Mikko missed VB2015 this year… allegedly.


On September 10, 2015 the US House (Select) Intelligence Committee held a hearing on World Wide Cyber Threats.

House (Select) Intelligence Committee Hearing on World Wide Cyber Threats – September 10, 2015

“Global Cyber Threats”

In his opening statement, ranking member Adam B. Schiff commented on the purpose of the Protecting Cyber Networks Act – the US House’s version of CISA.

House (Select) Intelligence Committee Hearing on World Wide Cyber Threats – Transcript

Source: C-SPAN

Here’s the full relevant text.

House (Select) Intelligence Committee Hearing on World Wide Cyber Threats – Schiff Opening Statement


So there you have it, the purpose of CISA is “to share malware.”

Q: And should you believe that?

A: Yeah, that’s its purpose: information sharing equals sharing malware samples.

Q: Is CISA a surveillance bill?

A: No it isn’t… not from where I sit at least.

Q: But is CISA a good bill?

A: No, I don’t think so.

Q: Why?

A: Because from my point of view, CISA appears to be nothing more than corporate welfare for the military-digital complex.

Q: Will CISA become law?

A: All signs point to… yes.


CryptoWall’s “Customer Journey” Sounds Like A Real Nightmare

The latest episode of Radiolab has what is without a doubt the best malware victim interview I’ve ever heard. Inna Simone’s computer was infected by CryptoWall late last year and based on her telling of it, the worst part of the experience was trying to buy the Bitcoin she needed to pay off the extortionists. In her words she was a “double victim!”.

CryptoWall Decrypter Service

Inna’s daughter, journalist Alina Simone, wrote about the experience in the January 2, 2015 edition of the New York Times. Both later appeared in an 8 minute segment on the April 18, 2015 airing of PBS NewsHour. But to get the full effect of Inna’s darkly humorous point of view, listen to the Radiolab story.

Here’s a screenshot of the related CryptoWall “Decrypter Service” which includes recommendations for numerous Bitcoin vendors.

CryptoWall Decrypter Service Instructions

“Although it’s not yet easy to buy bitcoins, it’s getting simpler every day.”

So, just how many people have been in the same situation as Inna? Good numbers are difficult to come by, but at least 82,000 people have watched this CryptoWall Decrypter demo video.

YouTube Statistics CryptoWall Decrypter

In the image above, do you see the dip in daily views during January? Looks to me like CryptoWall took time off for Orthodox Christmas.

The amount of money CryptoWall demands varies based on location, but $500 USD seems to be fairly common. At that amount, if just 10 percent of 82,000 people pay, it’s worth 4.1 million dollars to the gang of extortionists.

Or a “little fee” as “Goldpis Isda” calls it.

Google Plus Goldpis Isda


The Dukes: 7 Years Of Russian Cyber-Espionage

The Dukes

Today we release a new whitepaper on an APT group commonly referred to as “the Dukes”. We believe that the Dukes are a well-resourced, highly dedicated, and organized cyber-espionage group that has been working for the Russian government since at least 2008 to collect intelligence in support of foreign and security policy decision-making.

The Dukes (sometimes also referred to as APT29) are known to employ a wide arsenal of malware toolsets including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka HAMMERTOSS [PDF]).

Despite the extensive technical research by us and others into many of the toolsets of the Dukes, we felt that we were still missing crucial parts of the story. Meanwhile, others had envisioned how the story might look, but had concluded that “it is difficult to lead the defense against that which one is not aware of or does not comprehend.” (Maldre, 2015)

With this in mind, we recently set out on a journey back through all of our previous research on the Dukes looking for clues and threads that we might have missed or whose importance we might not have understood at the time. Through this process, we were able to uncover clues pointing to the existence of two previously unidentified Duke malware toolsets, PinchDuke and GeminiDuke.

Timeline of known activity for the various Duke toolkits.

While we had previously analyzed malware from both toolsets, what we hadn’t understood at the time was their context. With the discovery of new clues such as these two toolsets, we went rummaging through our troves of old malware searching for cases that we had previously not known to attribute to the Dukes. Through this process of proverbial connect-the-dots, we were able to slowly build a bigger, better picture of the Dukes and uncover new details of their over 7 years of activities.

The whitepaper [PDF], with all of these juicy details (plus sample hashes), is available here.

The Dukes – TLP: White

Another LinkedIn Sockpuppet

According to LinkedIn, 11 of my connections can introduce me to someone who “knows” Anna.


Sr Researcher at “Head Hunter”.

I’m not so sure about that.

According to IMDb, Anna Sentina is really Anna Akana.


Anna’s IMDb profile.

Maybe LinkedIn should start charging to “verify” recruiter accounts?

At the moment, there’s zero overhead when creating a recruiter sockpuppet. Adding at least some amount of cost would do two things. First, it would add value to actual recruiters. And second, it would help clean out the fakes as LinkedIn’s security team could then scrutinize the accounts of so-called recruiters who decide not to verify. Alternatively, accounts claiming to be recruiters that aren’t verified could be labeled as “unverified”.

But that’s probably not going to happen anytime soon. So for now, try to be selective with your LinkedIn connections.


Related: LinkedIn Sockpuppets Are Targeting Security Researchers

Can the “Speakularity” Be Secured?

In December 2010, journalist Matt Thompson predicted a future in which “automatic speech transcription will become fast, free, and decent.” He called this future the “Speakularity” – playing on the concept of the technological singularity.

In Thompson’s words:

“So much of the raw material of journalism consists of verbal exchanges — phone conversations, press conferences, meetings. One of journalism’s most significant production challenges, even for those who don’t work at a radio company, is translating these verbal exchanges into text to weave scripts and stories out of them.”

“After the Speakularity, much more of this raw material would become available. It would render audio recordings accessible to the blind and aid in translation of audio recordings into different languages. Obscure city meetings could be recorded and auto-transcribed; interviews could be published nearly instantly as Q&As; journalists covering events could focus their attention on analyzing rather than capturing the proceedings.”

“Imagine if that capability were opened up to citizens — if every on-air utterance of every pundit, politician, or policy wonk were searchable on Google.”

But that capability wouldn’t be open to just good citizens…


Writing in the September 3rd issue of Nautilus, James Somers takes a deep dive into the idea and asks: will recording every spoken word help or hurt us?

He imagines a near future in which all business meetings are transcribed as part of “The Record”.

“We are going to start recording and automatically transcribing most of what we say. Instead of evaporating into memory, words spoken aloud will calcify as text, into a Record that will be referenced, searched, and mined. It will happen by our standard combination of willing and allowing. It will happen because it can. It will happen sooner than we think.”

“It will make incredible things possible. Think of all the reasons that you search through your email. Suddenly your own speech will be available in just the same way.”

Sounds wonderful? Not so fast.

“[Consider] what it might be like to live in a society where everything is recorded. There is an episode of the British sci-fi series Black Mirror set in a world where Google Glass–style voice and video recording is ubiquitous. It is a kind of hell.”

A kind of hell. Indeed. It’s already difficult enough for people to forgive and forget. Imagine the difficulty doing so if your spoken words are immortalized.

But let’s not overreact just yet.

“Between these visions of heaven and hell lies the likely truth: When something like the Record comes along, it won’t reshape the basic ways we live and love. It won’t turn our brains to mush, or make us supermen. We will continue to be our usual old boring selves, on occasion deceitful, on occasion ingenuous. Yes, we will have new abilities—but what we want will change more slowly than what we can do.”

Yes, let’s hope.

CBC’s Spark interviews Somers here:

Something like the Speakularity is getting closer, I think. Auto-transcribing business conferencing services seem very much like something the lifeloggers among us will want to use if and when they become available. And when there are people who want to use them, somebody will build them.

So that causes me to consider this important question… can the Speakularity be secured?

It’s not difficult to imagine people discussing corporate strategy and other sensitive proprietary information indiscriminately within earshot of a microphone. After all, they already do. (Phones.) Fortunately, it’s not trivial to hack everybody’s phone and it generally requires expensive tools.

But imagine if searchable audio of personal, corporate, and government speech is just sitting somewhere in the cloud, there for the taking. Today’s data breaches could look like small potatoes by comparison.


Freedome Tracking Protection Comparison

Labs Fellow Edilberto Cajucom recently tested¹ our Freedome VPN’s Tracking Protection feature to measure its effect on the page load speed and size of numerous popular sites.

Here’s a graph of speed comparisons using a subset of sites from Alexa’s news category.

Page Load Speed Comparison


As you can see, there’s quite a measurable effect on several sites; Huffington Post and USA Today loaded in half the time (2.1x faster). Conclusion: blocking trackers saves time.

And here’s a graph of size comparisons.

Page Load Size Comparison


With Tracking Protection enabled, CNNMoney only loaded 1.4MB compared to 3MB. AccuWeather loaded 10.4MB compared to 17.3MB. Conclusion: blocking trackers saves bandwidth.

Happy surfing Freedome lovers!


¹ The testing was done from our Helsinki-based lab via Freedome’s Netherlands-based exit node.

Apple iOS 9 Security Features

Apple’s September Event 2015 takes place today so 9/9 = iOS 9 announcements.

Apple is promising improved security with iOS 9. Implementing six-digit passcodes for Touch ID is one well publicized example.

iOS 9 improved security

Source: Apple

Security researcher Frederic Jacobs has an excellent summary of other documented changes on Medium.

A small change that I’ve noticed while testing iOS 9’s public beta is related to Windows¹.

This is the prompt you’ll see when connecting an iOS 9 device to a computer with iTunes installed (which includes anything running OS X).

And this is the prompt you’ll see when connecting an iOS 9 device to a (Windows) computer with no iTunes drivers installed.

iOS 9, Allow this device to access photos and videos?

Allow this device to access photos and videos?

It’s a subtle but interesting difference. Allow implies limited access, whereas trust implies something greater. There have been cross-platform malware attempts aimed at iOS in the past. With this allow prompt, a careful observer could determine when such cross-platform malware is present. If you connect your iOS 9 device to a Windows computer that you know doesn’t have iTunes installed and are asked to trust… don’t.

Another small but very welcome change that I wrote about in July is a new Safari feature.

Scam sites attempting to lock Safari into an endless loop of JavaScript alert dialogs will find their efforts foiled by Safari’s new option to “Block Alerts”.

iOS 9 Safari, Block alerts from?

Block alerts from?

All in all iOS 9 looks good. I hope to see some more security info during Apple’s event today, and I’m looking forward to iOS 9’s public release scheduled for September 16th.


¹ Testing with Kali Linux yielded a “trust” prompt.

Sofacy Recycles Carberp and Metasploit Code

1. Introduction

The Sofacy Group (also known as Pawn Storm or APT28) is well known for deploying zero-day exploits in their APT campaigns. For example, two recent zero-days used by the Sofacy Group exploited vulnerabilities in Microsoft Office (CVE-2015-2424) and Java (CVE-2015-2590).

If the exploit is successful, it installs a Sofacy downloader component, which is different from what we have seen before. This downloader was based on the notorious Carberp source code, which leaked out into the public domain in the summer of 2013.

1.1 Bootstrapped Firefox Add-on

Aside from zero-day exploits, we have also encountered the Carberp-based downloader deployed via other means, such as a bootstrapped Firefox add-on, during spring this year. But what is a bootstrapped add-on? According to Mozilla, it is a type of add-on that you can install and use without needing to restart the browser.

The installation of this Sofacy add-on mostly relies on social engineering. When the user visits the malicious or compromised website, they are prompted to install the add-on.

HTML5 Rendering Enhancements 1.0.

Figure 1: Sofacy HTML5 Rendering Enhancements add-on

The main code is stored in the bootstrap.js file within the add-on package. Once the add-on is activated, the JavaScript will download the Sofacy Carberp-based downloader from the following URL:


The payload will be saved locally as vmware_manager.exe.

This bootstrapped add-on technique isn’t entirely new: it has been documented since 2007 and has been used mostly by potentially unwanted applications. However, this is the first time that we have seen Sofacy use this method. Most of the code in Sofacy’s bootstrap.js file was copied directly from Metasploit, including the GUID {d0df471a-9896-4e6d-83e2-13a04ed6df33} and the add-on name “HTML5 Rendering Enhancements”, whereas the section that downloads the payload was copied from one of Mozilla’s code snippets.

2. Technical information about the dropper and DLL

The exploit document or add-on carries a simple PE executable, which installs an embedded DLL on the system. The executable is around 100KB in size and is not packed with any file compressor, but the DLL is compressed using the standard Windows APIs and decompressed with RtlDecompressBuffer before being dropped on disk. One notable feature common to all the samples we’ve seen is a temporary file named jhuhugit.temp. This filename is about the only clear-text string in the EXE; most of the other strings are obfuscated with a XOR algorithm using a fixed 11-byte key. Another interesting string appearing in some of the samples is the encryption key “bRS8yYQ0APq9xfzC”. This happens to be one of the fixed “main passwords” found in the Carberp source GitHub tree.

The DLL is executed with the system executable rundll32.exe, by running an export named “init”. The DLL itself doesn’t have much functionality: it simply sits in a loop, querying one of its fixed C2 servers every 30 minutes. We haven’t yet been able to retrieve any live payloads from the servers, but based on the code, the DLL would execute the payloads exactly the way it was itself executed in the first place. The C2 server addresses and other configuration data are obfuscated using the same 11-byte XOR key algorithm. Nothing really fancy so far, but the same Carberp password, also used by all the DLLs we’ve seen, got us curious enough to find out what the connection is.

By carefully reverse engineering the DLL, it became apparent that this family is based on the Carberp source code. The code repository is not exactly the same as what can be found on GitHub, but close enough to support such claims, as we’ll see later. Features of this Sofacy downloader that are based on the Carberp sources include the API resolving algorithm and the code injection mechanism. The algorithm used for generating random URLs is also loosely based on Carberp.

3. Comparison to Carberp source code

3.1. API resolving algorithm

In the public Carberp source code, APIs are resolved at run time using code constructs like this:

#define pLoadLibraryA   pushargEx< DLL_KERNEL32, 0xC8AC8026, 2 >

In this example, the function pLoadLibraryA is defined by another function, pushargEx, which gets the following arguments:

  • Module identifier is DLL_KERNEL32 in this example
  • Function name hash is C8AC8026, which is calculated at run time
  • Function cache index is 2

The function pushargEx has multiple definitions, one for each possible number of function arguments. Here is an example of the definition for 5 arguments:

// Template header reconstructed from the #define above: h, hash and CacheIndex
// are the template arguments, A..E the types of the five call arguments.
template< int h, DWORD hash, int CacheIndex, typename A, typename B, typename C, typename D, typename E >
inline LPVOID pushargEx(A a1, B a2, C a3, D a4, E a5)
{
    typedef LPVOID (WINAPI *newfunc)(A, B, C, D, E);
    // Resolve the API by module identifier, name hash and cache index, then call it
    newfunc func = (newfunc)GetProcAddressEx2( NULL, h, hash, CacheIndex );
    return func(a1, a2, a3, a4, a5);
}

pushargEx ends up calling the function GetProcAddressEx2, which locates the API function address based on the name hash; that address is then called. The purpose of this construct is to be able to use standard Win32 API functions normally in the code, just by putting the character ‘p’ at the beginning of the name. The resulting compiled code is not very easy to read, which slows down the reverse engineering process. It has the additional benefit of making the code truly position independent, which is useful for code injection.

Carberp’s source tree includes a list of API hashes, and the corresponding cache indexes in a nice list like this.

Carberp API list.

Figure 2: Carberp API list

Now back to the Sofacy binary code. It is apparent from the decompiled example snippet that it uses the same hashing algorithm and index numbering.

Sofacy GetModuleHandleA

Figure 3: Sofacy GetModuleHandleA

GetModuleHandleA is just one of the many functions resolved dynamically by Sofacy. But they all match the Carberp source code exactly: the hashes and arguments match, as does the indexing (see index number #43 in Figure 2).

Looking further into the API resolver, we can observe striking similarities in the functions named GetProcAddressEx and GetProcAddressEx2. Here’s a screenshot of GetProcAddressEx2 from the Carberp sources and the decompiled code from a Sofacy binary, side by side.

GetProcAddressEx2 from Carberp and Sofacy.

Figure 4: GetProcAddressEx2 from Carberp and Sofacy

And here’s a similar comparison for GetProcAddressEx from Carberp sources and decompiled code from a Sofacy binary.

GetProcAddressEx from Carberp and Sofacy

Figure 5: GetProcAddressEx from Carberp and Sofacy

In the decompiled code snippets, all the function names and variables have been named according to the Carberp sources on purpose, just for the sake of demonstration.

3.2. Code injection

Sofacy uses code injection for all networking code by injecting its own functions into browser processes. The processes are located using the Carberp process name hashing algorithm. The purpose of this setup is most likely to get around personal firewalls and other behavior detection systems.

The injection starts with a function named InjectIntoProcess, which opens a process, injects code with InjectCode4 and runs it with CreateRemoteThread. Below is a snippet from Carberp.

InjectCode4 from the Carberp source.

Figure 6: InjectCode4 from the Carberp source

InjectIntoProcess and InjectCode4 from the Sofacy binary combine this functionality.

InjectIntoProcess from Sofacy

Figure 7: InjectIntoProcess from Sofacy


Figure 8: InjectCode4 from Sofacy

3.3. Mysterious Main Password

In the Carberp sources, there exists a password called MainPassword, RC2_Password or DebugPassword. One of the possible values of this password is “bRS8yYQ0APq9xfzC”, which is also used by Sofacy. In Carberp, the purpose of this password is, for example, encrypting HTTP traffic. In Sofacy, however, it is used in quite a different manner. Sofacy has a modified algorithm for API resolution that uses the same password. In Carberp, the resolver has a clear-text list of DLL names, which the index parameter in GetProcAddressEx2 refers to. In Sofacy, this list is obfuscated with a simple XOR-based algorithm, using the Carberp “main password”.
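The two constructs just described, hash-based API resolution (section 3.1) and XOR obfuscation keyed with the Carberp main password or with the fixed 11-byte string key (sections 2 and 3.3), seen from the analyst’s side. The following is an added example, not code from this post, from the Carberp tree or from any Sofacy sample. Since the post does not give Carberp’s name-hashing algorithm, the ror13_hash function below is a stand-in of the same shape (a 32-bit rotate-and-add over the ASCII name); modelling the obfuscation as plain repeating-key XOR, the sample export list, the sample DLL list and the 11-byte key “constructed” are likewise assumptions made for the example.

```python
"""Analyst helpers: precompute an API hash table like the Carberp list in
Figure 2, decode a XOR-obfuscated DLL-name list, and recover a fixed XOR
key from one known string. Added example; assumptions are marked inline."""

MAIN_PASSWORD = b"bRS8yYQ0APq9xfzC"   # Carberp "main password" quoted in the post
STRING_KEY = b"constructed"           # constructed 11-byte stand-in for the real string key


def ror13_hash(name: bytes) -> int:
    """Stand-in 32-bit API-name hash (assumption: not Carberp's real algorithm)."""
    h = 0
    for c in name:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13 bits
        h = (h + c) & 0xFFFFFFFF
    return h


def build_hash_table(export_names, hash_fn=ror13_hash):
    """Precompute hash -> name over a DLL's export list: the table an analyst
    needs to turn hashes found in a binary back into API names (cf. Figure 2)."""
    return {hash_fn(n.encode("ascii")): n for n in export_names}


def resolve_hash(api_hash, table):
    """Return the export name behind a hash, or None if it is not in the table."""
    return table.get(api_hash)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; it is its own inverse, so it both obfuscates and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_dll_list(blob: bytes, key: bytes = MAIN_PASSWORD):
    """Decode a NUL-separated DLL-name list obfuscated with the main password
    (assumption: the Sofacy resolver's XOR scheme is modelled as repeating-key XOR)."""
    return [s.decode("ascii") for s in xor_with_key(blob, key).split(b"\0") if s]


def recover_key_from_crib(blob: bytes, crib: bytes, offset: int, key_len: int):
    """Recover repeating-key XOR key bytes from one plaintext string known to sit
    at a given offset (e.g. a DLL or export name); uncovered positions stay None."""
    key = [None] * key_len
    for i, c in enumerate(crib):
        key[(offset + i) % key_len] = blob[offset + i] ^ c
    return key


# --- constructed sample data (not taken from a real sample) -----------------
SAMPLE_EXPORTS = ["LoadLibraryA", "GetModuleHandleA", "GetProcAddress", "VirtualAlloc"]
SAMPLE_DLL_BLOB = xor_with_key(b"kernel32.dll\0ntdll.dll\0wininet.dll\0", MAIN_PASSWORD)
SAMPLE_STRING_BLOB = xor_with_key(b"rundll32.exe", STRING_KEY)


def demo():
    """Run the three steps on the constructed data; returns (name, dll list, key)."""
    table = build_hash_table(SAMPLE_EXPORTS)
    resolved = resolve_hash(ror13_hash(b"GetModuleHandleA"), table)
    dlls = recover_dll_list(SAMPLE_DLL_BLOB)
    # a 12-byte crib covers every position of an 11-byte repeating key
    key = recover_key_from_crib(SAMPLE_STRING_BLOB, b"rundll32.exe", 0, len(STRING_KEY))
    return resolved, dlls, bytes(key)


if __name__ == "__main__":
    resolved, dlls, key = demo()
    print(f"hash {ror13_hash(b'GetModuleHandleA'):08x} -> {resolved}")
    print("decoded DLL list:", dlls)
    print("recovered string key:", key)
```

A precomputed table of this kind is what lets an analyst label the hashes seen in Figure 3 with the names in Figure 2, once the real hash function has been lifted from the binary; the crib-based recovery shows why a fixed XOR key offers little protection, since a single obfuscated string whose plaintext is predictable (a DLL name, an export name such as “init”) gives the key back directly.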

4. Conclusions

Based on the analysis presented in this blog post, it should now be evident that the new Sofacy downloader is based on Carberp source code. However, there are also some very strong differences, for example the API resolver and its use of the Carberp main password. What can we conclude about this connection? We think it means the Sofacy gang has a private source tree of Carberp source code. The use of the password for protecting DLL names in the resolver suggests that the source is more recent than what is publicly available on GitHub. Does it mean the Sofacy gang just cloned the source tree and continued development, or is it developed further by somebody else somewhere behind the scenes? That, we don’t know yet. But the Sofacy connection, in addition to recent incidents by Anunak/Carbanak (also based on Carberp), indicates that Carberp is still alive and kicking.

5. Hashes






5c3e709517f41febf03109fa9d597f2ccc495956 (decompiled code examples)

Buy Your Freedome With Cash Money

Our Freedome sales team ran a special promotion over the weekend and when I Tweeted about it, several people asked about the privacy of our payments processor. Short answer is this: we don’t get any access to your personal information. But what if you still don’t want to deal with ecommerce? No problem.

You can buy Freedome with cash money.

Cash can buy your Freedome.

Bitcoin not required.

Let’s say you’re in Germany. Just go visit one of cyberport.de or notebooksbilliger.de’s physical locations and pick up a box.

Freedome for sale.

Freedome (code) inside a box.

The box is available at finer retailers in several regions, Tweet at @FreedomeVPN for more info.


Today’s Best Email

Software engineers automate everything… Goodbye “Markov”!


LinkedIn Sockpuppets Are Targeting Security Researchers

Multiple LinkedIn accounts recently targeted numerous security specialists in an attempt to map their social graphs. Several of our researchers received these LinkedIn invitations themselves and Daavid from our Threat Intelligence team decided to investigate. Here’s an example of one so-called “recruiter” account. Areas of interest include pen testing and social engineering? You don’t say. […]


You’ve Got Robot Mail

I listened to the BBC World Service’s Click podcast this morning during my commute and learned that Posti (Finland’s postal services provider) is testing drone delivery. Posti has a video of the “robottikopteri” in action on its YouTube channel. Coincidentally, on my walk home last night, I heard the sound of a quadcopter flying around […]


Trackers Are Out Of Control

Modern web analytics and tracking are completely out of control. And it’s not even a privacy issue for me at this point – it’s more about usability. Trackers are practically recreating the “dial-up Internet” experience. (Ask your parents, kids.) It’s 2015 – but a lot of websites load like it’s 1999. And it seems like […]


Visiting INTERPOL’s New Complex

Su Gim Goh from our Malaysian lab and I had a chance this week to visit INTERPOL’s new Global Complex for Innovation, which is located in Singapore. Inside, a fleet of analysts from around the world investigate international crime – including cyber-crime. While we can’t go into details, it was nevertheless impressive to see the level of […]


Amazon Says No To Flash Ads

Flash-based malvertising has run amok lately. So it was only a matter to time before something like this was announced: “Beginning September 1, 2015, Amazon no longer accepts Flash ads on Amazon.com, AAP, and various IAB standard placements across owned and operated domains.” Amazon is doing more than banning Flash. For example… Content must only […]


It’s A Trap!

Be careful out there. Simple bait often works best… Here’s an example of some current spam with an Excel file attachment named: Payment instruction & Swift.xls The Excel file attachment contains malicious Macro programming which will attempt to download and install DarkComet RAT. F-Secure detects this attachment (and others like it) as W97M.Downloader.C. Nasty stuff. […]


About The Security Content Of iOS 8.4.1

Whenever there’s a new version of iOS, I always like to know more about the security updates. Apple Support hosts the main Apple security updates page. From there you can find the update information for iOS 8.4.1, which addresses 71 vulnerabilities. This update is not very large in file size, so all things considered, it’s […]


Malware On The Water

Never seen this before: lyrics for first verse of Deep Purple's "Smoke on the Water" embedded in a malware sample pic.twitter.com/iHlO2Ef2tl — Artturi Lehtiö (@lehtior2) August 13, 2015


Duke APT Group’s Latest Tools: Cloud Services and Linux Support

Recent weeks have seen the outing of two new additions to the Duke group’s toolset, SeaDuke and CloudDuke. Of these, SeaDuke is a simple trojan made interesting by the fact that it’s written in Python. And even more curiously, SeaDuke, with its built-in support for both Windows and Linux, is the first cross-platform malware we […]