Coralogix logs $55M for its new take on production analytics, now valued at $300-$400M

Data may be the new oil, but it’s only valuable if you make good use of it. Today, a startup that has built a new kind of production analytics platform for developers, security engineers and data scientists to track and better understand how data is moving around their networks is announcing a round of funding that underscores the demand for their technology. Coralogix, which provides stateful streaming services to engineering teams, has picked up $55 million in a Series C round of funding.

The round was led by Greenfield Partners, with Red Dot Capital Partners, StageOne Ventures, Eyal Ofer’s O.G. Tech, Janvest Capital Partners, Maor Ventures and 2B Angels also participating.

This Series C comes about 10 months after the company’s $25 million Series B, and from what we understand Coralogix’s valuation is now in the range of $300 million – $400 million, a big jump for the startup, coming on the back of 250% growth since this time last year and some 2,000 paying customers, ranging from small teams paying as little as $100/year to large enterprises paying $1.5 million/year.

Previously, Coralogix — founded in Tel Aviv and with an HQ also in San Francisco — had raised a round of $10 million.

Coralogix got its start as a platform aimed at quality assurance support for R&D and engineering teams. The focus there is on log analytics and metrics for platform engineers, and this still forms a big part of its business today. In recent years, Coralogix’s tools have also been applied to cloud security: they contribute to a company’s threat intelligence by providing a way to observe data for inconsistencies that typically point to a breach or another incident. (It integrates with AlienVault and others for this purpose.)

The third area that is just picking up now and will be developed further — one of the uses of this investment, in fact — will be to develop how Coralogix is used for business intelligence. This is a particularly interesting area because it plays into how Coralogix is built, to provide analytics on data before it is indexed.

“It’s about high volume, but low value data,” Ariel Assaraf, Coralogix’s CEO, said in an interview. “Customers don’t want to store the data [or index it] but want to view it live and visualize it. We are starting to see a use case where business information and our analytics come together for sentiment analysis and other areas.”

There are dozens of strong companies providing tools to cover log analytics and data observability, underscoring the general growth and importance of DevOps these days. They include companies like Datadog, Sumo Logic, Splunk and more.

However, Assaraf believes that what sets his company apart from them is its approach: essentially it has devised a way of observing and analyzing data streams before they get indexed, giving engineers more flexibility to query the data in different ways and glean more insights, faster. The other issue with indexing, he said, is that it adds latency, which also has a big impact on overall costs for an organization.

For many of Coralogix’s competitors, turning around the nature of the business to focus not first on indexing would be akin to completely rebuilding the business, hard to do at their scale (although in fact this is what Coralogix did, when it pivoted as a small company several years ago, which is when Assaraf took on the role of CEO). One company he believes might be more of a direct rival is Confluent.

“I think we will see Confluent getting into observability very soon because they have the streaming capabilities,” he said, “but not the tools we have.” Another potential competitor looming on the horizon is Salesforce, whose possible move into the area underscores the shifting sands of what is powering enterprise IT investment decisions today.

Salesforce already has Heroku, Slack and Tableau, three major tools developers use for tracking and working with data, Assaraf pointed out, and there were strong rumors of it trying to buy DataDog, “so we definitely see where they are going. For sure, they understand the way things are changing. All the budgets when Salesforce first started were in marketing and sales. Now you sell to IT. Salesforce understands that shift to developers, and so that is where they are going.”

It makes for a very interesting landscape and future for companies like Coralogix, one that investors believe the startup will continue to shape as it has up to now.

“The dramatic shift in digital transformation is generating an explosion of data, which until now has forced enterprises to decide between cost and coverage,” said Shay Grinfeld, managing partner at Greenfield Partners. “Coralogix’s real-time streaming analytics pipeline employs proprietary algorithms to break this tradeoff and generate significant cost savings. Coralogix has built a customer roster that comprises some of the largest and most innovative companies in the world. We’re thrilled to partner with Ariel and the Coralogix team on their journey to reinvent the future of data observability.”

Homebase raises $71M for a team management platform aimed at SMBs and their hourly workers

Small and medium enterprises have become a big opportunity in the world of B2B technology in the last several years, and today a startup that’s building tools aimed at helping them manage their teams of workers is announcing some funding that underscores the state of that market. Homebase, which provides a platform that helps SMBs manage various services related to their hourly workforces, has closed $71 million in funding, a Series C that values the company at between $500 million and $600 million, according to sources close to the startup.

The round has a number of big names in it that are as much a sign of how large VCs are valuing the SMB market right now as of the strategic interest of the individuals who are also participating. GGV Capital is leading the round, with past backers Bain Capital Ventures, Baseline Ventures, Bedrock, Cowboy Ventures and Khosla Ventures also participating. Individuals include Focus Brands president Kat Cole; Jocelyn Mangan (a board member at Papa John’s and ChowNow and former COO of Snag); Mike Dinsdale, former CFO of payroll and benefits company Gusto; Guild Education founder Rachel Carlson; star athletes Jrue and Lauren Holiday; and alright alright alright actor, famous everyman and future political candidate Matthew McConaughey.

Homebase has raised $108 million to date.

The funding is coming on the heels of strong growth for Homebase (which is not to be confused with the UK/Irish home improvement chain of the same name, nor the YC-backed Vietnamese proptech startup).

The company now has some 100,000 small businesses, with 1 million employees in total, on its platform, which use Homebase to manage all manner of activities related to workers that are paid hourly, including (most recently) payroll, as well as shift scheduling, timeclocks and timesheets, hiring and onboarding, communication, and HR compliance.

John Waldmann, Homebase’s founder and CEO, said the funding will go towards both bringing on more customers and expanding the list of services offered to them, which could include more features geared to front-line and service workers, as well as features for small businesses that might also have some “desk” workers who still work hourly.

The common thread, Waldmann said, is not the exact nature of those jobs, but the fact that all of them, partly because of that hourly aspect, have been largely underserved by tech up to now.

“From the beginning, our mission was to help local businesses and their teams,” he said. Part of his inspiration he said came from people he knew: a childhood friend who owned an independent, expanding restaurant chain, and was going through the challenges of managing his teams there, carrying out most of his work on paper; and his sister who worked in hospitality, which didn’t look all that different from his restaurant friend’s challenges. She had to call in to see when she was working, writing her hours in a notebook to make sure she got paid accurately. 

“There are a lot of tech companies focused on making work easier for folks that sit at computers or desks, but are building tools for these others,” Waldmann said. “In the world of work, the experience just looks different with technology.”

Homebase currently is focused on the North American market — there are some 5 million small businesses in the U.S. alone, so there is a lot of opportunity there. The huge pressure that many of them have experienced in the last 18 months of living with Covid-19, leading some to shut down altogether, has also focused minds on how to manage and carry out work much more efficiently and in a more organized way, to ensure you know where your staff is and that your staff knows what it should be doing at all times.

What will be interesting is to see what kinds of services Homebase adds to its platform over time: in a way it’s a sign of how the hourly wage workers are becoming a more sophisticated and salient aspect of the workforce, with their own unique demands. Payroll, which is now live in 27 states, also comes with pay advances, opening the door to other kinds of financial services for Homebase, for example.

“Small businesses are the lifeblood of the American economy, with more than 60% of Americans employed by one of our 30 million small businesses. In a post-pandemic world, technology has never been more important to businesses of all sizes, including SMBs,” said Jeff Richards, managing partner at GGV Capital and new Homebase board member, in a statement. “The team at Homebase has worked tirelessly for years to bring technology to SMBs in a way that helps drive increased profitability, better hiring and growth. We’re thrilled to see Homebase playing such an important role in America’s small business recovery and thrilled to be part of the mission going forward.”

It’s interesting to see McConaughey involved in this round, given that he’s most recently made a turn towards politics, with plans to run for governor of Texas in 2022. “Hard working people who work in and run restaurants and local businesses are important to all of us,” he said in a statement. “They play an important role in giving our cities a sense of livelihood, identity, and community. This is why I’ve invested in Homebase. Homebase brings small business operations into the modern age and helps folks across the country not only continue to work harder, but work smarter.”

Blameless raises $30M to guide companies through their software lifecycle

Site reliability engineering platform Blameless announced Tuesday it raised $30 million in a Series B funding round, led by Third Point Ventures with participation from Accel, Decibel and Lightspeed Venture Partners, to bring total funding to over $50 million.

Site reliability engineering (SRE) is an extension of DevOps designed for more complex environments.

Blameless, based in San Mateo, California, emerged from stealth in 2019 after raising both a seed and Series A round, totaling $20 million. Since then, it has turned its business into a blossoming software platform.

Blameless’ platform provides the context, guardrails and automated workflows so engineering teams are unified in the way they communicate and interact, especially to resolve issues quicker as they build their software systems.

It originally worked with tech-forward teams at large companies, like Home Depot, that were “dipping [their toes] into the space and now [want] to double down,” co-founder and CEO Lyon Wong told TechCrunch.

The company still works with those tech-forward teams, but in the past two years, more companies sought out resident SRE architect Kurt Anderson to advise them, causing Blameless to change up its business approach, Wong said.

Other companies are also seeing a trend of customers asking for support — for example, in March, Google Cloud unveiled its Mission Critical Services support option for SRE to serve in a similar role as a consultant as companies move toward readiness with their systems. And in February, Nobl9 raised a $21 million Series B to provide enterprises with the tools they need to build service-level-objective-centric operations, which is part of a company’s SRE efforts.

Blameless now has interest from more mainstream companies in the areas of enterprise, logistics and healthcare. These companies aren’t necessarily focused on technology, but see a need for SRE.

“Companies recognize the shortfall in reliability, and then the question they come to us with is how do they get from where they are to where they want to be,” Anderson said. “Often companies that don’t have a process respond with ‘all hands on deck’ all the time, but instead need to shift to the right people responding.”

Lyon plans to use the new funding to fill key leadership roles and to fund the company’s go-to-market strategy and product development, enabling the company to go after larger enterprises.

Blameless doubled its revenue in the last year and will expand to service all customer segments, adding small and emerging businesses to its roster of midmarket and large companies. The company also expects to double headcount in the next three quarters.

As part of the funding announcement, Third Point Ventures partner Dan Moskowitz will join Blameless’ board of directors with Wong, Accel partner Vas Natarajan and Lightspeed partner Ravi Mhatre.

“Freeing up engineering to focus on shipping code is exactly what Blameless achieves,” said Moskowitz in a written statement. “The Blameless market opportunity is big as we see teams struggle and resort to creating homegrown playbooks and point solutions that are incomplete and costly.”


No-code Bubble raises $100M to make technical co-founders obsolete

Among Silicon Valley circles, a fun parlor game is to ask to what extent world GDP levels are held back by a lack of computer science and technical training. How many startups could be built if hundreds of thousands or even millions more people could code and bring their entrepreneurial ideas to fruition? How many bureaucratic processes could be eliminated if developers were more latent in every business?

The answer, of course, is on the order of “a lot,” but the barriers to reaching this world remain formidable. Computer science is a challenging field, and despite proactive attempts by legislatures to add more coding skills into school curriculums, the reality is that the demand for software engineering vastly outstrips the supply available in the market.

Coding is not a bubble, and Bubble wants to empower the democratization of software development and the creation of new startups. Through its platform, Bubble enables anyone — coder or not — to begin building modern web applications using a click-and-drag interface that can connect data sources and other software together in one fluid interface.

It’s a bold bet — and it’s just received a bold bet as well. Bubble announced today that Ryan Hinkle of Insight Partners has led a $100 million Series A round into the company. Hinkle, a longtime managing director at the firm, specializes in growth buyout deals as well as growth SaaS companies.

If that round size seems huge, it’s because Bubble has had a long history as a bootstrapped company before reaching its current scale. Co-founders Emmanuel Straschnov and Josh Haas spent seven years bootstrapping and tinkering with the product before securing a $6.5 million seed round in June 2019 led by SignalFire. Interestingly, according to Straschnov, Insight was the first venture firm to reach out to Bubble all the way back in 2014. Seven years on, the two have now signed and closed a deal.

Since the seed round, Bubble has been expanding its functionality. As a no-code tool, any missing feature could potentially block an application from being built. “In our business, it’s a features game,” Straschnov said. “[Our users] are not technical, but they have high standards.” He noted that the company introduced a plugins system that allows the Bubble community to build their own additions to the platform.

Image Credits: Bubble. Its editor offers a clickable interface for designing dynamic web applications. 

As the platform matured, it happened to nail the timing of the COVID-19 pandemic last year, which saw people scrambling for new skills and improving their prospects amid a gloomy job market. Straschnov says that Bubble saw an immediate bump in usage in March and April 2020, and the company has tripled revenue over the past 12 months.

Bubble’s focus for the past eight years has been on helping people turn their ideas into startups. The company’s proposition is that a large number of even venture-backed companies could be built using Bubble without the expense of a large engineering team writing code from scratch.

Unlike other no-code tools, which focus on building internal corporate apps, Straschnov says that the company remains as focused today on these new companies as it has always been. “[We’re] not trying to move upmarket just yet — we are trying to do the same thing that AWS and Stripe did five years ago,” he said. Instead of trying to dominate the enterprise, Bubble wants to grow with its nascent customers as they expand in scale.

The company today charges a range of prices depending on the performance and scale requirements of an application. There’s a free tier, and then professional pricing starts at $25/month all the way to $475/month for its top-listed offering. Enterprise pricing is also available, as is special pricing for students.

On the latter point, Bubble is looking to invest heavily in education using its newly raised capital. While the platform is easy to use, the reality is that any design of a web application can be intimidating for a new user, particularly one who isn’t technical. So the company wants to create more videos and documentation while also heavily investing in partnerships with universities to get more students using the platform.

While the no-code space has seen prodigious investment, Straschnov said that “I don’t look at all the no-code players as competition … the true competition we have is code.” He noted that while the no-code label has been assumed by more and more startups, very few companies are focused on his company’s specific niche, and he believes he offers a compelling value proposition in that category.

The company has doubled headcount since the beginning of the pandemic, growing from around 21 employees to about 45 today. They are lightly concentrated in New York City, but the company operates remotely and has folks in 15 states as well as in France. Straschnov says that the company is looking to aggressively hire technical talent to build out the product using its new funds.

RapidSOS learned that the best product design is sometimes no product design

Sometimes, the best missions are the hardest to fund.

For the founders of RapidSOS, improving the quality of emergency response by adding useful data, like location, to 911 calls was an inspiring objective, and one that garnered widespread support. There was just one problem: How would they create a viable business?

The roughly 5,700 public safety answering points (PSAPs) in America weren’t great contenders. Cash-strapped and highly decentralized, 911 centers already spent their meager budgets on staffing and maintaining decades-old equipment, and they had few resources to improve their systems. Plus, appropriations bills in Congress to modernize centers have languished for more than a decade, a topic we’ll explore more in part four of this EC-1.

People obviously desire better emergency services — after all, they are the ones who will dial 911 and demand help someday. Yet, they never think about emergencies until they actually happen, as RapidSOS learned from the poor adoption of its Haven app we discussed in part one. People weren’t ready to pay a monthly subscription for these services in advance.

So, who would pay? Who was annoyed enough with America’s antiquated 911 system to be willing to shell out dollars to fix it?

Ultimately, the company iterated itself into essentially an API layer between the thousands of PSAPs on one side and developers of apps and consumer devices on the other. These developers wanted to include safety features in their products, but didn’t want to engineer hundreds of software integrations across thousands of disparate agencies. RapidSOS’ business model thus became offering free software to 911 call centers while charging tech companies to connect through its platform.

It was a tough road and a classic chicken-and-egg problem. Without call center integrations, tech companies wouldn’t use the API — it was essentially useless in that case. Call centers, for their part, didn’t want to use software that didn’t offer any immediate value, even if it was being given away for free.

This is the story of how RapidSOS just plowed ahead against those headwinds from 2017 onward, ultimately netting itself hundreds of millions in venture funding, thousands of call agency clients, dozens of revenue deals with the likes of Apple, Google and Uber, and partnerships with more software integrators than any startup has any right to secure. Smart product decisions, a carefully calibrated business model and tenacity would eventually lend the company the escape velocity to not just expand across America, but increasingly across the world as well.

In this second part of the EC-1, I’ll analyze RapidSOS’ current product offerings and business strategy, explore the company’s pivot from consumer app to embedded technology and take a look at its nascent but growing international expansion efforts. It offers key lessons on the importance of iterating, how to secure the right customer feedback and determining the best product strategy.

The 411 on a 911 API

It became clear from the earliest stages of RapidSOS’ journey that getting data into the 911 center would be its first key challenge. The entire 911 system — even today in most states — is built for voice and not data.

Karin Marquez, senior director of public safety at RapidSOS, whom we met in the introduction, worked for decades at a PSAP near Denver, working her way up from call taker to senior supervisor. “When I started, it was a one-man dispatch center. So, I was working alone, I was answering 911 calls, non-emergency calls, dispatching police, fire and EMS,” she said.

RapidSOS senior director of public safety Karin Marquez. Image Credits: RapidSOS

As a 911 call taker, her very first requirement for every call was figuring out where an emergency is taking place — even before characterizing what is happening. “Everything starts with location,” she said. “If I don’t know where you are, I can’t send you help. Everything else we can kind of start to build our house on. Every additional data [point] will help to give us a better understanding of what that emergency is, who may be involved, what kind of vehicle they’re involved in — but if I don’t have an address, I can’t send you help.”

Business messaging platform Gupshup raises $240 million from Tiger Global, Fidelity and others

Gupshup, a business messaging platform that began its journey in India 15 years ago, surprised many when it raised $100 million in April this year, roughly 10 years after its last financing round, and attained the coveted unicorn status. Now just three months later, the San Francisco-headquartered startup has secured even more capital from high-profile investors.

On Wednesday, Gupshup said it had raised an additional $240 million as part of the same Series F financing round. The new investment was led by Fidelity Management, Tiger Global, Think Investments, Malabar Investments, Harbor Spring Capital, certain accounts managed by Neuberger Berman Investment Advisers, and White Oak.

Neeraj Arora, formerly a high-profile executive at WhatsApp who played an instrumental role in helping the messaging platform sell to Facebook, also wrote a significant check to Gupshup in the new tranche of investment, which continues to value the startup at $1.4 billion as in April.

In an interview with TechCrunch earlier this week, Beerud Sheth, co-founder and chief executive of Gupshup, said he extended the financing round after receiving too many inbound requests from investors. The new investors will provide the startup with crucial insight and expertise, he said. The round is now closed, he said.

The startup operates a conversational messaging platform used by over 100,000 businesses and developers today to build their own messaging and conversational experiences for their users and customers. It is beginning to consider exploring the public markets by next year, said Sheth, though he cautioned that a final decision is yet to be made.

“Conversation is becoming a bigger part of doing business and it has partly been driven by the pandemic,” he said over a phone call. “Second, we have always been the leader in this space, but the product innovation we have focused on in the last two to three years has worked in our favor.”

The new investment, which includes some secondary buyback (some early investors and employees are selling their stakes), will be deployed into broadening the product offerings of Gupshup, he said. The startup is also eyeing some M&A opportunities and may close some deals this year, he added.

Some of the notable customers of Gupshup, which leads the business messaging market

Before Gupshup became so popular with businesses, it existed in a different avatar. For the first six years of its existence, Gupshup was best known for enabling users in India to send group messages to friends. (These cheap texts and other clever techniques enabled tens of millions of Indians to stay in touch with one another on phones a decade ago.)

That model eventually became unfeasible to continue, Sheth told TechCrunch in an earlier interview.

“For that service to work, Gupshup was subsidizing the messages. We were paying the cost to the mobile operators. The idea was that once we scale up, we will put advertisements in those messages. Long story short, we thought as the volume of messages increases, operators will lower their prices, but they didn’t. And also the regulator said we can’t put ads in the messages,” he said earlier this year.

That’s when Gupshup decided to pivot. “We were neither able to subsidize the messages, nor monetize our user base. But we had all of this advanced technology for high-performance messaging. So we switched from consumer model to enterprise model. So we started to serve banks, e-commerce firms, and airlines that need to send high-level messages and can afford to pay for it,” said Sheth, who also co-founded the freelance marketplace Elance in 1998.

Over the years, Gupshup has expanded to newer messaging channels, including conversational bots, and it also helps businesses set up and run their WhatsApp channels to engage with customers.

Sheth said scores of major firms worldwide in banking, e-commerce, travel and hospitality and other sectors are among the clients of Gupshup. These firms are using Gupshup to send their customers transaction information and authentication codes, among other use cases. “These are not advertising or promotional messages. These are core service information,” he said.

“We have followed Gupshup’s progress for a long while and believe that they are the most evolved customer communications platform in India and increasingly in other emerging markets, with a leadership position in the most attractive and fastest growing sub-segments of the market,” said Sumeet Nagar, Managing Director of Malabar Investments, in a statement.

“We believe that Beerud and team have the unique opportunity to expand the addressable market on the back of new offerings and scale the business up significantly, which is a perfect recipe for massive value creation. I have known Beerud for over three decades, and all of us at Malabar are delighted to partner with Gupshup in the next stage of their journey.”

Atera raises $77M at a $500M valuation to help SMBs manage their remote networks like enterprises do

When it comes to software to help IT manage workers’ devices wherever they happen to be, enterprises have long been spoiled for choice — a situation that has come in especially handy in the last 18 months, when many offices globally have gone remote and people have logged into their systems from home. But the same can’t really be said for small and medium enterprises: as with so many other aspects of tech, they’ve long been overlooked when it comes to building modern IT management solutions tailored to their size and needs.

But there are signs of that changing. Today, a startup called Atera, which has been building remote, low-cost, predictive IT management solutions specifically for organizations with fewer than 1,000 employees, is announcing a funding round of $77 million — a sign of the demand in the market, and of Atera’s own success in addressing it. The investment values Atera at $500 million, the company confirmed.

The Tel Aviv-based startup has amassed some 7,000 customers to date, managing millions of endpoints — computers and other devices connected to them — across some 90 countries, and providing real-time diagnostics across the datapoints generated by those devices to predict problems with hardware, software, networking or security.

Atera’s aim is to use the funding both to continue building out that customer footprint, and to expand its product — specifically adding more functionality to the AI that it currently uses (and for which Atera has been granted patents) to run predictive analytics, one of the technologies that today are part and parcel of solutions targeting larger enterprises but typically are absent from much of the software out there aimed at SMBs.

“We are in essence democratizing capabilities that exist for enterprises but not for the other half of the economy, SMBs,” said Gil Pekelman, Atera’s CEO, in an interview.

The funding is being led by General Atlantic, and it is notable for being only the second time that Atera has ever raised money — the first was earlier this year, a $25 million round from K1 Investment Management, which is also in this latest round. Before this year, Atera, which was founded in 2016, turned profitable in 2017 and then intentionally went out of profit in 2019 as it used cash from its balance sheet to grow. Through all of that, it was bootstrapped. (And it still has cash from that initial round earlier this year.)

As Pekelman — who co-founded the company with Oshri Moyal (CTO) — describes it, Atera’s approach to remote monitoring and management, as the space is typically called, starts first with software clients installed at the endpoints that connect into a network, which give IT managers the ability to monitor a network, regardless of the actual physical range, as if it’s located in a single office. Around that architecture, Atera essentially monitors and collects “datapoints” covering activity from those devices — currently taking in some 40,000 datapoints per second.

To be clear, these datapoints are not related to what a person is working on, or any content at all, but how the devices behave, and the diagnostics that Atera amasses and focuses on cover three main areas: hardware performance, networking and software performance and security. Through this, Atera’s system can predict when something might be about to go wrong with a machine, or why a network connection might not be working as it should, or if there is some suspicious behavior that might need a security-oriented response. It supplements its work in the third area with integrations with third-party security software — Bitdefender and Acronis among them — and by issuing updated security patches for devices on the network.

The whole system is built to be run in a self-service way. You buy Atera’s products online, and there are no salespeople involved — in fact most of its marketing today is done through Facebook and Google, Pekelman said, which is one area where it will continue to invest. This is one reason why it’s not really targeting larger enterprises (the others are the level of customization that would be needed, as well as more sophisticated service level agreements). But it is also the reason why Atera is so cheap: it costs $89 per month per IT technician, regardless of the number of endpoints that are being managed.

“Our constituencies are up to 1,000 employees, which is a world that was in essence quite neglected up to now,” Pekelman said. “The market we are targeting and that we care about are these smaller guys and they just don’t have tools like these today.” Since the model is $89 per month per technician using the software, it means that a company with 500 people and four technicians is paying $356 per month to manage their networks, peanuts in the greater scheme of IT services, and one reason why Atera has caught on as more and more employees have gone remote, and are looking like they will stay that way.

And the fact that this model is thriving is also one of the reasons investors are interested.

“Atera has developed a compelling all-in-one platform that provides immense value for its customer base, and we are thrilled to be supporting the company in this important moment of its growth trajectory,” said Alex Crisses, MD, Global Head of New Investment Sourcing and Co-Head of Emerging Growth at General Atlantic, in a statement. “We are excited to work with a category-defining Israeli company, extending General Atlantic’s presence in the country’s cutting-edge technology sector and marking our fifth investment in the region. We look forward to partnering with Gil, Oshri, and the Atera team to help the company realize its vision.”

Detecting XLoader | A macOS ‘Malware-as-a-Service’ Info Stealer and Keylogger

Threat actors have come to recognize the reality that today’s organizations operate fleets of devices encompassing all the major OS vendors – Apple, Microsoft, Google and many flavors of Linux – and are adapting accordingly. Threats that can be compiled on one platform but produce executables targeting many are a productivity boon to criminals, who now operate in an increasingly competitive environment trying to sell their wares.

The latest such threat to come to attention is XLoader, a Malware-as-a-Service info stealer and keylogger that researchers say was developed out of the ashes of FormBook. Unlike its Windows-only predecessor, XLoader targets both Windows and macOS. In this post, we take an initial look at the macOS version of XLoader, describe its behavior and show how XLoader can be detected on Apple’s Mac platform.

XLoader for Mac – Java Runtime For the Steal

The macOS sample we analyzed comes as both a standalone binary and as a compiled .jar file. The .jar file appears to be distributed as an attachment in a phishing lure, such as in this document Statement SKBMT 09818.jar.

XLoader is likely distributed by mail spam

Such files require the Java Runtime Environment, and for that reason the malicious .jar file will not execute on a macOS install out of the box, since Apple stopped shipping JRE with Macs over a decade ago.

Nonetheless, Java is still a common requirement in enterprise environments and is still in use for some banking applications. As a result, many organizations will have users that either do or must install the Oracle version of Java to meet these needs. As a third-party plugin, the Oracle JRE is installed at /Library/Internet Plug-Ins/JavaAppletPlugin.plugin.

When the malware is executed as a .jar file, the execution chain begins with the OS-provided JavaLauncher at /System/Library/CoreServices/JavaLauncher.app.

XLoader’s execution chain begins with the JavaLauncher

The JavaLauncher is also populated in the Accessibility pane in System Preferences’ Privacy tab and a dialog is popped requesting the user to grant access for automation. As we shall see below, this is likely leveraged as part of the info stealer’s functionality.

The JavaLauncher requests access to control other applications

The com.oracle.JavaInstaller will also populate the ‘Full Disk Access’ table in the same tab. This remains unchecked by default and, at least on our test, no dialog was presented to the user to request permissions.

XLoader Behavior on macOS

On execution the malware drops a 32×32 pixel Windows image file in the user’s home directory called NVFFY.ico.

A Windows icon file is dropped in the user’s home folder

The user’s default image viewer – typically the built-in Preview.app – will be launched to display this image. At this point, one could imagine that even the most unsuspecting user opening the ‘Statement SKBT’ file is going to think that something is amiss.

The .ico file as presented to the victim

It’s unclear what the malware authors were thinking here: perhaps the sample is an early development or a test sample. Alternatively, this may be a reflection of the hazards of cross-platform malware, where the author’s assumptions on the Windows platform were not fully tested on a macOS device.

In any case, no interaction is required from the user and the malware continues to drop and execute the rest of its components. This involves dropping and executing a Mach-O file in the user’s Home folder. This file, kIbwf02l, writes a hidden application bundle, also located in the victim’s Home folder, and containing a copy of itself. It then writes and loads a user LaunchAgent with a program argument pointing to the copy in the hidden app bundle. From then on, the kIbwf02l file appears to be redundant but is not cleaned up by the malware.

Example of an XLoader LaunchAgent

The label for the LaunchAgent and the names of the hidden app and executable are all randomized and vary from execution to execution. The binary is passed the argument start as a launch parameter.

The hidden application is itself a barebones bundle containing only the Info.plist and the Mach-O executable.

XLoader’s hidden application bundle

A copy of the same executable, sans bundle and with the filename kIbwf02l, is also dropped in the user’s home directory.
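The persistence described above (a user LaunchAgent whose program argument points into a hidden .app bundle in the home folder, launched with the argument start, under a randomized label) can be turned into a simple triage check. The following is an added example written for this post, not SentinelOne’s detection logic or code from the malware analysis: it parses LaunchAgent plists and reports which of those traits each one shows. The sample plists are constructed; the label com.j85H64iPLnW.rXxHYP is the one from the IoC list below, while the hidden bundle path /Users/victim/.x7Qp2L.app and the benign updater are assumed illustrative values.

```python
import plistlib
from pathlib import Path

# Assumed home directory for the constructed samples below.
VICTIM_HOME = Path("/Users/victim")

# Constructed sample shaped like the XLoader LaunchAgent described in the post
# (label from the post's IoC list; the hidden bundle path is an assumed example).
SAMPLE_XLOADER_PLIST = plistlib.dumps({
    "Label": "com.j85H64iPLnW.rXxHYP",
    "ProgramArguments": [
        "/Users/victim/.x7Qp2L.app/Contents/MacOS/x7Qp2L",
        "start",
    ],
})

# Constructed benign counterpart: a vendor updater installed under /Applications.
SAMPLE_BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
})


def _looks_random(segment: str) -> bool:
    """Weak signal: a label segment that mixes digits with upper and lower case."""
    return (any(c.isdigit() for c in segment)
            and any(c.isupper() for c in segment)
            and any(c.islower() for c in segment))


def classify_launch_agent(plist_bytes: bytes, home: Path) -> list[str]:
    """Return the reasons (possibly none) a LaunchAgent plist resembles XLoader persistence."""
    reasons: list[str] = []
    try:
        agent = plistlib.loads(plist_bytes)
    except Exception:  # InvalidFileException or an XML parse error
        return ["unparseable plist"]

    # launchd accepts either Program or ProgramArguments; normalise to one argv list.
    args = list(agent.get("ProgramArguments") or [])
    if isinstance(agent.get("Program"), str):
        args = [agent["Program"]] + args
    if not args:
        return reasons

    program = Path(args[0])
    try:
        relative = program.relative_to(home)
    except ValueError:
        relative = None

    # Signal 1: the executable lives inside a hidden .app bundle under the home folder.
    if relative is not None and any(
        part.startswith(".") and part.endswith(".app") for part in relative.parts
    ):
        reasons.append("program inside hidden .app bundle under home directory")

    # Signal 2: the binary is passed 'start' as its launch parameter.
    if len(args) >= 2 and args[1] == "start":
        reasons.append("binary launched with 'start' argument")

    # Signal 3: random-looking reverse-DNS label (weak on its own, so it comes last).
    label = agent.get("Label", "")
    if any(_looks_random(seg) for seg in label.split(".")[1:]):
        reasons.append("random-looking label")

    return reasons


def scan_launch_agents(home: Path) -> dict[str, list[str]]:
    """Triage every plist in <home>/Library/LaunchAgents; returns only files with findings."""
    findings: dict[str, list[str]] = {}
    agents_dir = home / "Library" / "LaunchAgents"
    if not agents_dir.is_dir():
        return findings
    for plist_path in sorted(agents_dir.glob("*.plist")):
        reasons = classify_launch_agent(plist_path.read_bytes(), home)
        if reasons:
            findings[plist_path.name] = reasons
    return findings


if __name__ == "__main__":
    print(classify_launch_agent(SAMPLE_XLOADER_PLIST, VICTIM_HOME))
    print(classify_launch_agent(SAMPLE_BENIGN_PLIST, VICTIM_HOME))
    # Run against the current user's own LaunchAgents directory.
    for name, why in scan_launch_agents(Path.home()).items():
        print(name, why)
```

The label heuristic is deliberately the weakest of the three signals: plenty of legitimate agents carry odd labels, so a hit on the label alone is a prompt to look, whereas a hidden bundle under the home folder combined with the start argument is the pattern the post actually describes.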

Analysis of the XLoader Mach-O

The compiled Mach-O executable pointed to by the persistence agent is heavily stripped and obfuscated. As the image below indicates, static analysis using tools like strings will show little, and dynamic analysis is complicated by a number of anti-debugging features.

Left: the hidden app’s Info.plist. Right: strings and symbols in the executables

For the purposes of quick triage, we extracted the stack strings from the Mach-O using otool to get an initial idea of the info stealer’s functionality. With further processing, either manually or with radare2, we can match these strings to particular functions.

Stack strings found in XLoader’s macOS version

The strings here show that XLoader attempts to steal credentials from Chrome and Firefox browsers. We also see an indication that the malware calls the NSWorkspace API to identify the front window via the Accessibility API AXTitleFocusedWindow and leverages NSPasteboard, likely to copy information from the window of the user’s currently active process. Calling Accessibility APIs requires user consent as this functionality is controlled by TCC. As noted above, the JavaLauncher has such permissions.

Other researchers have suggested that XLoader’s internet traffic is laden with decoys to disguise the actual C2 used to transmit data. As we did not observe any credential stealing traffic in our test, we cannot confirm that suspicion, but XLoader’s internet traffic is certainly ‘noisy’. We observed the malware reaching out to a variety of known phishing and malware sites.

Some of the IP addresses contacted by the XLoader malware

One of a number of malicious domains XLoader contacts (VirusTotal)

Detecting XLoader Infostealer on macOS

At the end of this post we provide a number of macOS-specific Indicators of Compromise to help organizations and users in general identify an XLoader infection. SentinelOne customers are protected against this malware automatically, regardless of whether it is executed via the Java Runtime Environment or by the standalone XLoader Mach-O.

In our test, we set the agent to ‘Detect-only’ policy in order to observe the malware’s behaviour. Customers are advised to always use the ‘Protect’ policy which prevents execution of malware entirely.

In ‘Detect-only’ mode, the target’s Mac device will immediately alert the user via Notifications:

Security teams and IT administrators, meanwhile, would see something similar to the following in the Management console.

After remediation, the UI (version 21.7EA) on the device indicates that the threat has been successfully killed and quarantined.

Conclusion

XLoader is an interesting and somewhat unusual example in the macOS malware world. Its dependency on Java and its functionality suggest it is primarily targeting organizations where the threat actors expect Java applications to be in use. Among other things, that includes certain online banking applications, and the attractiveness from a criminal’s perspective of a keylogger and info stealer in that environment can certainly be understood. It is also worth noting that the malware’s minimum system requirement is 10.6 Snow Leopard (over 10 years old), so the authors are certainly casting their net wide. On the other hand, the implementation on macOS is clumsy at best and is likely to raise suspicions. No doubt the malware authors will be looking to improve on this in future iterations.

Indicators of Compromise

SHA1 Hashes

XLoader Mach-O Executable: kIbwf02l
7edead477048b47d2ac3abdc4baef12579c3c348

Suspected Phishing lure attachment: Statement SKBMT 09818.jar
cf51d75ae620a06df19c1fb29739de0dc2b34915

Example Persistence LaunchAgent: com.j85H64iPLnW.rXxHYP
cb3e7ac4e2e83335421f8bbc0cf953cb820e2e27

Contacted IPs

128.65.195.232
162.0.229.244
184.168.131.241
204.11.56.48
216.239.38.21
34.102.136.180
63.250.34.223
64.190.62.111
64.32.8.70
72.29.74.90

Interesting Strings

.appMacOSContentsInfo.plist
.exe.dll
/logins.json
10.:1.1OS X XLNG:
200 OK
80987dat=&=&un=&br=&os=1
DB1ChromeURL:
guidURL: Firefox
NSStringstringWithCString:encoding:
open
passtokenemailloginsigninaccountHost: &GETPUTPOSTOPTIONSGET
r%s <</dev/null
Recovery
rm -rf
rm unzip nss3.zip -d
saltysalt
UTF8StringNSPasteboardstringForType:generalPasteboardpublic.utf8-plain-text
UTF8StringNSWorkspacesharedWorkspaceprocessIdentifierfrontmostApplicationAXTitleAXFocusedWindow
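The IoCs above are easiest to use when they are wired into a repeatable check rather than read off the page. The following is an added example written for this post (not SentinelOne’s tooling or code from the analysis): it hashes a file against the three SHA1s, groups the distinctive strings from the list by the capability they indicate (the browser credential theft and active-window/pasteboard capture described in the analysis section), and sweeps log lines for the contacted IPs. The sample blob and the proxy log lines are constructed; the log format and the benign address 192.0.2.10 are assumptions.

```python
import hashlib
import re

# SHA1 hashes, IP addresses and strings below are taken from the IoC list in this post.
XLOADER_SHA1 = {
    "7edead477048b47d2ac3abdc4baef12579c3c348": "XLoader Mach-O executable (kIbwf02l)",
    "cf51d75ae620a06df19c1fb29739de0dc2b34915": "phishing lure attachment (Statement SKBMT 09818.jar)",
    "cb3e7ac4e2e83335421f8bbc0cf953cb820e2e27": "persistence LaunchAgent (com.j85H64iPLnW.rXxHYP)",
}

XLOADER_IPS = {
    "128.65.195.232", "162.0.229.244", "184.168.131.241", "204.11.56.48",
    "216.239.38.21", "34.102.136.180", "63.250.34.223", "64.190.62.111",
    "64.32.8.70", "72.29.74.90",
}

# Distinctive strings from the list above, grouped by the capability they point to.
# Generic strings such as "Chrome" or "open" are left out: they match far too much benign software.
CAPABILITY_STRINGS = {
    "browser credential theft": [b"/logins.json", b"saltysalt", b"nss3.zip"],
    "active-window and clipboard capture": [b"AXFocusedWindow", b"frontmostApplication", b"NSPasteboard"],
    "HTTP exfiltration format": [b"un=&br=&os="],
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def triage_file(data: bytes) -> dict:
    """Hash-match a file against the known samples and report which capability strings it carries."""
    sha1 = hashlib.sha1(data).hexdigest()
    capabilities: dict[str, list[str]] = {}
    for capability, needles in CAPABILITY_STRINGS.items():
        found = [n.decode() for n in needles if n in data]
        if found:
            capabilities[capability] = found
    if sha1 in XLOADER_SHA1:
        verdict = "known XLoader"
    elif len(capabilities) >= 2:
        # Strings are weak individually; require two capability groups before flagging.
        verdict = "suspicious"
    else:
        verdict = "no match"
    return {
        "sha1": sha1,
        "known_sample": XLOADER_SHA1.get(sha1),
        "capabilities": capabilities,
        "verdict": verdict,
    }


def find_c2_hits(log_lines) -> list[tuple[str, str]]:
    """Return (ip, line) pairs for log lines that mention one of the contacted IPs."""
    hits = []
    for line in log_lines:
        for ip in IPV4_RE.findall(line):
            if ip in XLOADER_IPS:
                hits.append((ip, line.strip()))
    return hits


# Constructed sample input: a stand-in for a stripped binary with a few of the strings embedded.
SAMPLE_BLOB = (b"\x00" * 16
               + b"/logins.json\x00saltysalt\x00AXFocusedWindow\x00NSPasteboard\x00"
               + b"\x00" * 16)

# Constructed proxy log lines; the format is an assumption, 192.0.2.10 is a documentation address.
SAMPLE_LOGS = [
    "2021-07-21T10:02:11Z proxy src=10.0.0.42 dst=216.239.38.21 method=GET status=200",
    "2021-07-21T10:02:12Z proxy src=10.0.0.42 dst=192.0.2.10 method=GET status=200",
    "2021-07-21T10:02:15Z proxy src=10.0.0.42 dst=64.32.8.70 method=POST status=200",
]

if __name__ == "__main__":
    print(triage_file(SAMPLE_BLOB))
    for ip, line in find_c2_hits(SAMPLE_LOGS):
        print("C2 IoC hit:", ip, "|", line)
```

On a real host, feed triage_file the bytes of the Mach-O in the home folder and of any LaunchAgent plist the earlier persistence check flags, and feed find_c2_hits the egress proxy or firewall log; the hash match is conclusive, the string and IP matches are prompts for closer inspection.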

Box unwraps its answer to the $3.8B e-signature market: Box Sign

Box released its new native e-signature product Box Sign on Monday, providing e-signature capability and unlimited signatures as part of Box’s business and enterprise plans at no additional cost.

The launch comes five months after the Redwood City, California-based company agreed to acquire e-signature startup SignRequest for $55 million.

Box CEO Aaron Levie told TechCrunch the company is already securing content management for 100,000 businesses, and Box Sign represents “a breakthrough product for the company” — a new category in which Box can help customers with business processes.

“We are building out a content cloud that powers the lifecycle of content so customers can retain and manage it,” Levie said. “Every day, there are more transactions around onboarding a customer, closing a deal or an audit, but these are still done manually. We are moving that to digital and enabling the request of signatures around the content.”

Here’s how it works: Users can send documents for e-signature directly from Box to anyone, even those without a Box account. Places for signature requests and approvals can be created anywhere on the document. All of this integrates across popular apps like Salesforce and includes email reminders and deadline notifications. As with Box’s offerings, the signatures are also secure and compliant.

The global e-signature software market was estimated to be around $1.8 billion in 2020, according to Prescient & Strategic Intelligence, while IDC expects it to grow to $3.8 billion by 2023.

Levie considers the market still early as less than one-third of organizations use e-signature due to legacy tool limitations and cost barriers, revealing massive future opportunities. However, that may be changing: Box worked with banks during the pandemic that were still relying on mailing, scanning and faxing documents to help them adapt to digital processes. It also surveyed its customers last year around product capabilities, and the No. 1 “ask” was e-signature, he said.

He mentioned major players DocuSign and Adobe Sign — two products it will continue to integrate with — among the array of technology within the space. He said that Box is not trying to compete with any player, but saw a need from customers and wanted to proceed with an option for them.

The e-signature offering also follows the hiring of Diego Dugatkin in June as Box’s new chief product officer. Prior to joining, Dugatkin was vice president of product management for Adobe Document Cloud and led strategy and execution for Adobe’s suite of products, including Adobe Sign.

“Our strategy has been for many years to expand our portfolio and power more advanced use cases, as well as a vision to have one platform to manage everything,” Levie said. “Diego has two decades of tremendous domain experience, and he will make a massive dent in powering this for us.”

In addition to the e-signature product, Box also introduced its Enterprise Plus plan that includes all of the company’s major add-ons, as well as advanced e-signature capabilities that will be available later this summer, the company said.


ActiveFence comes out of the shadows with $100M in funding and tech that detects online harm, now valued at $500M+

Online abuse, disinformation, fraud and other malicious content is growing and getting more complex to track. Today, a startup called ActiveFence, which has quietly built a tech platform to suss out threats as they are being formed and planned, to make it easier for trust and safety teams to combat them on platforms, is coming out of the shadows to announce significant funding on the back of a surge of large organizations using its services.

The startup, co-headquartered in New York and Tel Aviv, has raised $100 million, funding that it will use to continue developing its tools and to continue expanding its customer base. To date, ActiveFence says that its customers include companies in social media, audio and video streaming, file sharing, gaming, marketplaces and other technologies — it has yet to disclose any specific names but says that its tools collectively cover “billions” of users. Governments and brands are two other categories that it is targeting as it continues to expand. It has been around since 2018 and is growing at around 100% annually.

The $100 million being announced today actually covers two rounds: its most recent Series B led by CRV and Highland Europe, as well as a Series A it never announced led by Grove Ventures and Norwest Venture Partners. Vintage Investment Partners, Resolute Ventures and other unnamed backers also participated. It’s not disclosing valuation but I understand it’s over $500 million.

“We are very honored to be ActiveFence partners from the very earliest days of the company, and to be part of this important journey to make the internet a safer place and see their unprecedented success with the world’s leading internet platforms,” said Lotan Levkowitz, general partner at Grove Ventures, in a statement.

The increased presence of social media and online chatter on other platforms has put a strong spotlight on how those forums are used by bad actors to spread malicious content. ActiveFence’s particular approach is a set of algorithms that tap into innovations in AI (natural language processing) and to map relationships between conversations. It crawls all of the obvious, and less obvious and harder-to-reach parts of the internet to pick up on chatter that is typically where a lot of the malicious content and campaigns are born — some 3 million sources in all — before they become higher-profile issues. It’s built both on the concept of big data analytics as well as understanding that the long tail of content online has a value if it can be tapped effectively.

“We take a fundamentally different approach to trust, safety and content moderation,” Noam Schwartz, the co-founder and CEO, said in an interview. “We are proactively searching the darkest corners of the web and looking for bad actors in order to understand the sources of malicious content. Our customers then know what’s coming. They don’t need to wait for the damage, or for internal research teams to identify the next scam or disinformation campaign. We work with some of the most important companies in the world, but even tiny, super niche platforms have risks.”

The insights that ActiveFence gathers are then packaged up in an API that its customers can then feed into whatever other systems they use to track or mitigate traffic on their own platforms.

ActiveFence is not the only company building technology to help platform operators, governments and brands to have a better picture of what is going on in the wider online world. Factmata has built algorithms to better understand and track sentiments online; Primer (which also recently raised a big round) also uses NLP to help its customers track online information, with its customers including government organizations that used its technology to track misinformation during election campaigns; Bolster (formerly called RedMarlin) is another.

Some of the bigger platforms have also gotten more proactive in bringing tracking technology and talent in-house: Facebook acquired Bloomsbury AI several years ago for this purpose; Twitter has acquired Fabula (and is working on bigger efforts like Birdwatch to build better tools), and earlier this year Discord picked up Sentropy, another online abuse tracker. In some cases, companies that more regularly compete against each other for eyeballs and dollars are even teaming up to collaborate on efforts.

Indeed, it may well be that ultimately there will exist multiple efforts and multiple companies doing good work in this area, not unlike other corners of the world of security, which might need more than one hammer thrown at problems to crack them. In this particular case, the growth of the startup to date, and its effectiveness in identifying early warning signs, is one reason why investors have been interested in ActiveFence.

“We are pleased to support ActiveFence in this important mission” commented Izhar Armony, the lead investor from CRV, in a statement. “We believe they are ready for the next phase of growth and that they can maintain leadership in the dynamic and fast growing trust and safety market.”

“ActiveFence has emerged as a clear leader in the developing online trust and safety category. This round will help the company to accelerate the growth momentum we witnessed in the past few years,” said Dror Nahumi, general partner at Norwest Venture Partners, in a statement.