Tipalti collects $76M from Twitter alums’ 01 Advisors and more for its AI-based accounts payable solution

Accounting is one of the cornerstones of building a business, but for most companies, getting it right is more of a necessity than one of their core competencies. That has created a vacuum, and now, a company called Tipalti — which has developed a popular solution to automate accounting for businesses that are not accounting companies by nature — has raised a significant round of funding to underscore that demand.

Today, the Israeli-Californian startup is announcing that it has picked up $76 million, money it plans to use to continue expanding the functionality of its platform and growing its business.

The funding, a Series D that brings the total raised by Tipalti to $146 million, is interesting in part because of who is providing it. Led by Zeev Ventures, it also includes backing from previous investor Group 11, along with new backers 01 Advisors, Greenspring Associates and TrueBridge Capital Partners.

In case the name doesn’t ring a bell, 01 Advisors is the new investment firm co-founded by Twitter’s former CEO and COO, Dick Costolo and Adam Bain, respectively, which started raising money only last month and appears to have disclosed one other investment before this (in the esports startup PlayVS).

01 Advisors’ interest in backing Tipalti comes from the fact that Twitter is a longtime customer of Tipalti’s, dating back to when Costolo and Bain were running things. Chen Amit, CEO and co-founder of Tipalti, told me in an interview that the social media company signed up around the time that it was going public, ramping up its revenue-generating functions (mainly advertising), and needed a strong accounts payable solution to pay suppliers and others in its ecosystem that wouldn’t break the bank and would help it track all the taxes and other areas that would now be getting thoroughly audited.

That experience, along with Tipalti’s wider track record among other fast-growing tech businesses whose business models are built on working with large networks of partners — other customers include Uber, Roku, Zumba, GoDaddy, Zola, GoPro, Foursquare and Vimeo — is what compelled Costolo and company to invest.

“While at Twitter, we chose Tipalti and they played a pivotal role in enabling us to scale and grow,” he said in a statement. “Tipalti’s platform was crucial in helping us manage payments to thousands of our publishers and partners around the world with ease, while delivering a flawless experience. Investing in Tipalti allows us to help bring the same benefits we experienced as operators to the thousands of companies that need this support.”

Tipalti’s emergence and growth comes out of an interesting climate shift in the world of startups. The accounting department is not the first thing people usually think about when they consider an exciting tech startup. Indeed, there’s a longstanding belief among some founders and their investors that certain ideas are too good to adulterate early on with thoughts of generating revenue, especially when the startup is in high-growth mode. However, when the scale does tip over into making money (way earlier for some than others), it becomes a crucial area to get right.

Tipalti sits among a number of other startups that have emerged in recent years to help handle less-sexy, but very essential, back-office functions, the kind that can cripple or even kill off a business if not handled well. Others in the group include the likes of AppZen, which has built AI-based expense auditing tools that it now wants to expand into other finance-team functions; and Gusto, which helps manage payroll and benefits.

There are also a number of companies looking to build better tools for accounts payable automation, including the likes of AccessPay (which also covers accounts receivable functions), OneSource Virtual and MineralTree. All of the big accounting software providers will provide a degree of automation in their products, too, although Tipalti’s Amit believes that these target much larger enterprises. RPA companies that are aiming to automate all back-office functions are also potential (if not existing) competitors.

Tipalti’s pitch is primarily to the midmarket, which is partly why it has been a big hit with startups that are growing fast but might not yet be at the point of considering solutions built for much larger companies. The tools are able to read, process, pay and account for invoices using its automation technology, and the startup measures its effectiveness in terms of how much human work it can take on.

In fact, it describes a slightly frighteningly precise efficiency equivalent: citing research from the Levvel Research Accounts Payable Survey, the average midmarket organization has “an average of 9.8 full-time accounts payable employees.” Tipalti says that its platform can provide 80% of that workload function. (The idea being that the remaining 1.96 humans (!) left over after Tipalti has done its magic can work on other tasks and no longer need to dedicate all of their time to accounts payable procedures.)

It’s not just about reducing human overhead, though.

Amit said that some 30%-40% of its customers are gig economy businesses, with a fair number working across different international markets. That makes for a very messy accounting operation. “When you have payees all over the world, that affects you every month,” he said, adding that regulations are becoming ever more stringent on how businesses account for revenues and pay out to people, with the rise in money laundering and using assets in nefarious ways. “Regulators want more information communicated around payments, or there can be a new embargo on an entity, and so you need to change that, your banking process and who you can work with.”

The big pitch with automating companies may be that they are not aiming to take humans out of work, but to free them up to work on other things that AI cannot replace — not yet, anyway — and as an added benefit, they are helping companies reduce their operational expenses and helping them to run things better. How that will play out in the longer term could indeed be great, or it could see even more people with too much time on their hands. But in the meantime, Tipalti has grown by leaps and bounds. The company says it’s now processing more than $8 billion in annual transactions, with its customer and business bookings doubling in the first half of 2019.

Tipalti is not disclosing its valuation with this round, but Amit said on the back of that growth it has tripled since it last raised money.

Vista Equity Partners buys Acquia for $1B

Vista Equity Partners, which likes to purchase undervalued tech companies and turn them around for a hefty profit, has purchased web content management and digital experience company Acquia in a deal valued at $1 billion.

Robert F. Smith, who is founder and chairman of Vista Equity Partners, says that increasingly brands understand that delivering a quality digital experience is essential to their success, and he sees Acquia as well-positioned in the market to help deliver that. “Acquia understands this and is leading the way in providing innovative solutions to its customers while, at the same time, giving back to the open source community,” Smith said in a statement.

Company co-founder Dries Buytaert, writing on his personal blog about the deal, reiterated that the company will continue to be a big open-source contributor after the deal goes through. “This investment should be great news for the Drupal and Mautic communities as we’ll have the right resources to compete against other solutions, and our deep commitment to Drupal, Mautic and Open Source will be unchanged. In fact, we will continue to increase our current level of investment in Open Source as we grow our business,” he wrote.

Scott Liewehr, principal analyst at Digital Clarity Group, says Vista tends to buy companies and then centralize operations so the companies can concentrate purely on growth. “Vista, as a PE firm, tends to make money on companies by standardizing their operations to cut costs. It runs the portfolio companies more like divisions of a larger company than independent entities,” Liewehr wrote in a tweet.

Tony Byrne, founder and principal analyst at Real Story Group, a firm that keeps a close eye on the digital experience market, points to Marketo as a prime example of how this works. Vista acquired Marketo in May 2016 for $1.8 billion in cash. It applied the centralization formula and sold the company to Adobe last year for $4.75 billion, a tidy little profit for holding the company for two years, but he cautions there is no guarantee this is how it will play out.

“For customers it depends on whether Vista is looking for mid-term income or pump-up-and-exit à la Marketo. For the former, it likely means some cost-cutting and potentially staff changes. For the latter, it means more acquisitions and heavy upselling of new services — likely as precursor to long-awaited IPO,” Byrne told TechCrunch. He added, “Tough to imagine any other software firm wanting to buy Acquia, though it’s always possible.”

It’s worth noting that Ping Identity, another firm Vista purchased in 2016, is set to go public soon, so that pathway to IPO is a direction that Vista has also taken.

Acquia, which is the commercial arm for the open-source Drupal project, had raised $173.5 million, according to Crunchbase. The Drupal project was started by Buytaert in his dorm room at the University of Antwerp in 2000. Acquia launched as the project’s commercial arm in 2007.

Fivetran hauls in $44M Series B as data pipeline business booms

Fivetran, a startup that helps companies move data from disparate repositories to data warehouses, announced $44 million Series B financing today, less than a year after collecting a $15 million Series A round.

Andreessen Horowitz (a16z) led the round with participation from existing investors Matrix Partners and CEAS Investments. As part of the deal, Martin Casado from a16z will join the Fivetran board. Today’s investment brings the total raised to more than $59 million, according to Crunchbase.

Company co-founder and CEO George Fraser said they raised a little sooner than expected, but they needed a cash infusion to keep up with the steady growth they have been seeing. He said the company also wanted to get the funding done while the capital markets were still strong. “If we wait four months or six months, the terms are not going to be that much better — and, who knows, there could be a recession. You never know how long the sun shines, and we had interest from some really good firms that we liked, and that’s a big factor too obviously,” he said.

He added that it’s not purely an economic decision. “We’re really happy with where we landed with Martin [Casado] joining the board and Andreessen Horowitz on the cap table, but [the economic outlook] was definitely part of our calculus.”

And Casado is happy to have invested in Fivetran. Writing in a blog post today about the investment, he sees a company that’s solving a big problem in a modern context. “Fivetran is a SaaS service that connects to the critical data sources in an organization, pulls and processes all the data, and then dumps it into a warehouse (e.g., Snowflake, BigQuery or RedShift) for SQL access and further transformations, if needed. If data is the new oil, then Fivetran is the pipes that get it from the source to the refinery,” he wrote.

He said that the company already has over 750 customers and a16z is included among them. It certainly doesn’t hurt when your lead investor uses your product.

The company was founded in 2012 and has been growing steadily. Last year it had 80 employees at the time of its Series A; today it has 175. Fraser expects that to double again over the next year, and it’s all driven by business needs. He says that over the last 12 months revenue has grown 3x.

With 150 connectors today, the company wants to continue to expand its array of data connection tools and cover more data requirements. But he says the connectors are complicated and that will take an investment in more engineering talent. Today’s announcement should help in that regard.

Windows 10 now runs on over 900M devices

So you thought there were 800 million Windows 10 devices that will get Microsoft’s most recent out-of-band emergency patch? Think again. As the company announced on Twitter today, Windows 10 now runs on more than 900 million devices.

That’s a bit of bad timing, but current security issues aside, the momentum for Windows 10 clearly remains steady. Last September, Microsoft said Windows 10 was running on 700 million devices, and by March of this year, that number had gone up to 800 million. That number includes standard Windows 10 desktops and laptops, as well as the Xbox and niche devices like the Surface Hub and Microsoft’s HoloLens.

As Yusuf Mehdi, Microsoft’s corporate vice president of its Modern Life, Search and Devices group, also noted, the company added more Windows 10 devices in the last 12 months than ever before.

Come January 2020, Windows 7 is hitting the end of its (supported) life, which is likely pushing at least some users to move over to a more modern (and supported) operating system.

While those numbers for Windows 10 are clearly ticking up, Microsoft itself famously thought that Windows 10 would get to 1 billion devices by the middle of 2018. At this rate, Windows 10 will likely hit 1 billion sometime in 2020.

Meme editor Kapwing grows 10X, raises $11M

Kapwing is a layman’s Adobe Creative Suite built for what people actually do on the internet: make memes and remix media. Need to resize a video? Add text or subtitles to a video? Trim or crop or loop or frame or rotate or soundtrack or… then you need Kapwing. The free web and mobile tool is built for everyone, not just designers. No software download or tutorials to slog through. Just efficient creativity.


In the year since coming out of stealth with 100,000 users, Kapwing has grown 10X, to more than 1 million. Now it is going pro, building out its $20/month collaboration tools for social media managers and scrappy teams. But it won’t forget its roots with teens, so it has dropped its pay-$6-to-remove-watermarks tier while keeping its core features free.

Eager to capitalize on the meme and mobile content business, CRV has just led an $11 million Series A round for Kapwing. It’s joined by follow-on cash from Village Global, Sinai and Shasta Ventures, plus new investors Jane VC, Harry Stebbings, Vector and the Xoogler Syndicate. CRV partners “the venture twins” Justine and Olivia Moore actually met Kapwing co-founder and CEO Julia Enthoven while they all worked at The Stanford Daily newspaper in 2012.

“As a team, we love memes. We talk about internet fads almost every day at lunch and pay close attention to digital media trends,” says Enthoven, who started the company with fellow Googler Eric Lu. “One of our cultural tenets is to respect the importance of design, art and culture in the world, and another one is to not take ourselves too seriously.” But it is taking on serious clients.

As Kapwing’s toolset has grown, it has seen paying customers coming from Amazon, Sony, Netflix and Spotify. Now only 13% of what’s made with it are traditional text-plus-media memes. “Kapwing will always be designed for creators first: the students, artists, influencers, entrepreneurs, etc. who define and spread culture,” says Enthoven. “But we make money from the creative professionals, marketers, media teams and office workers who need to create content for work.”


That’s why in addition to plenty of templates for employing the latest trending memes, Kapwing now helps Pro subscribers with permanent hosting, saving throughout the creation process and re-editing after export. Eventually it plans to sell enterprise licenses to let whole companies use Kapwing.


Copycats are trying to chip away at its business, but Kapwing will use its new funding to keep up a breakneck pace of development. Pronounced “Ka-Pwing,” like a bullet ricochet, it’s trying to stay ahead of Imgflip, ILoveIMG, Imgur’s on-site tool and more robust apps like Canva.

If you’ve ever been stuck with a landscape video that won’t fit in an Instagram Story, a bunch of clips you want to stitch together or the need to subtitle something for accessibility, you’ll know the frustration of lacking a purpose-built tool. And if you’re on mobile, there are even fewer options. Unlike some software suites you have to install on a desktop, Kapwing works right from a browser.


“‘Memes’ is such a broad category of media nowadays. It could refer to a compilation like the political singalong videos, animations like Shooting Star memes or a change in music like the AOC Dancing memes,” Enthoven explains. “Although they used to be edgy, memes have become more mainstream . . . Memes popularized new types of multimedia formats and made raw, authentic footage more acceptable on social media.”

As communication continues to shift from text to visual media, design can’t only be the domain of designers. Kapwing empowers anyone to storytell and entertain, whether out of whimsy or professional necessity. If big-name creative software from Adobe or Apple doesn’t simplify and offer easy paths through common use cases, they’ll see themselves usurped by the tools of the people.

Amazon launches Amazon Care, a virtual and in-person healthcare offering for employees

Amazon has gone live with Amazon Care, a new pilot healthcare service offering that is initially available to its employees in and around the Seattle area. The Amazon Care offering includes both virtual and in-person care, with telemedicine via app, chat and remote video, as well as follow-up visits and prescription drug delivery in person directly at an employee’s home or office.

First reported by CNBC, Amazon Care grew out of an initiative announced in 2018 with J.P. Morgan and Berkshire Hathaway to make a big change in how they all collectively handle their employee healthcare needs. The companies announced at the time that they were eager to put together a solution that was “free from profit-making incentives and constraints,” which are of course at the heart of private insurance companies that serve corporate clients currently.

Other large companies, like Apple, offer their own on-premise and remotely accessible healthcare services as part of their employee compensation and benefits packages, so Amazon is hardly unique in seeking to scratch this itch. The difference, however, is that Amazon Care is much more external-facing than those offered by its peers in Silicon Valley, with a brand identity and presentation that strongly suggests the company is thinking about more than its own workforce when it comes to a future potential addressable market for Care.


The Amazon Care logo.

Care’s website also provides a look at the app that Amazon developed for the telemedicine component, which shows the flow for choosing between text chat and video, as well as a summary of care provided through the service, with invoices, diagnosis and treatment plans all available for patient review.

Amazon lists Care as an option for a “first stop,” with the ability to handle things like colds, infections, minor injuries, preventative consultations, lab work, vaccinations, contraceptives and STI testing and general questions. Basically, it sounds like they cover off a lot of what you’d handle at your general practitioner, before being recommended on for any more specialist or advanced medical treatment or expertise.


Rendered screenshots of the Amazon Care app for Amazon employees.

Current eligibility is limited to Amazon employees who are enrolled in the company’s health insurance plan and who are located in the pilot service area. The service is currently available between 8 AM and 9 PM local time from Monday through Friday, and between 8 AM and 6 PM Saturday through Sunday.

Amazon acquired PillPack, an online pharmacy startup, last year for around $753 million, and that appears to be part of their core value proposition with Amazon Care, too, which features couriered prescribed medications and remotely communicated treatment plans.

Amazon may be limiting this pilot to employees at launch, but the highly-publicized nature of their approach, and the amount of product development that clearly went into developing the initial app, user experience and brand all indicate that it has the broader U.S. market in mind as a potential expansion opportunity down the line. Recent reports also suggest that it’s going to make a play in consumer health with new wearable fitness tracking devices, which could very nicely complement insurance and health care services offered at the enterprise and individual level. Perhaps not coincidentally, Walgreens, CVS and McKesson stock were all trading down today.

Trickbot Update: Brief Analysis of a Recent Trickbot Payload

Trickbot, as a malware family, dates back to 2016. In recent months we, and many others in the industry, have been observing something of an “awakening” or resurgence of widespread Trickbot campaigns. Trickbot started life as one of many specialized banking trojans. However, over the years, it has become far more robust. In many ways, Trickbot parallels the evolution of contemporary threats (such as Emotet) via its modular and expandable architecture.

In this write-up, we will focus on a recently intercepted sample of Trickbot, specifically highlighting the threat’s ongoing efforts to evade detection, and we will look at the current suite of modules installed with the analyzed sample(s).


Trickbot: Background and Sample Overview

Trickbot is distributed in multiple ways. It is common to see it dropped in tandem with (or, as a later stage in) Emotet and Ryuk ransomware infections. It can also be distributed via common exploit kits, as well as more traditional methods such as email phishing or drive-by download.

At the time of infection, Trickbot will typically

· Deposit configuration and supporting module data into %appdata%\roaming
· Establish persistence (e.g. via a scheduled task)
· Establish secure communications (TLS) with the C2
· Attempt to update/reconfigure relevant modules
· Attempt lateral movement via the “mworm” and “share” modules

Sample Details:

Size 852.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 43e5a4836f8b53e6155ac85ca6311d2e
SHA1 989ea2e24be32348b5d3bb536c41171afdd32d64
SHA256 ddb093214e73a1014ee03924e308267281b9f383ab85ea03c3d98dfeeec38a
Original Filename MSWDAT10.DLL
Compile Time 2019-09-16 23:23:41

This particular sample was downloaded by a malicious Office document (.docm) received via a phishing email.

Following a short built-in delay (approximately 3000 ms), the sample begins execution with the trojan dropping copies of itself into %ProgramData% and %AppData%.

As with other examples of Trickbot, the %AppData% directory ends up housing all the configuration files and encoded modules for the trojan.

In this sample, we also observe an RSA crypto routine for decrypting resources in RoamingCryptoRSA, used for self-protection and internal purposes.

Disabling Windows Defender

The sample manipulates the local policy to alter the behavior of PowerShell and Windows Defender. This specific behavior is not necessarily new to Trickbot. However, it is important to highlight this behavior to remind us of some of the “tricks” that this threat (and others) will use to increase exposure on affected hosts.

cmdline cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
cmdline cmd.exe /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
cmdline cmd.exe /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
cmdline cmd.exe /c powershell Set-MpPreference -DisablePrivacyMode $true
cmdline cmd.exe /c powershell Set-MpPreference -LowThreatDefaultAction 
cmdline cmd.exe /c powershell Set-MpPreference -ModerateThreatDefaultAction 
cmdline cmd.exe /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
cmdline cmd.exe /c sc delete WinDefend
cmdline cmd.exe /c sc stop WinDefend
cmdline cmd.exe /c powershell Set-MpPreference -DisableScriptScanning $true
cmdline cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
cmdline cmd.exe /c powershell Set-MpPreference -SevereThreatDefaultAction 

With PowerShell’s advanced logging features (ScriptBlock logging) we can see these events transpire.

All these commands are executed by powershell.exe via cmd.exe. The purpose of each is to chip away at the protections provided by Windows Defender and native OS controls. Each of these settings is well documented. In essence, they function as follows:

Setting                            Function
DisableIOAVProtection              Toggles scanning of downloaded files and attachments
DisableBlockAtFirstSeen            Toggles blocking of new/unknown files the first time they are seen
DisableIntrusionPreventionSystem   Toggles network exploit prevention
DisablePrivacyMode                 Toggles display/availability of threat history data to other users
LowThreatDefaultAction             Controls behavior on low-level threat detection
ModerateThreatDefaultAction        Controls behavior on moderate-level threat detection
DisableBehaviorMonitoring          Toggles Windows Defender behavioral monitoring and detection
DisableScriptScanning              Toggles scanning of scripts by Windows Defender
DisableRealtimeMonitoring          Toggles Windows Defender real-time detection
SevereThreatDefaultAction          Controls behavior on severe threat detection
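The command list and table above translate directly into a detection. The following is an added example (not code from the SentinelOne write-up) that scans process-creation or ScriptBlock log lines for Set-MpPreference switches that weaken Defender and for sc.exe tampering with the WinDefend service. The switch names come from the table above; the log lines are constructed to mirror the commands shown (the "Allow" value on the SevereThreatDefaultAction line is invented, since the write-up elides the actual value), and the "cmdline" prefix simply mimics the field label used above.

```python
"""Detect Defender-tampering commands in constructed process/ScriptBlock log lines.

Added example, not code from the SentinelOne write-up. The switch names come
from the Set-MpPreference table above; the log lines below are constructed.
"""
import re
from typing import Dict, List

# Switches that weaken Defender when set to $true (lower-cased for matching).
WEAKENING_SWITCHES = {
    "disableioavprotection": "download/attachment scanning disabled",
    "disableblockatfirstseen": "block-at-first-seen disabled",
    "disableintrusionpreventionsystem": "network exploit prevention disabled",
    "disableprivacymode": "threat history exposed to all users",
    "disablebehaviormonitoring": "behavior monitoring disabled",
    "disablescriptscanning": "script scanning disabled",
    "disablerealtimemonitoring": "real-time protection disabled",
}
# Any change to a default threat action is worth review, whatever the value.
ACTION_SWITCHES = {
    "lowthreatdefaultaction",
    "moderatethreatdefaultaction",
    "severethreatdefaultaction",
}
TRUE_VALUES = {"$true", "true", "1"}

SET_MP_RE = re.compile(r"Set-MpPreference\b(.*)", re.IGNORECASE)
SWITCH_RE = re.compile(r"-(\w+)(?:\s+(\$?\w+))?")  # -Name [value]
SC_RE = re.compile(r"\bsc(?:\.exe)?\s+(delete|stop|config)\s+WinDefend\b", re.IGNORECASE)


def inspect_command(cmdline: str) -> List[Dict[str, str]]:
    """Return one finding per Defender-weakening action in a single command line."""
    findings: List[Dict[str, str]] = []
    sc = SC_RE.search(cmdline)
    if sc:
        findings.append({"indicator": f"sc {sc.group(1).lower()} WinDefend",
                         "impact": "Defender service tampering"})
    mp = SET_MP_RE.search(cmdline)
    if mp:
        for name, value in SWITCH_RE.findall(mp.group(1)):
            key = name.lower()
            if key in WEAKENING_SWITCHES and value.lower() in TRUE_VALUES:
                findings.append({"indicator": f"-{name} {value}",
                                 "impact": WEAKENING_SWITCHES[key]})
            elif key in ACTION_SWITCHES:
                findings.append({"indicator": f"-{name} {value or '<no value>'}",
                                 "impact": "default threat action changed"})
    return findings


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run inspect_command over every line; tag each finding with its 1-based line number."""
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        for f in inspect_command(line):
            hits.append({"line": n, **f})
    return hits


# Constructed sample: lines 1-6 mirror the write-up's command list (the "Allow"
# value is invented; the write-up elides it), lines 7-9 are benign look-alikes.
SAMPLE_LOG = [
    "cmdline cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true",
    "cmdline cmd.exe /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true",
    "cmdline cmd.exe /c sc delete WinDefend",
    "cmdline cmd.exe /c sc stop WinDefend",
    "cmdline cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    "cmdline cmd.exe /c powershell Set-MpPreference -SevereThreatDefaultAction Allow",
    "cmdline powershell Get-MpPreference",
    "cmdline cmd.exe /c sc query WinDefend",
    "cmdline powershell Set-MpPreference -DisableRealtimeMonitoring $false",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['indicator']} -> {hit['impact']}")
```

Only `$true` on a Disable* switch is treated as a hit, so an administrator re-enabling protection with `$false` does not fire, and `Get-MpPreference` (the cmdlet to audit the current state after an incident) is ignored. Feed it real lines by reading the ScriptBlock (event 4104) or process-creation text into a list; the parser makes no assumption about what precedes the command.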

Persistence Mechanisms & Configuration

Trickbot employs multiple persistence mechanisms, including the creation of scheduled tasks. In this particular example, the trojan creates a task which is triggered upon startup and repeats every 11 minutes.
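The three traits of that task (triggered at startup, a short repeat interval, and a binary dropped under a profile or ProgramData path) are enough to triage a scheduled-task export. The following is an added example, not code from the write-up: it assumes the input is the verbose CSV from `schtasks /query /fo CSV /v` (column names as in that export), the 15-minute threshold is an assumption chosen to catch the 11-minute repeat seen here, and the CSV sample is constructed and trimmed to the columns used, with an invented task name and path.

```python
"""Triage a scheduled-task export for Trickbot-style persistence traits.

Added example, not code from the SentinelOne write-up. Assumed input: the
verbose CSV produced by `schtasks /query /fo CSV /v` (column names as in that
export). The sample below is constructed and trimmed to the columns used here;
the task name and binary path in it are invented.
"""
import csv
import io
import re
from typing import Dict, List, Optional

SAMPLE_CSV = (
    '"TaskName","Task To Run","Schedule Type","Repeat: Every","Run As User"\n'
    '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$",'
    '"Weekly","N/A","SYSTEM"\n'
    '"\\Sys Update Task","C:\\Users\\jdoe\\AppData\\Roaming\\sysupd\\payload.exe",'
    '"At system start up","0 Hour(s), 11 Minute(s)","jdoe"\n'
    '"\\Adobe Acrobat Update Task","C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe",'
    '"Daily","1 Hour(s), 0 Minute(s)","jdoe"\n'
)

STARTUP_RE = re.compile(r"start\s*up", re.IGNORECASE)
REPEAT_RE = re.compile(r"(\d+)\s*Hour\(s\),\s*(\d+)\s*Minute\(s\)", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"(\\AppData\\|\\ProgramData\\|%appdata%|%programdata%|%temp%|\\Temp\\)", re.IGNORECASE)
SHORT_REPEAT_MINUTES = 15  # assumption: anything this frequent is unusual for legitimate tasks


def repeat_minutes(text: str) -> Optional[int]:
    """Parse 'H Hour(s), M Minute(s)' into minutes; None for N/A or blank."""
    m = REPEAT_RE.search(text or "")
    return int(m.group(1)) * 60 + int(m.group(2)) if m else None


def triage(csv_text: str) -> List[Dict[str, object]]:
    """Score every task in the export; one point per persistence trait observed."""
    results: List[Dict[str, object]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons: List[str] = []
        if STARTUP_RE.search(row.get("Schedule Type", "")):
            reasons.append("triggered at system startup")
        mins = repeat_minutes(row.get("Repeat: Every", ""))
        if mins is not None and 0 < mins <= SHORT_REPEAT_MINUTES:
            reasons.append(f"repeats every {mins} minute(s)")
        if USER_WRITABLE_RE.search(row.get("Task To Run", "")):
            reasons.append("runs from a user-writable location")
        results.append({"task": row["TaskName"], "command": row["Task To Run"],
                        "user": row.get("Run As User", ""),
                        "score": len(reasons), "reasons": reasons})
    return results


def suspicious(csv_text: str, min_score: int = 2) -> List[Dict[str, object]]:
    """Tasks showing at least min_score traits (two is enough to warrant a look)."""
    return [r for r in triage(csv_text) if r["score"] >= min_score]


if __name__ == "__main__":
    for r in suspicious(SAMPLE_CSV):
        print(f"{r['task']} ({r['user']}): {'; '.join(r['reasons'])}")
```

Scoring rather than hard-matching keeps the output useful on a real host, where vendor updaters legitimately repeat hourly or run from ProgramData; a task hitting two or three traits at once is the pattern worth pulling the binary for.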


Per typical Trickbot infections, the trojan installs multiple modules and encoded configuration data in %appdata%\roaming.


We see, in this example, that we have the following:

Name Function
importDll64 Browser data stealer module
injectDll64 Handles web-injects, including support for several hundred banking/financial sites
mailsearcher64 Recon module that parses specific file types for “of interest” data
mshareDll64 Lateral movement / enumeration module via LDAP and SMB exploitation. Mshare and mworm modules work in cooperation
mwormDll64 Lateral movement / enumeration module via LDAP and SMB exploitation. Mshare and mworm modules work in cooperation
networkDll64 Recon module queries network specific environmental data
psfin64 Point-of-sale recon module
pwgrab64 Credential theft module (stored browser data)
systeminfo64 Recon module. Provides system-specific information and data to the C2
tabDll64 Credential theft module (mimikatz). Sometimes contains additional lateral movement code.

The SHA1 checksums for the DLL modules dropped by this sample are listed below:

Name SHA1
importDll64.dll cbd80eb5112a9560fbe7d9ce6fc0258af6415827
injectDll64.dll 452d1bd2c7108429a732f2d6c504a595989a91d8
mailsearcher64.dll 5e71926c1b704b13c42fd38f53aefed933d9c4ce
mshareDll64.dll 9d545c60a015a42668b33797e0274b8f7e374de9
mwormDll64.dll 1b8088f5ae6118fd948c50bf9269ba4d9ba1a781
networkDll64.dll 374b411a00f513b002902870e216e56186b8c9b8
psfin64.dll de9caa99ca6c4f7892b3b9dfb9c9747bd503d753
pwgrab64.dll 8ad57a9acfd3940f2b044c2ab7777f8d051941f0
systeminfo64.dll b8608d835faa4f5b3fe38e79c0b3a9e6a7f1811f
tabDll64.dll a6c0d73d47945bd6350bf698870aa7189e7085c7

Decoding Trickbot DLL Modules

By decoding the individual modules and their configuration/support files, we can gain further understanding of the data being targeted. The data decoded from the importDll64 module, shown below, is just a small fraction of the sites listed for interception by this particular module. This sample listed ~25,000 sites for targeting; the effective number is higher, since many entries use wildcard characters.

We can also dive into the specific web-injection attacks and targets by exploring the decoded configuration files for injectDll64. This part of the decoded injectdll64\dinj reveals a portion of the trojan’s web injects.

Here we see part of the decoded injectdll64\dpost, revealing the data exfiltration targets:

Part of the decoded mwormDll64 module:

Decoding the pwgrabDLL64 shows the sample’s password grabbing functionality:

SentinelOne Detection & Mitigation

SentinelOne’s advanced endpoint technology is able to prevent infection and further compromise at all stages of a Trickbot-based attack.

Through the SentinelOne Management console, we can drill deeper to see the specific flow and gather additional details. For example, below we see the Attack Story Line for a directly executed Trickbot payload.


Conclusion

Over the years, Trickbot has continued to evolve and weave itself in and out of the threat landscape. The most recent campaigns have been some of the more prolific and damaging across the history of this threat family. That being said, it can be stopped. Regardless of the delivery method (web drive-by download, phishing email, direct execution), the SentinelOne advanced endpoint solution can prevent infection and block any related malicious actions. If you’re not already protected by SentinelOne, contact us for a free demo and see how we can help autonomously protect your organization from today’s malware threats.

IOCs

PE hashes (SHA1)
D48649f60b0b3e96fb3b077d7af00d1b1a3fefe8
989ea2e24be32348b5d3bb536c41171afdd32d64
9dbd2d9465c2013dc920100feb2112c04103fd5a

Modules
cbd80eb5112a9560fbe7d9ce6fc0258af6415827 importDll64.dll
452d1bd2c7108429a732f2d6c504a595989a91d8 injectDll64.dll
5e71926c1b704b13c42fd38f53aefed933d9c4ce mailsearcher64.dll
9d545c60a015a42668b33797e0274b8f7e374de9 mshareDll64.dll
1b8088f5ae6118fd948c50bf9269ba4d9ba1a781 mwormDll64.dll
374b411a00f513b002902870e216e56186b8c9b8 networkDll64.dll
de9caa99ca6c4f7892b3b9dfb9c9747bd503d753 psfin64.dll
8ad57a9acfd3940f2b044c2ab7777f8d051941f0 pwgrab64.dll
b8608d835faa4f5b3fe38e79c0b3a9e6a7f1811f systeminfo64.dll
a6c0d73d47945bd6350bf698870aa7189e7085c7 tabDll64.dll

Network
212.80.216.142:443
170.238.117.187:8082
186.10.243.70:8082
190.119.180.226:8082
131.161.105.206:8082
103.116.84.44:8082
200.29.106.33:80
103.194.90.242:80
103.87.48.54:80
201.184.137.218:80
103.84.238.3:80
107.172.143.155:443
193.29.56.122:443
192.227.142.155:443
23.94.204.80:443
185.222.202.49:443
104.244.73.115:443

MITRE ATT&CK Trickbot
Application has registered itself to become persistent via scheduled task. MITRE: Persistence {T1084}
Shellcode execution was detected. MITRE: Execution {T1106, T1064}
PowerShell {T1086}
Process Hollowing {T1093}
Exfiltration Over Command and Control Channel {T1041}
Disabling Security Tools {T1089}


Programmer who took down open-source pieces over Chef ICE contract responds

On Friday afternoon Chef CEO Barry Crist and CTO Corey Scobie sat down with TechCrunch to defend their contract with ICE after a firestorm on social media called for them to cut ties with the controversial agency. On Sunday, programmer Seth Vargo, the man who removed his open-source components, which contributed to a partial shutdown of Chef’s commercial business for a time last week, responded.

While the Chef executives stated that the company was in fact the owner, Vargo made it clear he owned those pieces and he had every right to remove them from the repository. “Chef (the company) was including a third-party software package that I owned. It was on my personal repository on GitHub and personal namespace on RubyGems,” he said. He believes that gave him the right to remove them.

Chef CTO Corey Scobie did not agree. “Part of the challenge was that [Vargo] actually didn’t have authorization to remove those assets. And the assets were not his to begin with. They were actually created under a time when that particular individual [Vargo] was an employee of Chef. And so therefore, the assets were Chef’s assets, and not his assets to remove,” he said.

Vargo says that simply isn’t true and Chef misunderstands the licensing terms. “No OSI license or employment agreement requires me to continue to maintain code of my personal account(s). They are conflating code ownership (which they can argue they have) over code stewardship,” Vargo told TechCrunch.

As further proof, Vargo added that he has even included detailed instructions in his will on how to deal with the code he owns when he dies. “I want to make it absolutely clear that I didn’t “hack” into Chef or perform any kind of privilege escalation. The code lived in my personal accounts. Had I died on Thursday, the exact same thing would have happened. My will requests all my social media and code accounts be deleted. If I had deleted my GitHub account, the same thing would have happened,” he explained.

Vargo said that Chef actually was in violation of the open-source license when they restored those open-source pieces without putting his name on it. “Chef actually violated the Apache license by removing my name, which they later restored in response to public pressure,” he said.

Scobie admitted that the company did forget to include Vargo’s name on the code, but added it back as soon as they heard about the problem. “In our haste to restore one of the objects, we inadvertently removed a piece of metadata that identified him as the author. We didn’t do that knowingly. It was absolutely a mistake in the process of trying to restore customers and our global customer base service. And as soon as we were notified of it, we reverted that change on this specific object in question,” he said.

As for why he took down the open-source components, Vargo says he was taking a moral stand against the contract, which dates back to the Obama administration. He also explained that he attempted to contact Chef through multiple channels before taking action. “First, I didn’t know about the history of the contract. I found out via a tweet from @shanley and subsequently verified via the USA spending website. I sent a letter and asked Chef publicly via Twitter to respond multiple times, and I was met with silence. I wanted to know how and why code in my personal repositories was being used with ICE. After no reply for 72 hours, I decided to take action,” he said.

Since then, Chef’s CEO Barry Crist has made it clear he was honoring the contract, which Vargo felt further justified his actions. “Contrary to Chef’s CEO’s publicly posted response, I do think it is the responsibility of businesses to evaluate how and for what purposes their software is being used, and to follow their moral compass,” he said.

Vargo has a long career helping build development tools and contributing to open source. He currently works for Google Cloud. Previous positions include HashiCorp and Chef.

Chef CEO does an about-face, says company will not renew ICE contract

After stating clearly on Friday that he would honor a $95,000 contract with ICE, CEO Barry Crist must have had a change of heart over the weekend. In a blog post this morning he wrote that the company would not be renewing the contract with ICE after all.

“After deep introspection and dialog within Chef, we will not renew our current contracts with ICE and CBP when they expire over the next year. Chef will fulfill our full obligations under the current contracts,” Crist wrote in the blog post.

He also backed off the seemingly firm position he took on Friday on the matter when he told TechCrunch, “It’s something that we spent a lot of time on, and I want to represent that there are portions of [our company] that do not agree with this, but I as a leader of the company, along with the executive team, made a decision that we would honor the contracts and those relationships that were formed and work with them over time,” he said.

Today, he acknowledged that intense feelings inside the company against the contract led to his decision. The contract began in 2015 under the Obama administration and was aimed at modernizing programming approaches at DHS, but over time, as ICE family separation and deportation policies have come under fire, there were calls internally (and later externally) to end the contract. “Policies such as family separation and detention did not yet exist [when we started this contract]. While I and others privately opposed this and various other related policies, we did not take a position despite the recommendation of many of our employees. I apologize for this,” he wrote.

Crist also indicated that the company would be donating the revenue from the contracts to organizations that work with people who have been affected by these policies. It’s a similar approach to the one Salesforce took when 618 of its employees protested a contract the company has with the Customs and Border Patrol (CBP). In response to the protests, Salesforce pledged $1 million to organizations helping affected families.

After a tweet last week exposed the contract, protests began on social media and culminated in programmer Seth Vargo removing pieces of open-source code from the repository in protest. The company had sounded firmly committed to fulfilling the contract in spite of the widespread backlash it was facing both inside and outside the company.

Vargo told TechCrunch in an interview that he saw this issue in moral terms, “Contrary to Chef’s CEO’s publicly posted response, I do think it is the responsibility of businesses to evaluate how and for what purposes their software is being used, and to follow their moral compass,” he said. Apparently Crist has come around to this point of view. Vargo chose not to comment on the latest development.

TechCrunch Disrupt offers plenty of options for attendees with an eye on the enterprise

We might have just completed a full-day program devoted completely to enterprise at TechCrunch Sessions: Enterprise last week, but that doesn’t mean we plan to sell that subject short at TechCrunch Disrupt next month in San Francisco. In fact, we have something for everyone, from startups to established public companies and everything in between, along with investors and industry luminaries to discuss all things enterprise.

SaaS companies have played a major role in enterprise software over the last decade, and we are offering a full line-up of SaaS company executives to provide you with the benefit of their wisdom. How about Salesforce chairman, co-CEO and co-founder Marc Benioff for starters? Benioff will be offering advice on how to build a socially responsible, successful startup.

If you’re interested in how to take your startup public, we’ll have Box CEO Aaron Levie, who led his company to IPO in 2015, and Jennifer Tejada, CEO at PagerDuty, who did the same just this year. The two executives will discuss the trials and tribulations of the IPO process and what happens after you finally go public.

Meanwhile, Cal Henderson, co-founder and CTO of Slack, another SaaS company that recently IPOed, will be discussing how to build great products with Megan Quinn from Spark Capital, a Slack investor.

Speaking of investors, Neeraj Agrawal, a general partner at Battery Ventures, joins us on a panel with Whitney Bouck, COO at HelloSign, and Jyoti Bansal, CEO and founder of Harness (as well as former CEO and co-founder of AppDynamics, which was acquired by Cisco in 2017 for $3.7 billion just before it was supposed to IPO). They will be chatting about what it takes to build a billion-dollar SaaS business.

Not enough SaaS for you? How about Diya Jolly, Chief Product Officer at Okta discussing how to iterate your product?

If you’re interested in security, we have Dug Song from Duo, whose company was sold to Cisco in 2018 for $2.35 billion, explaining how to develop a secure startup. We will also welcome Nadav Zafrir from Israeli security incubator Team 8 to talk about the intriguing subject of when spies meet security on our main stage.

You probably want to hear from some enterprise company executives too. That’s why we are bringing Frederic Moll, chief development officer for the digital surgery group at Johnson & Johnson, to talk about robots; Marillyn A. Hewson, chairman, president and CEO at Lockheed Martin, to discuss the space industry; and Verizon CEO Hans Vestberg to go over the opportunity around 5G.

We’ll also have seasoned enterprise investors Mamoon Hamid from Kleiner Perkins and Michelle McCarthy from Verizon Ventures acting as judges at the TechCrunch Disrupt Battlefield competition.

If that’s not enough for you, there will also be enterprise startups involved in the Battlefield and Startup Alley. If you love the enterprise, there’s something for everyone. We hope you can make it.
