloginsigninaccountHost: &GETPUTPOSTOPTIONSGET
r%s <</dev/null
Recovery
rm -rf
rm unzip nss3.zip -d
saltysalt
UTF8StringNSPasteboardstringForType:generalPasteboardpublic.utf8-plain-text
UTF8StringNSWorkspacesharedWorkspaceprocessIdentifierfrontmostApplicationAXTitleAXFocusedWindow

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Box unwraps its answer to the $3.8B e-signature market: Box Sign

Box released its new native e-signature product Box Sign on Monday, providing e-signature capability and unlimited signatures as part of Box’s business and enterprise plans at no additional cost.

The launch comes five months after the Redwood City, California-based company agreed to acquire e-signature startup SignRequest for $55 million.

Box CEO Aaron Levie told TechCrunch the company is already securing content management for 100,000 businesses, and Box Sign represents “a breakthrough product for the company” — a new category in which Box can help customers with business processes.

“We are building out a content cloud that powers the lifecycle of content so customers can retain and manage it,” Levie said. “Everyday, there are more transactions around onboarding a customer, closing a deal or an audit, but these are still done manually. We are moving that to digital and enabling the request of signatures around the content.”

Here’s how it works: Users can send documents for e-signature directly from Box to anyone, even those without a Box account. Places for signature requests and approvals can be created anywhere on the document. All of this integrates across popular apps like Salesforce and includes email reminders and deadline notifications. As with Box’s offerings, the signatures are also secure and compliant.

The global e-signature software market was estimated to be around $1.8 billion in 2020, according to Prescient & Strategic Intelligence, while IDC expects it to grow to $3.8 billion by 2023.

Levie considers the market still early as less than one-third of organizations use e-signature due to legacy tool limitations and cost barriers, revealing massive future opportunities. However, that may be changing: Box worked with banks during the pandemic that were still relying on mailing, scanning and faxing documents to help them adapt to digital processes. It also surveyed its customers last year around product capabilities, and the No. 1 “ask” was e-signature, he said.

He mentioned major players DocuSign and Adobe Sign — two products it will continue to integrate with — among the array of technology within the space. He said that Box is not trying to compete with any player, but saw a need from customers and wanted to proceed with an option for them.

The e-signature offering also follows the hiring of Diego Dugatkin in June as Box’s new chief product officer. Prior to joining, Dugatkin was vice president of product management for Adobe Document Cloud and led strategy and execution for Adobe’s suite of products, including Adobe Sign.

“Our strategy has been for many years to expand our portfolio and power more advanced use cases, as well as a vision to have one platform to manage everything,” Levie said. “Diego has two decades of tremendous domain experience, and he will make a massive dent in powering this for us.”

In addition to the e-signature product, Box also introduced its Enterprise Plus plan that includes all of the company’s major add-ons, as well as advanced e-signature capabilities that will be available later this summer, the company said.

 

Nium crosses $1B valuation with $200M Riverwood Capital-led round

Business-to-business payments platform Nium announced Monday that it raised more than $200 million in Series D funding and saw its valuation rise above $1 billion.

The company, now Singapore-based but shifting to the Bay Area, touted the investment as making it “the first B2B payments unicorn from Southeast Asia.”

Riverwood Capital led the round, in which Temasek, Visa, Vertex Ventures, Atinum Capital, Beacon Venture Capital and Rocket Capital Investment participated, along with a group of angel investors like DoorDash’s Gokul Rajaram, FIS’ Vicky Bindra and Tribe Capital’s Arjun Sethi. Including the new funding, Nium has raised $300 million to date, Prajit Nanu, co-founder and CEO, told TechCrunch.

The B2B payments sector is already hot, yet underpenetrated, according to some experts. To give an idea just how hot, Nium was seeking $150 million for its Series D round, received commitments of $300 million from eager investors and settled on $200 million, Nanu said.

“This is our fourth or fifth fundraise, but we have never had this kind of interest before — we even had our term sheets in five days,” he added. “I believe this interest is because we’ve successfully managed to create a global platform that is heavily regulated, which gives us access to a lot of networks. This is an environment where payment is visible, and our core is powering frictionless commerce and enabling anyone to use our platform.”

Nium’s new round adds fuel to a fire shared by a number of companies all going after a global B2B payments market valued at $120 trillion annually: last week, Paystand raised $50 million in Series C funding to make B2B payments cashless, while Dwolla raised $21 million for its API that allows companies to build and facilitate fast payments. In March, Higo brought in $3.3 million to do the same in Latin America, while Balance, developing a B2B payments platform that allows merchants to offer a variety of payment methods. raised $5.5 million in February.

Nium’s approach is to provide access to a global payment infrastructure, including card issuance, accounts receivable and payable, and banking-as-a-service through a single API. The company’s network enables customers to then send funds to more than 100 countries, pay out in more than 60 currencies, accept funds in seven currencies and issue cards in more than 40 countries, Nanu said. The company also boasts money transfer, card issuances and banking licenses in 11 jurisdictions.

Francisco Alvarez-Demalde, co-founding partner and managing partner at Riverwood, said in an email that the combination of software — plus regulatory licenses — and operating a fintech infrastructure platform on behalf of neobanks and corporates is a global trend experiencing hyper-growth.

Riverwood followed Nium for many years, and its future vision was what got the firm interested in being a part of this round. Alvarez-Demalde said that “Nium has the incredible combination of a great market opportunity, a talented founder and team, and we believe the company is poised for global growth based on underlying secular technology trends like increasing real-time payment capabilities and the proliferation of cross border commerce.

“As a central payment infrastructure in one API, Nium is a catalyst that unlocks cross-border payments, local accounts and card issuance with a network of local market licenses, partners and banking relationships to facilitate moving money across the world,” he added. “Enterprises of all types are embedding financial services as part of their consumer experience, and Nium is a key global enabler of this trend.”

Nanu said the new funding enables the company to move to the United States, which represents 3% of Nium’s revenue. He wants to increase that to 20% over the next 18 months, as well as expand in Latin America. The investment also gives the company a 12- to 18-month runway for further M&A activity.  In June, Nium acquired virtual card issuance company Ixaris, and in July acquired Wirecard Forex India to expose it to India’s market. He also plans to expand the company’s payments network infrastructure, invest in product development and add to Nium’s 700-person headcount.

Nium already counts hundreds of enterprise companies as clients and plans to onboard thousands more in the next year. The company processes $8 billion in payments annually and has issued more than 30 million virtual cards since 2015. Meanwhile, revenue grew by over 280% year over year.

All of this growth puts the company on a trajectory for an initial public offering, Nanu said. He has already spoken to people who will help the company formally kick off that journey in the first quarter of 2022.

“Unlike other companies that raise money for new products, we aim to expand in the existing sets of what we do,” Nanu said. “The U.S. is a new market, but we have a good brand and will use the new round to provide a better experience to the customer.”

 

ActiveFence comes out of the shadows with $100M in funding and tech that detects online harm, now valued at $500M+

Online abuse, disinformation, fraud and other malicious content is growing and getting more complex to track. Today, a startup called ActiveFence, which has quietly built a tech platform to suss out threats as they are being formed and planned, to make it easier for trust and safety teams to combat them on platforms, is coming out of the shadows to announce significant funding on the back of a surge of large organizations using its services.

The startup, co-headquartered in New York and Tel Aviv, has raised $100 million, funding that it will use to continue developing its tools and to continue expanding its customer base. To date, ActiveFence says that its customers include companies in social media, audio and video streaming, file sharing, gaming, marketplaces and other technologies — it has yet to disclose any specific names but says that its tools collectively cover “billions” of users. Governments and brands are two other categories that it is targeting as it continues to expand. It has been around since 2018 and is growing at around 100% annually.

The $100 million being announced today actually covers two rounds: its most recent Series B led by CRV and Highland Europe, as well as a Series A it never announced led by Grove Ventures and Norwest Venture Partners. Vintage Investment Partners, Resolute Ventures and other unnamed backers also participated. It’s not disclosing valuation but I understand it’s over $500 million.

“We are very honored to be ActiveFence partners from the very earliest days of the company, and to be part of this important journey to make the internet a safer place and see their unprecedented success with the world’s leading internet platforms,” said Lotan Levkowitz, general partner at Grove Ventures, in a statement.

The increased presence of social media and online chatter on other platforms has put a strong spotlight on how those forums are used by bad actors to spread malicious content. ActiveFence’s particular approach is a set of algorithms that tap into innovations in AI (natural language processing) and to map relationships between conversations. It crawls all of the obvious, and less obvious and harder-to-reach parts of the internet to pick up on chatter that is typically where a lot of the malicious content and campaigns are born — some 3 million sources in all — before they become higher-profile issues.  It’s built both on the concept of big data analytics as well as understanding that the long tail of content online has a value if it can be tapped effectively.

“We take a fundamentally different approach to trust, safety and content moderation,” Noam Schwartz, the co-founder and CEO, said in an interview. “We are proactively searching the darkest corners of the web and looking for bad actors in order to understand the sources of malicious content. Our customers then know what’s coming. They don’t need to wait for the damage, or for internal research teams to identify the next scam or disinformation campaign. We work with some of the most important companies in the world, but even tiny, super niche platforms have risks.”

The insights that ActiveFence gathers are then packaged up in an API that its customers can then feed into whatever other systems they use to track or mitigate traffic on their own platforms.

ActiveFence is not the only company building technology to help platform operators, governments and brands to have a better picture of what is going on in the wider online world. Factmata has built algorithms to better understand and track sentiments online; Primer (which also recently raised a big round) also uses NLP to help its customers track online information, with its customers including government organizations that used its technology to track misinformation during election campaigns; Bolster (formerly called RedMarlin) is another.

Some of the bigger platforms have also gotten more proactive in bringing tracking technology and talent in-house: Facebook acquired Bloomsbury AI several years ago for this purpose; Twitter has acquired Fabula (and is working on a bigger efforts like Birdwatch to build better tools), and earlier this year Discord picked up Sentropy, another online abuse tracker. In some cases, companies that more regularly compete against each other for eyeballs and dollars are even teaming up to collaborate on efforts.

Indeed, may well be that ultimately there will exist multiple efforts and multiple companies doing good work in this area, not unlike other corners of the world of security, which might need more than one hammer thrown at problems to crack them. In this particular case, the growth of the startup to date, and its effectiveness in identifying early warning signs, is one reason why investors have been interested in ActiveFence.

“We are pleased to support ActiveFence in this important mission” commented Izhar Armony, the lead investor from CRV, in a statement. “We believe they are ready for the next phase of growth and that they can maintain leadership in the dynamic and fast growing trust and safety market.”

“ActiveFence has emerged as a clear leader in the developing online trust and safety category. This round will help the company to accelerate the growth momentum we witnessed in the past few years,” said Dror Nahumi, general partner at Norwest Venture Partners, in a statement.

Sedna banks $34M for a platform that parses large volumes of email and chat to automatically action items within them

Many have tried to do away with it, but email refuses to die… although in the process it might be (figuratively speaking) killing some of us with the workload it brings on to triage and use it. A startup called Sedna has built a system to help with that — specifically for enterprise and other business customers — by “reading” the text of emails, and chats, and automatically actioning items within them so that you don’t have to. And today, it’s announcing funding of $34 million to expand its work.

The funding, a Series B, is being led by Insight Partners, with Stride.VC, Chalfen Ventures and the SAP.iO fund (part of SAP) also participating. The funding will be used to continue building out more data science around Sedna’s core functionality, with the aim of moving into a wider set of verticals over time. Currently its main business is in the area of supply chain players, with Glencore, Norden, and Bunge among its customers. Other customers in areas like finance include the neobank Starling. London-based Sedna is not disclosing valuation.

Bill Dobie, Sedna’s CEO and founder originally from Vancouver but now in London, said the idea for the company was hatched out of his own experience.

“I spent years building software to help users be more productive, but no matter what we built we never really reduced people’s workload,” he said. The reason: the millstone that is called email, with its endless, unsolicited, inbound messages, some of which (just enough not to ignore) might be important. “What really struck me was how long it spent to move items out of and into email,” he said of the “to-do’s” that arose out of there.

Out of that, Sedna was built to “read” emails and give them more context and direction. Its system removes duplicates of action items and essentially increases the strike rate when it comes people’s inboxes: what’s in there is more likely to be what you really need to see. And it does so at a very quick speed.

“Our main value is the sheer scale at which we operate,” Dobie said. “We read millions or even billions of messages in sub second response times.” Indeed, while many of us are not getting “millions” of emails, there is a world of messaging out there that needs reading beyond that. Think, for example, of the volume of data that will be coming down the pike from IoT-based diagnostics.

“Smart” inboxes have definitely become a thing for consumers — although arguably none work as well as you wish they did. What’s notable about Sedna has been how it’s tuned its particular algorithms to specific verticals, letting them get smarter around the kind of content and work practices in particular organizations.

Right now the work is driven by an API framework, with elements of “low code” formatting to let people shape their own Sedna experiences. The aim will be to make that even easier over time. AN API driven frame work right now, some low code we’re heading into, but mostly its SAP or shipping or trading system that understands the transaction under way, then Sedna uses a decision tree to categories. 

Another area where Sedna might grow is in how it handles the information that it ingests. Currently, the company’s tech can be interconnected by a customer to then hand off certain work to RPA systems, as well as to specific humans. There is an obvious route to developing some of the second stage of software there — or alternatively, it’s a sign of how something like Sedna might get snapped up, or copied by one of the big RPA players.

“Bill started reimagining email where it was most broken and therefore hardest to fix—large teams managing huge volumes and complicated processes,” said Rebecca Liu-Doyle, principal at Insight Partners, in a statement. “Today, Sedna’s power is in its ability to introduce immense speed, simplicity, and delight to any inbox experience, regardless of scale or complexity. We are excited to partner with the Sedna team as they continue to make digital communication more intelligent for teams in global supply chain and beyond.” Liu-Doyle is joining the board with this round.

SAP is a strategic investor in this round, as Sedna potentially helps its customers be more productive while using SAP systems. “SAP continues to partner with SEDNA to deliver value to SAP customers. The ability to turn complex information into simpler intelligent collaboration has been a growing priority for many SAP customers,” said Stefan Sauer, global transport solutions Lead at SAP, in a statement.

PlugwalkJoe Does the Perp Walk

Joseph “PlugwalkJoe” O’Connor, in a photo from a paid press release on Sept. 02, 2020, pitching him as a trustworthy cryptocurrency expert and advisor.

One day after last summer’s mass-hack of Twitter, KrebsOnSecurity wrote that 22-year-old British citizen Joseph “PlugwalkJoe” O’Connor appeared to have been involved in the incident. When the U.S. Justice Department last week announced O’Connor’s arrest and indictment, his alleged role in the Twitter compromise was well covered in the media.

But most of the coverage seems to have overlooked the far more sinister criminal charges in the indictment, which involve an underground scene wherein young men turn to extortion, sextortion, SIM swapping, death threats and physical attacks — all in a frenzied effort to seize control over social media accounts.

Skim the government’s indictment and you might overlook a footnote on Page 4 that says O’Connor is part of a group that had exactly zero reservations about using their playbook of harassment tactics against law enforcement agents who were already investigating their alleged crimes.

O’Connor has potentially been linked to additional prior swatting incidents and possibly (although not confirmed and currently still under investigation) the swatting of a U.S. law enforcement officer,” the footnote reads.

Swatting involves making a false report to authorities in a target’s name with the intention of sending a heavily armed police force to that person’s address. It’s a potentially deadly hoax: Earlier this month, a Tennessee man was sentenced to 60 months in prison for setting in motion a swatting attack that led to the death of a 60-year-old grandfather.

As for the actual criminal charges, O’Connor faces ten counts, including conspiracy, computer intrusion, extortive communications, stalking and threatening communications.

FEMALE TARGETS

All of those come into play in the case of the Snapchat account of actor Bella Thorne, who was allegedly targeted by PlugwalkJoe and associates in June 2019.

Investigators say O’Connor was involved in a “SIM swap” against Thorne’s mobile phone number. Unauthorized SIM swapping is a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target’s text messages and phone calls to a device they control. From there, the attackers can reset the password for any online account that allows password resets via SMS.

In this case, the SIM swap was done to wrest control over Thorne’s Snapchat account. Once inside, the attackers found nude photos of Thorne, which they then threatened to release unless she agreed to post on social media thanking the hackers using their online handles.

The intruders posted on Thorne’s Snapchat, “Will drop nudes if 5000 of you follow @PlugwalkJoe.” Thorne told the feds her phone lost service shortly before her account was hijacked. Investigators later found the same Internet address used to access Thorne’s Snapchat account also was used minutes later to access “@Joe” on Instagram, which O’Connor has claimed publicly.

On June 15, 2019, Thorne posted on Twitter that she’d been “threatened with my own nudes,” and posted screenshots of the text message with the individual who had extorted him/her. Thorne said she was releasing the photographs so that the individual would not be able to “take yet another thing from me.”

The indictment alleges O’Connor also swatted and cyberstalked a 16-year-old girl, sending her nude photos and threatening to rape and/or murder her and her family.

Social media personality Addison Rae had 55 million followers when her TikTok account got hacked last August. I noted on Twitter at the time that PlugWalkJoe had left his calling card yet again. The indictment alleges O’Connor also was involved in a SIM-swap against Rae’s mobile number.


BAD REACTION

Prosecutors believe that roughly a week after the Twitter hack O’Connor called in bomb threats and swatting attacks targeting a high school and an airport in California. They’re confident it was O’Connor making the swatting and bomb threat calls because his voice is on record in a call he made to federal investigators, as well as to an inmate arrested for SIM swapping.

Curiously left out of the media coverage of O’Connor’s alleged crimes is that PlugwalkJoe appears to have admitted in a phone call with the FBI to being part of a criminal conspiracy. In the days following the Twitter mass-hack, O’Connor was quoted in The New York Times denying any involvement in the Twitter bitcoin scam. “I don’t care,” O’Connor told The Times. “They can come arrest me. I would laugh at them. I haven’t done anything.”

Speaking with KrebsOnSecurity via Instagram instant message just days after the Twitter hack, O’Connor demanded that his name be kept out of future blog posts here. After he was told that couldn’t be promised, he mentioned that some people in his circle of friends had been known to hire others to deliver physical beatings on people they didn’t like. In nearly the same breath, O’Connor said he was open to talking to federal investigators and telling his side of the story.

According to the indictment, a week after the Twitter hack a man identifying himself as O’Connor called federal investigators in Northern California. Specifically, the call went to the REACT Task Force. REACT is a team of law enforcement officers and prosecutors based in Santa Clara, Calif. that is focused on catching criminal SIM swappers, and by this point REACT already had plenty of audio from phone calls traced back to O’Connor in which he allegedly participated in a SIM swapping or swatting attack.

“REACT began receiving tips in 2018 regarding illegal activity of an individual using the online moniker ‘PlugwalkJoe,’ purportedly identified as O’Connor from the United Kingdom,” the indictment states.

Prosecutors redacted the name of the law enforcement officer who allegedly was swatted by PlugwalkJoe, referring to him only as “C.T.,” a criminal investigator for the Santa Clara District Attorney and a REACT Task Force member.

FBI agents called O’Connor back at the number he left. O’Connor told the FBI that on the afternoon of July 15, 2020 he’d been in contact with other associates who were in communications with the alleged mastermind of the Twitter bitcoin scam. Those intermediaries worked directly with Graham Clark, then 17, who pleaded guilty to fraud charges last summer in connection with the Twitter hack and agreed to serve three years in prison followed by three years of probation.

The indictment says O’Connor told the feds he only wanted his friends to relay his desire for Clark to secure several different short Twitter usernames that belonged to other people, accounts that were to be later sold for a profit. The other associates who allegedly helped PlugwalkJoe interact with Clark also have since been charged in connection with the Twitter hack.

A copy of the indictment is here (PDF).

The Good, the Bad and the Ugly in Cybersecurity – Week 30

The Good

It was a year ago almost to the week that we reported on a mass cyber hack against at least 130 social media celebrities. As we reported at the time, Twitter accounts belonging to the likes of Joe Biden, Barack Obama, Elon Musk, Bill Gates, Apple and Uber were all breached and used to pull off a Bitcoin scam that netted the hackers over $100,000 in less than 24 hours. This week, it looks as though cybercops have caught up with yet another of the alleged perpetrators.

Police in Spain arrested a 22-year old British man, Joseph O’Connor, on suspicion of being behind the attack. Three others, two from the U.S and another from the U.K, have already been charged in the case. O’Connor faces computer intrusion charges relating to the Twitter hack as well as similar intrusions of TikTok and Snapchat. The Department of Justice says he is also being charged with cyberstalking a juvenile.

With the help of the U.K.’s National Crime Agency, the Spanish National Police arrested O’Connor on Wednesday after a request from U.S. authorities following a criminal complaint filed in the U.S. District Court for the Northern District of California. Once again, international law enforcement cooperation has proven vital in bringing those who perpetrate cyber crimes to justice.

The Bad

There was already plenty of controversy swirling around the Tokyo Olympics – from Russia’s stealth involvement to whether the event should even be taking place given the ongoing pandemic – but of course, cyber attackers had to get in on the act, too.

Initially, news broke early in the week apparently from a Japanese government source suggesting that login IDs and passwords for the Tokyo Olympic ticket portal had been posted to a Darknet “leaks” website following a breach. A spokesperson for the Tokyo 2020 Olympics International Communications Team later contradicted that claim, saying the government source was mistaken.

While it seems there had been some leaks, these were not related to a breach of the ticket portal. Rather, it appears some ticket holders as well as Olympic Village volunteers had been infected with malware and leaked their own credentials.

It seems these individuals were infected with infostealer malware that exfiltrated credentials stored in their browsers. The data was subsequently offered for sale on underground marketplaces.

While it’s certainly welcome to learn that a general breach of the Olympics ticket portal hasn’t taken place, there are concerns that threat actors are targeting the event. The FBI released an alert this week warning that cyber actors who wish to disrupt the event could use distributed denial of service (DDoS) attacks, ransomware, social engineering, phishing campaigns, or insider threats against entities associated with the Tokyo 2020 Summer Olympics. All involved are advised to remain vigilant and maintain best practices in their network and digital environments.

The Ugly

News has been breaking across mainstream media since Sunday regarding the use of iOS and Android spyware being sold to authoritarian regimes by private security contractor NSO. Apparently, the spyware platform known as “Pegasus” is meant to be used to target ‘persons of interest’ to governments and law enforcement agencies, but campaigners such as Amnesty International claim that the spyware is used by oppressive regimes to facilitate human rights violations around the world on a massive scale.

While opinion remains divided as to the true extent of the use of NSO’s spyware in the wild, there’s no doubt that there are genuine concerns that the spyware has been used to expose activists, journalists and politicians critical of certain governments.

Meanwhile, researchers claim that they have proof that the Pegasus spyware has successfully infected iPhone 11 and iPhone 12 models through iMessage zero-click attacks. Pegasus marketing material offers prospective clients unlimited access to targets’ mobile devices while “leaving no trace on the target devices”.

Source: Pegasus marketing material

NSO, for its part, disputes the claims made in the most recent revelations, arguing that the number of targets is substantially lower than the 50,000 claimed by campaigners, and that the company vets all its clients to ensure abuses do not occur.

Amidst all of this is another ongoing debate about Apple’s approach to security. The famously-secretive device manufacturer argues that iPhone security is enhanced by its opaque, proprietary operating system and Apple’s tight reign on application distribution. Many security researchers and privacy activists, on the other hand, say that such a ‘security by obscurity’ approach only serves to abet criminals by  making it impossible for users to detect whether their devices have been compromised.

It’s a debate that’s not going to go away any time soon. Readers might like to reflect on whether they would be happy using desktop and laptop computers that, by design, were unable to run any third-party security software. If one feels nervous at the prospect of leaving computer security entirely in the hands of an OS vendor, it’s hard to imagine why we should be comfortable doing the same with our phones.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Paystand banks $50M to make B2B payments cashless and with no fees

It’s pretty easy for individuals to send money back and forth, and there are lots of cash apps from which to choose. On the commercial side, however, one business trying to send $100,000 the same way is not as easy.

Paystand wants to change that. The Scotts Valley, California-based company is using cloud technology and the Ethereum blockchain as the engine for its Paystand Bank Network that enables business-to-business payments with zero fees.

The company raised $50 million Series C funding led by NewView Capital, with participation from SoftBank’s SB Opportunity Fund and King River Capital. This brings the company’s total funding to $85 million, Paystand co-founder and CEO Jeremy Almond told TechCrunch.

During the 2008 economic downturn, Almond’s family lost their home. He decided to go back to graduate school and did his thesis on how commercial banking could be better and how digital transformation would be the answer. Gleaning his company vision from the enterprise side, Almond said what Venmo does for consumers, Paystand does for commercial transactions between mid-market and enterprise customers.

“Revenue is the lifeblood of a business, and money has become software, yet everything is in the cloud except for revenue,” he added.

He estimates that almost half of enterprise payments still involve a paper check, while fintech bets heavily on cards that come with 2% to 3% transaction fees, which Almond said is untenable when a business is routinely sending $100,000 invoices. Paystand is charging a flat monthly rate rather than a fee per transaction.

Paystand’s platform. Image Credits: Paystand

On the consumer side, companies like Square and Stripe were among the first wave of companies predominantly focused on accounts payable and then building business process software on top of an existing infrastructure.

Paystand’s view of the world is that the accounts receivables side is harder and why there aren’t many competitors. This is why Paystand is surfing the next wave of fintech, driven by blockchain and decentralized finance, to transform the $125 trillion B2B payment industry by offering an autonomous, cashless and feeless payment network that will be an alternative to cards, Almond said.

Customers using Paystand over a three-year period are able to yield average benefits like 50% savings on the cost of receivables and $850,000 savings on transaction fees. The company is seeing a 200% increase in monthly network payment value and customers grew two-fold in the past year.

The company said it will use the new funding to continue to grow the business by investing in open infrastructure. Specifically, Almond would like to reboot digital finance, starting with B2B payments, and reimagine the entire CFO stack.

“I’ve wanted something like this to exist for 20 years,” Almond said. “Sometimes it is the unsexy areas that can have the biggest impacts.”

As part of the investment, Jazmin Medina, principal at NewView Capital, will join Paystand’s board. She told TechCrunch that while the venture firm is a generalist, it is rooted in fintech and fintech infrastructure.

She also agrees with Almond that the B2B payments space is lagging in terms of innovation and has “strong conviction” in what Almond is doing to help mid-market companies proactively manage their cash needs.

“There is a wide blue ocean of the payment industry, and all of these companies have to be entirely digital to stay competitive,” Medina added. “There is a glaring hole if your revenue is holding you back because you are not digital. That is why the time is now.”

 

Payments company Paystone raises $23.8M to help service-based businesses engage with customers

Paystone, a payments and integrated software company, secured another strategic investment this year, this time $23.8 million ($30 million CAD) from Crédit Mutuel Equity, the private equity arm of Crédit Mutuel Alliance Fédérale.

The Canada-based company got its start in 2008 as the payment processing company Zomaron, and rebranded itself as Paystone in 2019. Today it provides electronic payments and customer engagement technology to businesses, particularly those that provide services, CEO Tarique Al-Ansari told TechCrunch.

“Paystone is on a mission to help businesses grow, and we were enthralled by their commitment to that mission and their focus on service-oriented verticals,” said Léa Perge, investor at Crédit Mutuel Equity in Canada, via email.

While most of the company’s peers focus on product companies, Al-Ansari saw how underserved the service side was: their needs are different, and unlike retail, aren’t looking to sell online. Rather, they need an online presence and digital marketing to engage with customers, but their focus is being findable and having content that tells people why they should do business with them.

Paystone provides the marketing through content, help with reviews and with loyalty and rewards programs. However, rather than reward for spending, Paystone rewards for behavior. Refer a friend, get a reward. Write a review, get a reward. Al-Ansari calls it “payments as a benefit.” Referrals and reviews are how businesses become more findable, and the more content that’s out there, the more it helps people consider the business trustworthy, he added.

The new funding gives Canada-based Paystone total funds raised in 2021 of $78.8 million in a mix of debt and equity. It raised $54.9 million in January, funds that were barely touched as of yet, Al-Ansari said.

Though he wasn’t actively seeking new funds, Al-Ansari had been speaking with Crédit Mutuel Equity, which used to be CIC Capital Canada, prior to the pandemic, and their deal was put on hold.

Crédit Mutuel Equity came back with similar interest, and taking into account the kind of talent Paystone wanted to go after and its acquisition strategy — the company has already acquired five companies — Al-Ansari decided to take the additional funds. He said it gives the company options to hire more and double down on building the company, as well as enough capital to look for more acquisitions.

This year, Paystone entered the U.S. market for the first time and will do a proper launch later this year. The company has over 30,000 merchant locations on its platform throughout North America, and Al-Ansari expects that to grow by 5,000 this year. The company has 150 employees currently, and another 50 are expected to come on board by the end of the year.

In addition, Al-Ansari expects growth to accelerate for the rest of the year. The company processes around $6 billion in credit card payments and is on track to bring in $55.7 million in revenue this year. It is cash flow positive, residuals from the company’s origins of being bootstrapped, he said.

“We want to become the go-to destination for service businesses to set up a digital presence to accept payments and provide loyalty and rewards,” Al-Ansari said. “We will do this by solidifying our market position and growing our platform with the tools that customers want.”

 

CVE-2021-3122 | How We Caught a Threat Actor Exploiting NCR POS Zero Day

A guest post by Kyle Pagelow from Tetra Defense

In this post, we describe how our Incident Response team discovered and thwarted a threat actor stealing credit card data by exploiting a zero day RCE (remote code execution) vulnerability in NCR’s Aloha Point of Sale software, widely used in the catering and restaurant industries.

Our investigation led us to discover and report CVE-2021-3122. While Tetra Defense successfully defended the client’s business, removing the threat actor’s access from the client’s network and mitigating the entire infection chain, a large number of other potential victims are readily discoverable, many of whom could be actively exploited today.

According to the vendor, CVE-2021-3122 is a client misconfiguration, and it appears that it is up to each client using Aloha POS to ensure that the server is properly configured and cannot be exploited in the way described in this post.

While we acknowledge NCR’s position, it is also worth pointing out that this “misconfiguration” is widely deployed and known to be actively exploited. Therefore, we urge all NCR Aloha POS users to ensure their Aloha POS configuration follows NCR’s guidelines and to confirm that their POS network has not been compromised in the manner we discuss in detail below.

Point of Ingress | The Threat Actor’s Initial Compromise

NCR’s Aloha POS software is an end to end point of sale system application primarily used by restaurants to take orders, accept credit card payments and manage other sensitive business functions. As is standard practice, our client was running Aloha POS on an isolated private network, with a number of terminals utilizing this network. The only outward bound communication from any endpoint on the network was to the Aloha Back of House (BOH) server.

The Aloha BOH server provides administrative functions for each of the POS terminals and is responsible for all external communications. Primarily, external traffic consists of communication between the BOH server and NCR’s own servers for the purpose of receiving various administrative commands, performing maintenance and updating the POS terminals when required.

Prior to our IR investigation team being brought in, the client’s network appears to have first been compromised in February 2017. BlackPOS, rtPOS, GratefulPOS and PWNPOS were observed on the client’s systems, along with BTCamant ransomware, shortly after the client had installed an MSP provider. While some of the malware infections avoided C2 communications and wrote files out locally to disk, by December 2018 RampagePOS was observed communicating with a C2 at support[.]nesinoder[.]com. This domain was later seen to be associated with Maze ransomware.

In September 2019, the threat actor began utilizing a commercial remote monitoring and management tool (RMM) called screenconnect. The threat actors configured the RMM tool to report to their own C2s and cleverly disguised the DNS to blend in with legitimate traffic to NCR by using the address support-ncr-aloha[.]net.

The threat actor’s next step was to begin installing credit card stealing malware on both the BOH server and terminal endpoints on January 9th, 2020. At this time, malware was pushed to the terminals using a batch script to update the hosts file on each terminal with an entry labelled ‘back’ and the IP address of the BOH server. Since the terminals had no ability to communicate externally, the malware was configured to send encrypted, scraped credit card data to the BOH server over port 1888.

Discovering the BOH RCE Attack Vector

While it’s not surprising that the terminals could have their hosts files manipulated by the BOH server, the attack’s real menace comes from the exploitation of an hitherto unknown vulnerability in the support[.]ncr-aloha[.]net running on the BOH server. While NCR has been at pains to point out that the exploit requires an unsupported configuration, our investigation found that there are hundreds of Aloha BOH servers currently configured in this way and, therefore, vulnerable to attack.

As attack methods, motives, and consequences change daily, our IR investigation team uses SentinelOne Singularity as our constant ongoing endpoint protection and alert method. We deployed SentinelOne on the client’s terminals and BOH servers as part of our emergency incident response effort. This allowed us not only to get full visibility into the threat actor’s TTPs but also alerts at each stage of the ongoing infection. Via the SentinelOne agents and management console, we were able to identify connections from external IP addresses to the Aloha Command Center Agent occurring over port 8089.

SentinelOne Singularity XDR
See how SentinelOne XDR provides end-to-end enterprise visibility, powerful analytics, and automated response across your complete technology stack.

Having rebuilt the entire Aloha POS network, now with SentinelOne installed, we were able to observe how the actor then re-compromised the system. It quickly became apparent that the threat actor was able to connect to the cmcAgent.exe externally and run commands with SYSTEM level privileges.

The SentinelOne agent alerted us as the threat actor dropped an instance of the DoublePulsar backdoor on the BOH server and wrote malware to the screenconnect directory in c:windowstemp. The threat actor used the Eternal Champion exploit from FUZZBUNCH to install the malware.

In addition, we observed the threat actor utilizing other LOLBins such as certutil to download files, the net command to mount shares to public IP addresses, and netsh to open ports on the Windows firewall and expose services such as RDP.

We leveraged the management console’s Deep Visibility feature and found that the malware was using msiexec for the screenconnect MSI to reach out to the attacker’s C2 at support[.]ncr-aloha[.]net.

At this point, we leveraged the SentinelOne remote shell feature to kill off screenconnect and quarantine the cmcAgent.exe. We ran further Deep Visibility queries to prevent the threat actor from further exploitation of the network.

Discovering CVE-2021-3122 and Creating a POC Exploit

Having secured the client’s network, our next task was to understand what vulnerability the threat actor was leveraging to access the Aloha BOH server. Our investigation found that a flaw exists within the NCR Command Center Agent (cmcAgent.exe). Systems that are configured with an internet-facing Command Center Agent display a banner with the hostname of the server and are discoverable through network scanning and banner grabbing. Simple searches can also be conducted through the use of tools such as shodan.io.

The cmcAgent’s RUNCommand function allows for a parameter to be supplied in a specially crafted XML request that can be executed remotely if the server is configured to listen on TCP port 8089 for incoming connections. Passing such a command allows the attacker to execute that command as SYSTEM.

In our POC, we executed a custom command remotely against a virtual machine that had the cmcAgent running. We created several requests and executed cmd.exe, powershell.exe and calc.exe. All processes spawned under the ‘SYSTEM’ user and were running in the background.

Additionally, when connecting to the port, the server will return a response with the hostname of the system as well as other information indicating the system is running Aloha software. This means it is a simple matter to conduct a shodan search for the banner and see which NCR customers have the Command Center Agent publicly exposed.

Responsible Disclosure and Vendor Response

In June of 2020, Tetra contacted the vendor NCR, creators of the Aloha platform in order to responsibly disclose the vulnerability. NCR had indicated the vulnerability is only exploitable if customers are misconfigured and have the CMCagent’s listening port exposed. NCR updated their documentation for the CMCAgent, and added a requirement not to have the CMCAgent internet-facing. Tetra contacted CISA and disclosed the vulnerability in December of 2020. MITRE rated the vulnerability with a CVS of 9.8.

Recommendations and Mitigation

NCR customers are urged to ensure they have updated to the latest available version.

Users running the Aloha POS system in their environment are strongly urged to review their system configuration and prohibit unauthorized hosts from connecting to vulnerable systems.

Users should run an up-to-date security solution such as SentinelOne Singularity across their environment and review security alerts.

Indicators of Compromise

alohaterm.exe    RAMPAGEPOS         9b8cc45f061565f00f9aab34e6fbcec6fae4633f
alohaterm.exe    RAMPAGEPOS         7c7c8ef5877f01011438410a4075e92731c7c51a
ttfmgr.exe       GratefulPOS        2d9b601d09bc1e49c94b316263f96d6ee6e57c54
ALOHAPROXY.EXE   PWNPOS             7899092e973b38988aa472dabf20314f00399233
wnhelp.exe       PWNPOS             b1983db46e0cb4687e4c55b64c4d8d53551877fa
alohas.exe       BlackPOS           1df323c48c8ce95a80d1e3b9c368c7d7eaf395fc
alohae.exe       rtPOS              a3c81c9e3d92c5007ac2ef75451fe007721189c6
IECache11.dll    RAMPAGEPOS         bf6291d67a21c6cef919c8cc3e485b93daf8d71f
IECache32.dll    RAMPAGEPOS         3688ab0e31a2f2a8a2adeb934c1a10738ec0f2d6
RUBTBGBB.EXE     Trojan/Downloader  0894872f398e19051f5a6be1a50c44943e9635e8
d.exe            Double Pulsar      dc11a846e090094fc82d0cc6ca8914d09113658e
e.exe            Eternal Champion   4c5cc3ec6866a2054eb47820b35ad8a7d8982cd2
UCL.DLL          Double Pulsar      4dfde37e5ff0a4b189f0c644b19b20fa63c41fe1
QOXJPZPX.EXE     Downloader         0894872f398e19051f5a6be1a50c44943e9635e8
TASKENG.EXE      Bitcoin Miner      282239c7d8e8606c88b15f7f2c7f30b5ec1b7fd4
SystemIISSec.exe Bitcoin Miner      835c84dba74fdd2564806daf68958d22feaa2225
g.exe            Bitcoin Miner      a067833f67d829241703c9f488d5834c84b096fe
Chromes.exe      Bitcoin Miner      cfe8c611e1a475a60f181005606d4094d1dad8e3
wslog_tblog6.tmp Bitcoin Miner      eea0c3febedd84a0c2d69dfb1fb5a077ca8d320b
wslog_tblog3.tmp Bitcoin Miner      cfe8c611e1a475a60f181005606d4094d1dad8e3
audlodg.exe      Bitcoin Miner      cb3550ca012a39fbf48ad26f3b2bb1d4f8657b2e
TASKENG.EXE      Bitcoin Miner      282239c7d8e8606c88b15f7f2c7f30b5ec1b7fd4
TOMORROW.EXE     Miner installer    43299c2cdc2a0290de05b01ec6d04160bfcef99f

ncr-aloha[.]net         C&C URL
support.ncr-aloha[.]net C&C URL
nesinoder[.]com         C&C URL
Support.nesinoder[.]com C&C URL
data-wire[.]net
185.41.65[.]211         C&C IP
5.34.183[.]20           C&C IP
130.0.237[.]133         C&C IP
47.90.58[.]130          Bitcoin Miner IP
185.56.80[.]118         IP used in RDP
62.20.60[.]242          IP used in RDP
78.465.89[.]74          IP used in RDP

Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security