Kategorie

A vulnerability allowed researchers to brute-force any Google account's recovery phone number simply by knowing a their profile name and an easily retrieved partial phone number, creating a massive risk for phishing and SIM-swapping attacks. [...]

SentinelOne has shared more details on an attempted supply chain attack by Chinese hackers through an IT services and logistics firm that manages hardware logistics for the cybersecurity firm. [...]

AI research organization Eleuther AI has launched a massive text database, Common Pile v0.1, that can be used to train AI systems, according to Techcrunch. The 8TB database consists exclusively of publicly licensed texts, or texts that are classified as public domain.

Common Pile v0.1 was developed over two years in collaboration with Poolside, Hugging Face, the US Library of Congress and the University of Toronto, among others.

The data collection was released after concerns arose about several generative AI (genAI) companies using copyrighted material to train their models without the permission of the copyright owners. Eleuther AI was also behind the collection, The Pile, which has become a central point in the debate; it now wants to show with Common Pile v0.1 that training is possible without copyrighted material.

Common Pile v.01 was reportedly used to train the Comma v0.1-1T and Comma v0.1-2T AI models; Eluther AI claims Comma v0.1-2T performs as well as Meta’s first Llama model in terms of programming, image understanding and math. Eluther AI plans is release more open data collections in the future.

A collective of former WordPress developers and contributors backed by the Linux Foundation has launched the FAIR Package Manager, a new and independent distribution system for trusted WordPress plugins and themes. [...]

Filling the void in the few hours before WWDC begins, Apple’s machine learning team raced out of the gate with a report to make people think twice about artificial intelligence, arguing that while the intelligence is artificial, it’s only superficially smart.

Some seem to think that Apple is attempting to mask its slow progress in AI development as its competitors push ahead toward artificial general intelligence (AGI). Others warn that perhaps we should all think about these findings, given the speed with which the technology is being deployed across almost every part of our society. Are we really becoming dependent on tech that doesn’t really work and will simply repeat the prejudices of its owners?

Because that’s what you get when you use something that is basically the kind of glorified pattern matching Apple’s researchers reveal in their latest paper, “The Illusion of Thinking.”

The Illusion of Thinking

In the 32-page paper, Apple’s machine learning experts argue that despite the impressive results they can achieve, AI models aren’t actually capable of authentic reasoning, relying more on pattern matching than deduction. For its analysis, the team tested models from OpenAI, Google DeepMind, Anthropic, and DeepSeek.

“Recent generations of frontier language models have introduced Large Reasoning Models (LRMs) that generate detailed thinking processes before providing answers,” they write.“Through extensive experimentation across diverse puzzles, we show that frontier LRMs face a complete accuracy collapse beyond certain complexities. Moreover, they exhibit a counterintuitive scaling limit: their reasoning effort increases with problem complexity up to a point, then declines despite having an adequate token budget.”

They also claim that while both LRM and LLM systems are good at some things, LLM wins at low-complexity tasks, LRMs do well in medium complex tasks, and both LLM and LRM models “experience complete collapse” when handling high-complexity tasks.

“We found that LRMs have limitations in exact computation: they fail to use explicit algorithms and reason inconsistently across puzzles. We also investigate the reasoning traces in more depth, studying the patterns of explored solutions and analyzing the models’ computational behavior, shedding light on their strengths, limitations, and ultimately raising crucial questions about their true reasoning capabilities,” the researchers wrote.

It raises the critical question: are the genAI systems we think are capable of reasoning actually doing so, or have they simply been taught to appear to be reasoning, even when they aren’t.

Between AI ideas and reality, falls the shadow

To prove its point, Apple shows how existing systems can be fed irrelevant or fake data they don’t recognize, leading to failures. The inference is that while these machines are good at repeating and identifying the patterns they know, actual creative problem-solving is beyond their abilities.

AI struggles with abstraction and generalization, which means the notion we’re anywhere near AGI…, well, it’s not going to happen anytime soon.

Apple isn’t alone in warning about resisting the hype around AI. Critic Gary Marcus has been raising red flags about the true intelligence in these systems, pointing to their over-reliance on trading data. This reliance means that while we’re promised that genAI will change everything and make everything better and more productive, it probably won’t achieve anything like those promises. The gulf between promise and reality is driving many in the industry to reassess their expectations already. 

What this means, of course, is that rather than becoming reliant on these systems, it makes more sense to remain pragmatic and develop a hybrid approach, both toward AI deployment AI development. 

Hold the door

Apple would say this, I suppose. We know it is facing unexpected challenges realizing the promises it made for Apple Intelligence at WWDC last year. “We need more time to complete our work on these features, so they meet our high quality bar,” Apple CEO Tim Cook said during last month’s earnings call. “We are making progress, and we look forward to getting these features into customers’ hands.”

It’s not impossible that part of the reason Apple has delayed introduction of some AI features is quite simply because they don’t work as they should. It’s possible this reflects what Apple’s research shows, with the abilities of Apple Intelligence constrained by the same challenges its report describes. 

To some degree, Apple Intelligence doesn’t matter. What is important is that any move to bet the entire future of you or of your business on AI is doomed to fail right now, if only because at root even automated pattern matching will eventually repeat the errors of the past. In the future? Who knows — the ability to create machines with human level intelligence is evidently in process, though most humans will probably prove more a little resistant to being replaced by machines. 

In the meantime, Apple will bring us a rebranded Siri, APIs so developers can build Apple Intelligence within their apps, and more partnerships with AI providers; the final obstacle is whether Apple can evolve an iteration of AI that gives it a truly competitive edge, and how long the company can play for time to achieve that.

You can follow me on social media! Join me on BlueSky,  LinkedIn, and Mastodon.

Sensata Technologies is warning former and current employees it suffered a data breach after concluding an investigation into an April ransomware attack. [...]

Blue Team playbooks are essential—but tools like Wazuh take them to the next level. From credential dumping to web shells and brute-force attacks, see how Wazuh strengthens real-time detection and automated response. [...]

Blue Team playbooks are essential—but tools like Wazuh take them to the next level. From credential dumping to web shells and brute-force attacks, see how Wazuh strengthens real-time detection and automated response. [...]

United Natural Foods (UNFI), North America's largest publicly traded wholesale distributor, was forced to shut down some systems following a recent cyberattack. [...]

Seemingly harmless Chrome extensions aimed at improving browser privacy and analytics could be inadvertently leaking API keys, secrets, and other sensitive machine information.  

According to a Symantec research, several widely used Chrome extensions, including DualSafe Password Manager and Avast Online Security & Privacy extension, are exposing information either through insecure HTTP transmission or hardcoded leaks.  

Many IT leaders struggle to find the right talent for open positions, especially when new technologies appear. Yet often, tech employees already working in the organization have valuable, transferable skills, such as problem-solving, analytical thinking, project management,, the ability to communicate effectively, and even needed technical skills.  

These overlooked skills — many of them so-called “soft skills” — can help workers adapt to new tools, learn unfamiliar programming languages, or manage complex projects. By recognizing and developing these skills, IT leaders can fill gaps in their teams while helping employees advance their careers.  

IT managers can more easily spot transferable skills if they take a deliberate approach to skills-building. Rather than focusing solely on day-to-day routine work, they should think about broader skills that can help employees succeed in different roles and with new technologies, according to Jill Stefaniak, chief learning officer at Litmos. 

Those key transferable skills include coding logic, problem-solving, data analysis, project management, and communication abilities — skills that are particularly valuable as technology continues to evolve rapidly, Stefaniak said. 

[ Related: Balancing hard and soft skills: the key to high-performing IT teams ] 

To help move a tech employee into a new position, an IT manager should evaluate the employee’s skills, focusing on ones that can easily transfer, such as critical and analytical thinking, data interpretation, or familiarity with automation and control systems, said George Fironov, co-founder and CEO of Talmatic, a concierge hiring service for developers. 

“A developer skilled in one language will be able to pick up another quickly if solid training in logical thinking, algorithms, and design patterns goes into that first language,” he said.  

Computerworld spoke to IT leaders at five companies that have created successful pipelines for tapping into internal tech talent. Here are the different approaches they take to find and develop skilled tech employees who thrive in new roles. 

Redgate Software: Taking a personal, manager-led approach 

For Chris Smith, director of engineering at Redgate Software, the most valuable transferable skills include a strong eagerness to learn, empathy for customers, solid business understanding, effective collaboration and communication, and the flexibility to adapt technically when needed. 

Smith identifies transferable skills within his teams using a personal approach led by managers, instead of using formal tools such as skills charts or tests. Smith, who’s responsible for the delivery side of Redgate’s technology and software division, said his managers stay closely connected to their team members, which helps them understand what each person can do and what they’re capable of learning. 

“Managers have a close understanding of their team members’ skills through regular one-on-one meetings,” Smith said. “And then from there I collate with the insights from all our managers where people with certain technical skills are, where our gaps are in the organization, where our strengths are, and where we might be able to use them in the future.” 

Smith also conducts quarterly mini-reviews to look at each team member’s skills and determine which of those skills they might want to develop.  

“We also run an annual survey around skills that our folks fill in,” he said. “So they share where they’ve got skills and where they’ve got gaps.” 

While he doesn’t analyze this survey at an individual level, Smith said, it helps leadership see the overall skills across the IT organization. 

Smith shared an example of a long-term employee who successfully transitioned through multiple roles by leveraging transferable skills.  

The employee originally started in the product support team, a technical role that required detailed knowledge of Redgate’s products and a deep understanding of customer problems. From the product support role, the employee first moved to a test engineer position. This transition was facilitated by the employee’s technical insight, knowledge about customers, and attention to detail.  

In the test engineer role, the employee developed an interest in automated testing, which served as a pathway to coding skills. The employee then transitioned into a software engineer role, moving beyond testing into full software development. 

Through Redgate’s re-teaming process, the worker subsequently moved to a team handling internal systems, where they worked on a Salesforce migration. Leveraging their technical background and understanding of product processes, the employee successfully became a Salesforce engineer, working with technologies such as Apex and Flow. 

Lexmark: Combining formal evaluations with casual observations 

For Sudhir Mehta, global vice president, Optra products and engineering at Lexmark, transferable skills include “a growth mindset, the willingness to learn new tools, frameworks, and methodologies.”  

Mehta said he uses a multi-faceted approach to identify these transferable skills within his team members. “This approach includes a mix of formal and informal methods, starting with regular performance evaluations, one-on-one meetings, and day-to-day job-related observations,” he said. 

Engineering team members can also demonstrate their abilities through Focus to Future events, which give engineers the chance to step outside their usual roles, Mehta said. As they team up, brainstorm, and build quick prototypes, managers can see who shows strengths in areas such as leadership, problem-solving, communication, and creative thinking. These events help managers notice skills their engineers don’t usually get to show, making it easier to see who might be ready to take on new roles or bigger challenges. 

Mehta provided an example of an IT developer who successfully transitioned from working on ERP applications to a data engineering role at Lexmark. The developer possessed a strong technical background and demonstrated excellent problem-solving skills, which made him an ideal candidate for a new position leading data engineering efforts for an IoT platform solution.  

As part of his transition, he participated in Lexmark’s AI Academy to further develop his skills and capabilities. In his new role, the developer implemented innovative solutions that had a significant impact on the company’s operations.  

He created automation for data pipelines and developed a lakehouse framework that dramatically improved efficiency. The results were impressive: the new approach reduced data orchestration costs by over 65% and decreased deployment and operations costs by more than 50%, Mehta said. 

HireVue: Employing structured, standardized assessments for objectivity 

Nathan Mondragon, chief innovation officer at HireVue, highlighted critical thinking, problem-solving, collaboration, communication, and teamwork as the key transferable skills he looks for in his tech employees.  

To identify these transferable skills within his team members, Mondragon emphasized the importance of a structured and standardized approach. 

“We find the more structure and standardization you can put into that identification, the better off it is,” said Mondragon, who manages a startup team at HireVue that consists of workers from science, product, data, and engineering groups. “So [structured] performance reviews are good.” 

Mondragon said that traditional performance reviews can be subjective, with different managers interpreting transferable skills such as teamwork differently. Instead, he recommended implementing quantitative assessment methods that objectively measure soft skills and cognitive abilities. 

One of these methods is AI-based skills validation through interview assessments that test cognitive abilities such as decision-making, problem-solving, and creative thinking. AI-based assessments analyze interview responses to identify skills and behaviors based on best practices in structured interviewing, according to Mondragon.  

“The questions are designed to draw out specific skills and behaviors,” he said. “The AI analyzes what somebody says in their answer to look for those types of answers that show they’re demonstrating that skill.” 

Although this approach is primarily used for pre-hire assessments, Mondragon said it can also be used to identify transferable skills in current tech employees.  

Additionally, Mondragon said he uses a traditional question-and-answer situational simulation-type approach to identify transferable skills in his tech talent. 

“You present a scenario or a situation and ask how somebody would respond,” he said. “And those sorts of types of setups in Q&A format are a really good approach to looking at how somebody would interact with others and the types of decisions they would make. For example, do they analyze the data to make decisions?” 

By using these structured techniques, organizations can more effectively identify an employee’s problem-solving abilities, communication skills, adaptability, and potential for learning new technologies or transitioning into different roles, according to Mondragon. The goal is to move beyond subjective evaluations and create a more objective framework that clearly identifies and leverages the transferable skills that tech employees bring to their teams. 

Criteria: Using real-work observations and AI-powered feedback 

When looking to uncover transferable IT skills, Chris Daden, chief technology officer at Criteria Corp., pays the most attention to problem-solving, communication, and analytical thinking.  

“I believe that they’re just as critical as coding or security knowledge,” he said. “And I think, for example, a security analyst’s attention to detail can translate very well to a DevOps skill set, and a help desk technician’s troubleshooting mindset can help that person transition into cybersecurity.” 

Trying to identify transferable skills through traditional methods such as performance reviews doesn’t always reveal the full range of an employee’s skills, especially in IT, Daden said. 

“I find the best way to identify transferable skills is through real work, such as project observations, mentorship, and data-driven assessments,” he said. 

Additionally, Daden said, he uses AI-powered assessments that look at skills in more flexible ways, such as by analyzing interview transcripts or conversation notes, and use smart rating tools to fairly measure an employee’s potential. These methods help to show an employee’s true potential — not just what they already know or have done. 

At Criteria, Daden uses a an AI bot named Coach Bo, which engages employees in weekly conversations. This bot is programmed with each employee’s personality and skills profile and can understand unstructured feedback, helping to spot transferable skills, areas for upskilling, and possible career growth paths. 

By collecting and analyzing these ongoing interactions, the company can gain insights into employees’ critical thinking, problem-solving abilities, and adaptability across different roles, according to Daden. 

Mphasis: Identifying transferable skills through observation, not just metrics 

The qualities Srikumar Ramanathan, chief solutions officer at Mphasis, seeks in his IT team members are a strong curiosity or desire to learn, along with solid problem-solving and analytical thinking abilities. 

Ramanathan pointed out that these skills are essential in today’s fast-changing technological environment, where staying relevant means constantly learning and adapting.  

“[The desire to learn] is important because things are changing so fast that if you stop learning, you become irrelevant,” he said. “The second is, of course, problem-solving and analytical thinking. These are probably the most critical skills that one needs.” 

Ramanathan finds formal skills evaluation methods such as performance appraisals inadequate. “Performance reviews are a lag indicator. They reflect what results have been achieved”rather than current capabilities, he said.  

To truly identify key transferable skills, Ramanathan relies more on direct, day-to-day observation — watching how team members approach challenges, adapt to new developments, and contribute during meetings and projects. He noted that this real-time insight offers a more accurate picture of an individual’s learning mindset and problem-solving approach. 

“[I look at] their approaches to addressing problems or opportunities. How do they go about it? How do they adapt to new things coming on board? These are things that one has to observe on a day-to-day basis,” he said.  

Related reading: 

• How — and why — to upskill your employees 
• Just what is an ‘IT worker’ now? The definition is changing 
• AWS exec highlights key skills for success in the evolving AI-driven job market 
• The ‘Great Retraining’: IT upskills for the future 

Street smarts vs book smarts

Recently, one of our expert contributors opined that the act of writing helps to make an IT leader stronger, arguing that writing is a leadership superpower. According to CIO.com, writing conquers cognitive limits, clarifies complex thoughts, and stress-tests ideas for a decisive strategic advantage.  

This piqued the interest of readers of CIO, who were keen to ask Smart Answers about other ways in which we can learn and do better. One question in particular focused on the value of hands-on learning.  

It’s been a theme in recent years that learning on the job can be more valuable than academic learning; Smart Answers suggests that hands-on learning is crucial for IT skills because it allows individuals to demonstrate capabilities, retain knowledge, learn continuously, and build competency. 

Find out: Why is hands-on learning crucial for IT skills?  

LLMs training LLMs?

A big hit this week was Matthew Tyson’s fascinating deep dive into the rise and fall of Stack Overflow.  At one point, the internet’s senior engineer — the backstop where developers turned with problems that stymied them — Stack Overflow has declined not because AI is able to write code, but because it lost the element of human community that drove its initial growth.  

W’re proud that Smart Answers is useful because it is trained on only the content we create, every piece of which features insights from real humans working in IT. Readers of the Stack Overflow article asked our AI chatbot an important question: where do large language models (LLMs) go to get such insights if everyone acquires information from LLMs? Google Search is built on referrals to original content from publishers. But if no one is being referred, and publishers stop publishing, there will be no content on which to train LLMs.  

Smart Answers agrees: for LLMs to thrive, they need to capture information from trusted sources. It cites community platforms, open datasets, and published content. To mitigate the risks of AI feeding on AI, Smart Answers says future LLMs might need to focus on high-quality, structured data, such as textbook-quality data. And yes, we appreciate the irony of our readers asking our own LLM about this issue. 

Find out: Where will future LLMs get training data?  

SAP stick or twist

This week, we reported that nearly half of SAP ECC customers may stick with legacy ERP beyond 2027. We said that as the end of support for ECC nears, many customers continue to avoid moving to S/4HANA because of the cost and complexity of migration. And, really, what’s the harm? 

Good point. What is the harm?  

Readers of CIO.com asked Smart Answers that question. Continuing to use SAP ECC after 2027 poses several risks, according to our LLM. Running legacy ERP systems can expose customers to security and operational risks. Lack of support for third-party products can introduce security vulnerabilities. And maintenance fees can mount. 

Find out: What are the risks of staying on SAP ECC after 2027? 

About Smart Answers 

Smart Answers is an AI-based chatbot tool designed to help you discover content, answer questions, and go deep on the topics that matter to you. Each week we send you the three most popular questions asked by our readers, and the answers Smart Answers provides.  

Introduction

In May 2020, Bitdefender released a white paper containing a detailed analysis of Mandrake, a sophisticated Android cyber-espionage platform, which had been active in the wild for at least four years.

In April 2024, we discovered a suspicious sample that appeared to be a new version of Mandrake. Ensuing analysis revealed as many as five Mandrake applications, which had been available on Google Play from 2022 to 2024 with more than 32,000 installs in total, while staying undetected by any other vendor. The new samples included new layers of obfuscation and evasion techniques, such as moving malicious functionality to obfuscated native libraries, using certificate pinning for C2 communications, and performing a wide array of tests to check if Mandrake was running on a rooted device or in an emulated environment.

Our findings, in a nutshell, were as follows.

• After a two-year break, the Mandrake Android spyware returned to Google Play and lay low for two years.
• The threat actors have moved the core malicious functionality to native libraries obfuscated with OLLVM.
• Communication with command-and-control servers (C2) uses certificate pinning to prevent capture of SSL traffic.
• Mandrake is equipped with a diverse arsenal of sandbox evasion and anti-analysis techniques.

Kaspersky products detect this threat as HEUR:Trojan-Spy.AndroidOS.Mandrake.*.

Technical details Background

The original Mandrake campaign with its two major infection waves, in 2016–2017 and 2018–2020, was analyzed by Bitdefender in May 2020. After the Bitdefender report was published, we discovered one more sample associated with the campaign, which was still available on Google Play.

The Mandrake application from the previous campaign on Google Play

In April 2024, we found a suspicious sample that turned out to be a new version of Mandrake. The main distinguishing feature of the new Mandrake variant was layers of obfuscation designed to bypass Google Play checks and hamper analysis. We discovered five applications containing Mandrake, with more than 32,000 total downloads. All these were published on Google Play in 2022 and remained available for at least a year. The newest app was last updated on March 15, 2024 and removed from Google Play later that month. As at July 2024, none of the apps had been detected as malware by any vendor, according to VirusTotal.

Mandrake samples on VirusTotal

Applications Package name App name MD5 Developer Released Last updated on Google Play Downloads com.airft.ftrnsfr AirFS 33fdfbb1acdc226eb177eb42f3d22db4 it9042 Apr 28,
2022 Mar 15,
2024 30,305 com.astro.dscvr Astro Explorer 31ae39a7abeea3901a681f847199ed88 shevabad May 30,
2022 Jun 06,
2023 718 com.shrp.sght Amber b4acfaeada60f41f6925628c824bb35e kodaslda Feb 27,
2022 Aug 19,
2023 19 com.cryptopulsing.browser CryptoPulsing e165cda25ef49c02ed94ab524fafa938 shevabad Nov 02,
2022 Jun 06,
2023 790 com.brnmth.mtrx Brain Matrix – kodaslda Apr 27,
2022 Jun 06,
2023 259

Mandrake applications on Google Play

We were not able to get the APK file for com.brnmth.mtrx, but given the developer and publication date, we assume with high confidence that it contained Mandrake spyware.

Application icons

Malware implant

The focus of this report is an application named AirFS, which was offered on Google Play for two years and last updated on March 15, 2024. It had the biggest number of downloads: more than 30,000. The malware was disguised as a file sharing app.

AirFS on Google Play

According to reviews, several users noticed that the app did not work or stole data from their devices.

Application reviews

Infection chain

Like the previous versions of Mandrake described by Bitdefender, applications in the latest campaign work in stages: dropper, loader and core. Unlike the previous campaign where the malicious logic of the first stage (dropper) was found in the application DEX file, the new versions hide all the first-stage malicious activity inside the native library libopencv_dnn.so, which is harder to analyze and detect than DEX files. This library exports functions to decrypt the next stage (loader) from the assets/raw folder.

Contents of the main APK file

Interestingly, the sample com.shrp.sght has only two stages, where the loader and core capabilities are combined into one APK file, which the dropper decrypts from its assets.

While in the past Mandrake campaigns we saw different branches (“oxide”, “briar”, “ricinus”, “darkmatter”), the current campaign is related to the “ricinus” branch. The second- and third-stage files are named “ricinus_airfs_3.4.0.9.apk”, “ricinus_dropper_core_airfs_3.4.1.9.apk”, “ricinus_amber_3.3.8.2.apk” and so on.

When the application starts, it loads the native library:

Loading the native library

To make detection harder, the first-stage native library is heavily obfuscated with the OLLVM obfuscator. Its main goal is to decrypt and load the second stage, named “loader“. After unpacking, decrypting and loading into memory the second-stage DEX file, the code calls the method dex_load and executes the second stage. In this method, the second-stage native library path is added to the class loader, and the second-stage main activity and service start. The application then shows a notification that asks for permission to draw overlays.

When the main service starts, the second-stage native library libopencv_java3.so is loaded, and the certificate for C2 communications, which is placed in the second-stage assets folder, is decrypted. The treat actors used an IP address for C2 communications, and if the connection could not be established, the malware tried to connect to more domains. After successfully connecting, the app sends information about the device, including the installed applications, mobile network, IP address and unique device ID, to the C2. If the threat actors find their target relevant on the strength of that data, they respond with a command to download and run the “core” component of Mandrake. The app then downloads, decrypts and executes the third stage (core), which contains the main malware functionality.

Second-stage commands: Command Description start Start activity cup Set wakelock, enable Wi-Fi, and start main parent service cdn Start main service stat Collect information about connectivity status, battery optimization, “draw overlays” permission, adb state, external IP, Google Play version apps Report installed applications accounts Report user accounts battery Report battery percentage home Start launcher app hide Hide launcher icon unload Restore launcher icon core Start core loading clean Remove downloaded core over Request “draw overlays” permission opt Grant the app permission to run in the background Third stage commands: Command Description start Start activity duid Change UID cup Set wakelock, enable Wi-Fi, and start main parent service cdn Start main service stat Collect information about connectivity status, battery optimization, “draw overlays” permission, adb state, external IP, Google Play version apps Report installed applications accounts Report user accounts battery Report battery percentage home Start launcher app hide Hide launcher icon unload Restore launcher icon restart Restart application apk Show application install notification start_v Load an interactive webview overlay with a custom implementation of screen sharing with remote access, commonly referred to by the malware developers “VNC” start_a Load webview overlay with automation stop_v Unload webview overlay start_i, start_d Load webview overlay with screen record stop_i Stop webview overlay upload_i, upload_d Upload screen record over Request “draw overlays” permission opt Grant the app permission to run in the background

When Mandrake receives a start_v command, the service starts and loads the specified URL in an application-owned webview with a custom JavaScript interface, which the application uses to manipulate the web page it loads.

While the page is loading, the application establishes a websocket connection and starts taking screenshots of the page at regular intervals, while encoding them to base64 strings and sending these to the C2 server. The attackers can use additional commands to adjust the frame rate and quality. The threat actors call this “vnc_stream”.  At the same time, the C2 server can send back control commands that make application execute actions, such as swipe to a given coordinate, change the webview size and resolution, switch between the desktop and mobile page display modes, enable or disable JavaScript execution, change the User Agent, import or export cookies, go back and forward, refresh the loaded page, zoom the loaded page and so on.

When Mandrake receives a start_i command, it loads a URL in a webview, but instead of initiating a “VNC” stream, the C2 server starts recording the screen and saving the record to a file. The recording process is similar to the “VNC” scenario, but screenshots are saved to a video file. Also in this mode, the application waits until the user enters their credentials on the web page and then collects cookies from the webview.

The start_a command allows running automated actions in the context of the current page, such as swipe, click, etc. If this is the case, Mandrake downloads automation scenarios from the URL specified in the command options. In this mode, the screen is also recorded.

Screen recordings can be uploaded to the C2 with the upload_i or upload_d commands.

The main goals of Mandrake are to steal the user’s credentials, and download and execute next-stage malicious applications.

Data decryption methods

Data encryption and decryption logic is similar across different Mandrake stages. In this section, we will describe the second-stage data decryption methods.

The second-stage native library libopencv_java3.so contains AES-encrypted C2 domains, and keys for configuration data and payload decryption. Encrypted strings are mixed with plain text strings.

To get the length of the string, Mandrake XORs the first three bytes of the encrypted array, then uses the first two bytes of the array as keys for custom XOR encoding.

Strings decryption algorithm

The key and IV for decrypting AES-encrypted data are encoded in the same way, with part of the data additionally XORed with constants.

AES key decryption

Mandrake uses the OpenSSL library for AES decryption, albeit in quite a strange way. The encrypted file is divided into 16-byte blocks, each of these decrypted with AES-CFB128.

The encrypted certificate for C2 communication is located in the assets/raw folder of the second stage as a file named cart.raw, which is decrypted using the same algorithm.

Installing next-stage applications

When Mandrake gets an apk command from the C2, it downloads a new separate APK file with an additional module and shows the user a notification that looks like something they would receive from Google Play. The user clicking the notification initiates the installation process.

Android 13 introduced the “Restricted Settings” feature, which prohibits sideloaded applications from directly requesting dangerous permissions. To bypass this feature, Mandrake processes the installation with a “session-based” package installer.

Installing additional applications

Sandbox evasion techniques and environment checks

While the main goal of Mandrake remains unchanged from past campaigns, the code complexity and quantity of the emulation checks have significantly increased in recent versions to prevent the code from being executed in environments operated by malware analysts. However, we were able to bypass these restrictions and discovered the changes described below.

The versions of the malware discovered earlier contained only a basic emulation check routine.

Emulator checks in an older Mandrake version

In the new version, we discovered more checks.

To start with, the threat actors added Frida detection. When the application starts, it loads the first-stage native library libopencv_dnn.so. The init_array section of this library contains the Frida detector function call. The threat actors used the DetectFrida method. First, it computes the CRC of all libraries, then it starts a Frida detect thread. Every five seconds, it checks that libraries in memory have not been changed. Additionally, it checks for Frida presence by looking for specific thread and pipe names used by Frida. So, when an analyst tries to use Frida against the application, execution is terminated. Even if you use a custom build of Frida and try to hook a function in the native library, the app detects the code change and terminates.

Next, after collecting device information to make a request for the next stage, the application checks the environment to find out if the device is rooted and if there are analyst tools installed. Unlike some other threat actors who seek to take advantage of root access, Mandrake developers consider a rooted device dangerous, as average users, their targets, do not typically root their phones. First, Mandrake tries to find a su binary, a SuperUser.apk, Busybox or Xposed framework, and Magisk and Saurik Substrate files. Then it checks if the system partition is mounted as read-only. Next, it checks if development settings and ADB are enabled. And finally, it checks for the presence of a Google account and Google Play application on the device.

C2 communication

All C2 communications are maintained via the native part of the applications, using an OpenSSL static compiled library.

To prevent network traffic sniffing, Mandrake uses an encrypted certificate, decrypted from the assets/raw folder, to secure C2 communications. The client needs to be verified by this certificate, so an attempt to capture SSL traffic results in a handshake failure and a breakdown in communications. Still, any packets sent to the C2 are saved locally for additional AES encryption, so we are able to look at message content. Mandrake uses a custom JSON-like serialization format, the same as in previous campaigns.

Example of a C2 request:

node #1 { uid "a1c445f10336076b"; request "1000"; data_1 "32|3.1.1|HWLYO-L6735|26202|de||ricinus_airfs_3.4.0.9|0|0|0||0|0|0|0|Europe/Berlin||180|2|1|41|115|0|0|0|0|loader|0|0|secure_environment||0|0|1|0||0|85.214.132.126|0|1|38.6.10-21 [0] [PR] 585796312|0|0|0|0|0|"; data_2 "loader"; dt 1715178379; next #2; } node #2 { uid "a1c445f10336076b"; request "1010"; data_1 "ricinus_airfs_3.4.0.9"; data_2 ""; dt 1715178377; next #3; } node #3 { uid "a1c445f10336076b"; request "1003"; data_1 "com.airft.ftrnsfr\n\ncom.android.calendar\n\[redacted]\ncom.android.stk\n\n"; data_2 ""; dt 1715178378; next NULL; }

Example of a C2 response:

node #1 { response "a1c445f10336076b"; command "1035"; data_1 ""; data_2 ""; dt "0"; next #2; } node #2 { response "a1c445f10336076b"; command "1022"; data_1 "20"; data_2 "1"; dt "0"; next #3; } node #3 { response "a1c445f10336076b"; command "1027"; data_1 "1"; data_2 ""; dt "0"; next #4; } node #4 { response "a1c445f10336076b"; command "1010"; data_1 "ricinus_dropper_core_airfs_3.4.1.9.apk"; data_2 "60"; dt "0"; next NULL; }

Mandrake uses opcodes from 1000 to 1058. The same opcode can represent different actions depending on whether it is used for a request or a response. See below for examples of this.

• Request opcode 1000: send device information;
• Request opcode 1003: send list of installed applications;
• Request opcode 1010: send information about the component;
• Response opcode 1002: set contact rate (client-server communication);
• Response opcode 1010: install next-stage APK;
• Response opcode 1011: abort next-stage install;
• Response opcode 1022: request user to allow app to run in background;
• Response opcode 1023: abort request to allow app to run in background;
• Response opcode 1027: change application icon to default or Wi-Fi service icon.

Attribution

Considering the similarities between the current campaign and the previous one, and the fact that the C2 domains are registered in Russia, we assume with high confidence that the threat actor is the same as stated in the Bitdefender’s report.

Victims

The malicious applications on Google Play were available in a wide range of countries. Most of the downloads were from Canada, Germany, Italy, Mexico, Spain, Peru and the UK.

Conclusions

The Mandrake spyware is evolving dynamically, improving its methods of concealment, sandbox evasion and bypassing new defense mechanisms. After the applications of the first campaign stayed undetected for four years, the current campaign lurked in the shadows for two years, while still available for download on Google Play. This highlights the threat actors’ formidable skills, and also that stricter controls for applications before being published in the markets only translate into more sophisticated, harder-to-detect threats sneaking into official app marketplaces.

Indicators of Compromise

File Hashes
141f09c5d8a7af85dde2b7bfe2c89477
1b579842077e0ec75346685ffd689d6e
202b5c0591e1ae09f9021e6aaf5e8a8b
31ae39a7abeea3901a681f847199ed88
33fdfbb1acdc226eb177eb42f3d22db4
3837a06039682ced414a9a7bec7de1ef
3c2c9c6ca906ea6c6d993efd0f2dc40e
494687795592106574edfcdcef27729e
5d77f2f59aade2d1656eb7506bd02cc9
79f8be1e5c050446927d4e4facff279c
7f1805ec0187ddb54a55eabe3e2396f5
8523262a411e4d8db2079ddac8424a98
8dcbed733f5abf9bc5a574de71a3ad53
95d3e26071506c6695a3760b97c91d75
984b336454282e7a0fb62d55edfb890a
a18a0457d0d4833add2dc6eac1b0b323
b4acfaeada60f41f6925628c824bb35e
cb302167c8458e395337771c81d5be62
da1108674eb3f77df2fee10d116cc685
e165cda25ef49c02ed94ab524fafa938
eb595fbcf24f94c329ac0e6ba63fe984
f0ae0c43aca3a474098bd5ca403c3fca

Domains and IPs
45.142.122[.]12
ricinus[.]ru
ricinus-ca[.]ru
ricinus-cb[.]ru
ricinus-cc[.]ru
ricinus[.]su
toxicodendron[.]ru

Introduction

Bulk phishing email campaigns tend to target large audiences. They use catch-all wordings and simplistic formatting, and typos are not uncommon. Targeted attacks take greater effort, with attackers sending personalized messages that include personal details and might look more like something you’d get from your employer or a customer. Adopting that approach on a larger scale is a pricey endeavor. Yet, certain elements of spear phishing recently started to be used in regular mass phishing campaigns. This story looks at some real-life examples that illustrate the trend.

Spear phishing vs. mass phishing

Spear phishing is a type of attack that targets a specific individual or small group. Phishing emails like that feature information about the victim, and they tend to copy, both textually and visually, the style used by the company that they pretend to be from. They’re not easy to see for what they are: the attackers avoid errors in technical headers and don’t use email tools that could get them blocked, such as open email relays or bulletproof hosting services included in blocklists, such as DNS-based blocklist (DNSBL).

By contrast, mass phishing campaigns are designed for a large number of recipients: the messages are generalized in nature, they are not addressed to a specific user and do not feature the name of the addressee’s company or any other personalized details. Typos, mistakes and poor design are all common. Today’s AI-powered editing tools help attackers write better, but the text and formatting found in bulk email is still occasionally substandard. There is no structure to who gets targeted: attackers run their campaigns across entire databases of email addresses available to them. It’s a one-size-fits-all message inside: corporate discounts, security alerts from popular services, issues with signing in and the like.

Attacks evolving: real-life examples

Unlike other types of email phishing, spear phishing was never a tool for mass attacks. However, as we researched user requests in late 2023, we spotted an anomaly in how detections were distributed statistically. A lot of the emails that we found were impossible to pigeonhole as either targeted or mass-oriented. They boasted a quality design, personalized details of the targeted company and styling that imitated HR notifications. Still the campaigns were too aggressive and sent on too mass a scale to qualify as spear phishing.

An HR phishing email message: the body references the company, the recipient is addressed by their name, and the content is specialized enough so as to feel normal to a vigilant user

Besides, the message linked to a typical fake Outlook sign-in form. The form was not customized to reflect the target company’s style – a sure sign of bulk phishing.

The phishing sign-in form that opened when the user clicked the link in the email

Another similar campaign uses so-called ghost spoofing, a type of spoofing that adds a real corporate email address to the sender’s name, but does not hide or modify the actual domain. The technique sees increasing use in targeted attacks, but it’s overkill for mass phishing.

An HR phishing email message that uses ghost spoofing: the sender’s name contains the HR team’s email address, lending an air of authenticity to the email

As in the previous example, the phishing link in the email doesn’t have any unique features that a spear phishing link would. The sign-in form that opens contains no personalized details, while the design looks exactly like many other forms of this kind. It is hosted on an IPFS service like those often used in mass attacks.

The IPFS phishing sign-in form

Statistics

The number of mixed phishing emails, March-May, 2024 (download)

We detected a substantial increase in the number of those mixed attacks in March through May 2024. First and foremost, this is a sign that tools used by attackers are growing in complexity and sophistication. Today’s technology lowers the cost of launching personalized attacks at scale. AI-powered tools can style the email body as an official HR request, fix typos and create a clean design. We have also observed a proliferation of third-party spear phishing services. This calls for increased vigilance on the part of users and more robust corporate security infrastructure.

Takeaways

Attackers are increasingly adopting spear phishing methods and technology in their bulk phishing campaigns: emails they send are growing more personalized, and the range of their spoofing technologies and tactics is expanding. These are still mass email campaigns and as such present a potential threat. This calls for safeguards that keep up with the pace of advances in technology while combining sets of methods and services to combat each type of phishing.

To fend off email attacks that combine spear and mass phishing elements:

• Pay attention to the sender’s address and the actual email domain: in an official corporate email, these must match.
• If something smells phishy, ask the sender to clarify, but don’t just reply to the email: use a different communication channel.
• Hold regular awareness sessions for your team to educate them about email phishing.
• Use advanced security solutions that incorporate anti-spam filtering and protection.

Detection is a traditional type of cybersecurity control, along with blocking, adjustment, administrative and other controls. Whereas before 2015 teams asked themselves what it was that they were supposed to detect, as MITRE ATT&CK evolved, SOCs were presented with practically unlimited space for ideas on creating detection scenarios.

With the number of scenarios becoming virtually unlimited, another question inevitably arises: “What do we detect first?” This and the fact that SOC teams forever play the long game, having to respond with limited resources to a changing threat landscape, evolving technology and increasingly sophisticated malicious actors, makes managing efforts to develop detection logic an integral part of any modern SOC’s activities.

The problem at hand is easy to put into practical terms: the bulk of the work done by any modern SOC – with the exception of certain specialized SOC types – is detecting, and responding to, information security incidents. Detection is directly associated with preparation of certain algorithms, such as signatures, hard-coded logic, statistical anomalies, machine learning and others, that help to automate the process. The preparation consists of at least two processes: managing detection scenarios and developing detection logic. These cover the life cycle, stages of development, testing methods, go-live, standardization, and so on. These processes, like any others, require certain inputs: an idea that describes the expected outcome at least in abstract terms.

This is where the first challenges arise: thanks to MITRE ATT&CK, there are too many ideas. The number of described techniques currently exceeds 200, and most are broken down into several sub-techniques – MITRE T1098 Account Manipulation, for one, contains six sub-techniques – while SOC’s resources are limited. Besides, SOC teams likely do not have access to every possible source of data for generating detection logic, and some of those they do have access to are not integrated with the SIEM system. Some sources can help with generating only very narrowly specialized detection logic, whereas others can be used to cover most of the MITRE ATT&CK matrix. Finally, certain cases require activating extra audit settings or adding selective anti-spam filtering. Besides, not all techniques are the same: some are used in most attacks, whereas others are fairly unique and will never be seen by a particular SOC team. Thus, setting priorities is both about defining a subset of techniques that can be detected with available data and about ranking the techniques within that subset to arrive at an optimized list of detection scenarios that enables detection control considering available resources and in the original spirit of MITRE ATT&CK: discovering only some of the malicious actor’s atomic actions is enough for detecting the attack.

A slight detour. Before proceeding to specific prioritization techniques, it is worth mentioning that this article looks at options based on tools built around the MITRE ATT&CK matrix. It assesses threat relevance in general, not in relation to specific organizations or business processes. Recommendations in this article can be used as a starting point for prioritizing detection scenarios. A more mature approach must include an assessment of a landscape that consists of security threats relevant to your particular organization, an allowance for your own threat model, an up-to-date risk register, and automation and manual development capabilities. All of this requires an in-depth review, as well as liaison between various processes and roles inside your SOC. We offer more detailed maturity recommendations as part of our SOC consulting services.

MITRE Data Sources

Optimized prioritization of the backlog as it applies to the current status of monitoring can be broken down into the following stages:

• Defining available data sources and how well they are connected;
• Identifying relevant MITRE ATT&CK techniques and sub-techniques;
• Finding an optimal relation between source status and technique relevance;
• Setting priorities.

A key consideration in implementing this sequence of steps is the possibility of linking information that the SOC receives from data sources to a specific technique that can be detected with that information. In 2021, MITRE completed its ATT&CK Data Sources project, its result being a methodology for describing a data object that can be used for detecting a specific technique. The key elements for describing data objects are:

• Data Source: an easily recognizable name that defines the data object (Active Directory, application log, driver, file, process and so on);
• Data Components: possible data object actions, statuses and parameters. For example, for a file data object, data components are file created, file deleted, file modified, file accessed, file metadata, and so on.

MITRE Data Sources

Virtually every technique in the MITRE ATT&CK matrix currently contains a Detection section that lists data objects and relevant data components that can be used for creating detection logic. A total of 41 data objects have been defined at the time of publishing this article.

MITRE most relevant data components

The column on the far right in the image above (Event Logs) illustrates the possibilities of expanding the methodology to cover specific events received from real data sources. Creating a mapping like this is not one of the ATT&CK Data Sources project goals. This Event Logs example is rather intended as an illustration. On the whole, each specific SOC is expected to independently define a list of events relevant to its sources, a fairly time-consuming task.

To optimize your approach to prioritization, you can start by isolating the most frequent data components that feature in most MITRE ATT&CK techniques.

The graph below presents the up-to-date top 10 data components for MITRE ATT&CK matrix version 15.1, the latest at the time of writing this.

The most relevant data components (download)

For these data components, you can define custom sources for the most results. The following will be of help:

• Expert knowledge and overall logic. Data objects and data components are typically informative enough for the engineer or analyst working with data sources to form an initial judgment on the specific sources that can be used.
• Validation directly inside the event collection system. The engineer or analyst can review available sources and match events with data objects and data components.
• Publicly available resources on the internet, such as Sensor Mappings to ATT&CK, a project by the Center for Threat-Informed Defense, or this excellent resource on Windows events: UltimateWindowsSecurity.

That said, most sources are fairly generic and typically connected when a monitoring system is implemented. In other words, the mapping can be reduced to selecting those sources which are connected in the corporate infrastructure or easy to connect.

The result is an unranked list of integrated data sources that can be used for developing detection logic, such as:

• For Command Execution: OS logs, EDR, networked device administration logs and so on;
• For Process Creation: OS logs, EDR;
• For Network Traffic Content: WAF, proxy, DNS, VPN and so on;
• For File Modification: DLP, EDR, OS logs and so on.

However, this list is not sufficient for prioritization. You also need to consider other criteria, such as:

• The quality of source integration. Two identical data sources may be integrated with the infrastructure differently, with different logging settings, one source being located only in one network segment, and so on.
• Usefulness of MITRE ATT&CK techniques. Not all techniques are equally useful in terms of optimization. Some techniques are more specialized and aimed at detecting rare attacker actions.
• Detection of the same techniques with several different data sources (simultaneously). The more options for detecting a technique have been configured, the higher the likelihood that it will be discovered.
• Data component variability. A selected data source may be useful for detecting not only those techniques associated with the top 10 data components but others as well. For example, an OS log can be used for detecting both Process Creation components and User Account Authentication components, a type not mentioned on the graph.

Prioritizing with DeTT&CT and ATT&CK Navigator

Now that we have an initial list of data sources available for creating detection logic, we can proceed to scoring and prioritization. You can automate some of this work with the help of DeTT&CT, a tool created by developers unaffiliated with MITRE to help SOCs with using MITRE ATT&CK for scoring and comparing the quality of data sources, coverage and detection scope according to MITRE ATT&CK techniques. The tool is available under the GPL-3.0 license.

DETT&CT supports an expanded list of data sources as compared to the MITRE model. This list is implemented by design and you do not need to redefine the MITRE matrix itself. The expanded model includes several data components, which are parts of MITRE’s Network Traffic component, such as Web, Email, Internal DNS, and DHCP.

You can install DETT&CT with the help of two commands: git clone and pip install -r. This gives you access to DETT&CT Editor: a web interface for describing data sources, and DETT&CT CLI for automated analysis of prepared input data that can help with prioritizing detection logic and more.

The first step in identifying relevant data sources is describing these. Go to Data Sources in DETT&CT Editor, click New file and fill out the fields:

• Domain: the version of the MITRE ATT&CK matrix to use (enterprise, mobile or ICS).
• This field is not used in analytics; it is intended for distinguishing between files with the description of sources.
• Systems: selection of platforms that any given data source belongs to. This helps to both separate platforms, such as Windows and Linux, and specify several platforms within one system. Going forward, keep in mind that a data source is assigned to a system, not a platform. In other words, if a source collects data from both Windows and Linux, you can leave one system with two platforms, but if one source collects data from Windows only, and another, from Linux only, you need to create two systems: one for Windows and one for Linux.

After filling out the general sections, you can proceed to analyzing data sources and mapping to the MITRE Data Sources. Click Add Data Source for each MITRE data object and fill out the relevant fields. Follow the link above for a detailed description of all fields and example content on the project page. We will focus on the most interesting field: Data quality. It describes the quality of data source integration as determined according to five criteria:

• Device completeness. Defines infrastructure coverage by the source, such as various versions of Windows or subnet segments, and so on.
• Data field completeness. Defines the completeness of data in events from the source. For example, information about Process Creation may be considered incomplete if we see that a process was created, but not the details of the parent process, or for Command Execution, we see the command but not the arguments, and so on.
• Defines the presence of a delay between the event happening and being added to a SIEM system or another detection system.
• Defines the extent to which the names of the data fields in an event from this source are consistent with standard naming.
• Compares the period for which data from the source is available for detection with the data retention policy defined for the source. For instance, data from a certain source is available for one month, whereas the policy or regulatory requirements define the retention period as one year.

A detailed description of the scoring system for filling out this field is available in the project description.

It is worth mentioning that at this step, you can describe more than just the top 10 data components that cover the majority of the MITRE ATT&CK techniques. Some sources can provide extra information: in addition to Process Creation, Windows Security Event Log provides data for User Account Authentication. This extension will help to analyze the matrix without limitations in the future.

After describing all the sources on the list defined earlier, you can proceed to analyze these with reference to the MITRE ATT&CK matrix.

The first and most trivial analytical report identifies the MITRE ATT&CK techniques that can be discovered with available data sources one way or another. This report is generated with the help of a configuration file with a description of data sources and DETT&CT CLI, which outputs a JSON file with MITRE ATT&CK technique coverage. You can use the following command for this:

python dettect.py ds -fd <data-source-yaml-dir>/<data-sources-file.yaml> -l

The resulting JSON is ready to be used with the MITRE ATT&CK matrix visualization tool, MITRE ATT&CK Navigator. See below for an example.

MITRE ATT&CK coverage with available data sources

This gives a literal answer to the question of what techniques the SOC can discover with the set of data sources that it has. The numbers in the bottom right-hand corner of some of the cells reflect sub-technique coverage by the data sources, and the colors, how many different sources can be used to detect the technique. The darker the color, the greater the number of sources.

DETT&CT CLI can also generate an XLSX file that you can conveniently use as the integration of existing sources evolves, a parallel task that is part of the data source management process. You can use the following command to generate the file:

python dettect.py ds -fd <data-source-yaml-dir>/<data-sources-file.yaml> -e

The next analytical report we are interested in assesses the SOC’s capabilities in terms of detecting MITRE ATT&CK techniques and sub-techniques while considering the scoring of integrated source quality as done previously. You can generate the report by running the following command:

python dettect.py ds -fd <data-source-yaml-dir>/<data-sources-file.yaml> --yaml

This generates a DETT&CT configuration file that both contains matrix coverage information and considers the quality of the data sources, providing a deeper insight into the level of visibility for each technique. The report can help to identify the techniques for which the SOC in its current shape can achieve the best results in terms of completeness of detection and coverage of the infrastructure.

This information too can be visualized with MITRE ATT&CK Navigator. You can use the following DETT&CT CLI command for this:

python dettect.py v -ft output/<techniques-administration-file.yaml> -l

See below for an example.

MITRE ATT&CK coverage with available sources considering their quality

For each technique, the score is calculated as an average of all relevant data source scores. For each data source, it is calculated from specific parameters. The following parameters have increased weight:

• Device completeness;
• Data field completeness;
• Retention.

To set up the scoring model, you need to modify the project source code.

It is worth mentioning that the scoring system presented by the developers of DETT&CT tends to be fairly subjective in some cases, for example:

• You may have one data source out of the three mentioned in connection with the specific technique. However, in some cases, one data source may not be enough even to detect the technique on a minimal level.
• In other cases, the reverse may be true, with one data source giving exhaustive information for complete detection of the technique.
• Detection may be based on a data source that is not currently mentioned in the MITRE ATT&CK Data Sources or Detections for that particular technique.

In these cases, the DETT&CT configuration file techniques-administration-file.yaml can be adjusted manually.

Now that the available data sources and the quality of their integration have been associated with the MITRE ATT&CK matrix, the last step is ranking the available techniques. You can use the Procedure Examples section in the matrix, which defines the groups that use a specific technique or sub-technique in their attacks. You can use the following DETT&CT command to run the operation for the entire MITRE ATT&CK matrix:

python dettect.py g

In the interests of prioritization, we can merge the two datasets (technique feasibility considering available data sources and their quality, and the most frequently used MITRE ATT&CK techniques):

python dettect.py g -p PLATFORM -o output/<techniques-administration- file.yaml> -t visibility

The result is a JSON file containing techniques that the SOC can work with and their description, which includes the following:

• Detection ability scoring;
• Known attack frequency scoring.

See the image below for an example.

Technique frequency and detection ability

As you can see in the image, some of the techniques are colored shades of red, which means they have been used in attacks (according to MITRE), but the SOC has no ability to detect them. Other techniques are colored shades of blue, which means the SOC can detect them, but MITRE has no data on these techniques having been used in any attacks. Finally, the techniques colored shades of orange are those which groups known to MITRE have used and the SOC has the ability to detect.

It is worth mentioning that groups, attacks and software used in attacks, which are linked to a specific technique, represent retrospective data collected throughout the period that the matrix has existed. In some cases, this may result in increased priority for techniques that were relevant for attacks, say, from 2015 through 2020, which is not really relevant for 2024.

However, isolating a subset of techniques ever used in attacks produces more meaningful results than simple enumeration. You can further rank the resulting subset in the following ways:

• By using the MITRE ATT&CK matrix in the form of an Excel table. Each object (Software, Campaigns, Groups) contains the property Created (date when the object was created) that you can rely on when isolating the most relevant objects and then use the resulting list of relevant objects to generate an overlap as described above:
  python dettect.py g -g sample-data/groups.yaml -p PLATFORM -o output/<techniques-administration-file.yaml> -t visibility
• By using the TOP ATT&CK TECHNIQUES project created by MITRE Engenuity.

TOP ATT&CK TECHNIQUES was aimed at developing a tool for ranking MITRE ATT&CK techniques and accepts similar inputs to DETT&CT. The tool produces a definition of 10 most relevant MITRE ATT&CK techniques for detecting with available monitoring capabilities in various areas of the corporate infrastructure: network communications, processes, the file system, cloud-based solutions and hardware. The project also considers the following criteria:

• Choke Points, or specialized techniques where other techniques converge or diverge. Examples of these include T1047 WMI, as it helps to implement a number of other WMI techniques, or T1059 Command and Scripting Interpreter, as many other techniques rely on a command-line interface or other shells, such as PowerShell, Bash and others. Detecting this technique will likely lead to discovering a broad spectrum of attacks.
• Prevalence: technique frequency over time.

MITRE ATT&CK technique ranking methodology in TOP ATT&CK TECHNIQUES

Note, however, that the project is based on MITRE ATT&CK v.10 and is not supported.

Finalizing priorities

By completing the steps above, the SOC team obtains a subset of MITRE ATT&CK techniques that feature to this or that extent in known attacks and can be detected with available data sources, with an allowance for the way these are configured in the infrastructure. Unfortunately, DETT&CT does not offer any way of creating a convenient XLSX file with an overlap between techniques used in attacks and those that the SOC can detect. However, we have a JSON file that can be used to generate the overlap with the help of MITRE ATT&CK Navigator. So, all you need to do for prioritization is to parse the JSON, say, with the help of Python. The final prioritization conditions may be as follows:

• Priority 1 (critical): Visibility_score >= 3 and Attacker_score >= 75. From an applied perspective, this isolates MITRE ATT&CK techniques that most frequently feature in attacks and that the SOC requires minimal or no preparation to detect.
• Priority 2 (high): (Visibility_score < 3 and Visibility_score >= 1) and Attacker_score >= 75. These are MITRE ATT&CK techniques that most frequently feature in attacks and that the SOC is capable of detecting. However, some work on logging may be required, or monitoring coverage may not be good enough.
• Priority 3 (medium): Visibility_score >= 3 and Attacker_score < 75. These are MITRE ATT&CK techniques with medium to low frequency that the SOC requires minimal or no preparation to detect.
• Priority 4 (low): (Visibility_score < 3 and Visibility_score >= 1) and Attacker_score < 75. These are all other MITRE ATT&CK techniques that feature in attacks and the SOC has the capability to detect.

As a result, the SOC obtains a list of MITRE ATT&CK techniques ranked into four groups and mapped to its capabilities and global statistics on malicious actors’ actions in attacks. The list is optimized in terms of the cost to write detection logic and can be used as a prioritized development backlog.

Prioritization extension and parallel tasks

In conclusion, we would like to highlight the key assumptions and recommendations for using the suggested prioritization method.

• As mentioned above, it is not fully appropriate to use the MITRE ATT&CK statistics on the frequency of techniques in attacks. For more mature prioritization, the SOC team must rely on relevant threat data. This requires defining a threat landscape based on analysis of threat data, mapping applicable threats to specific devices and systems, and isolating the most relevant techniques that may be used against a specific system in the specific corporate environment. An approach like this calls for in-depth analysis of all SOC activities and links between processes. Thus, when generating a scenario library for a customer as part of our consulting services, we leverage Kaspersky Threat Intelligence data on threats relevant to the organization, Managed Detection and Response statistics on detected incidents, and information about techniques that we obtained while investigating real-life incidents and analyzing digital evidence as part of Incident Response service.
• The suggested method relies on SOC capabilities and essential MITRE ATT&CK analytics. That said, the method is optimized for effort reduction and helps to start developing relevant detection logic immediately. This makes it suitable for small-scale SOCs that consist of a SIEM administrator or analyst. In addition to this, the SOC builds what is essentially a detection functionality roadmap, which can be used for demonstrating the process, defining KPIs and justifying a need for expanding the team.

Lastly, we introduce several points regarding the possibilities for improving the approach described herein and parallel tasks that can be done with tools described in this article.

You can use the following to further improve the prioritization process.

• Grouping by detection. On a basic level, there are two groups: network detection or detection on a device. Considering the characteristics of the infrastructure and data sources in creating detection logic for different groups helps to avoid a bias and ensure a more complete coverage of the infrastructure.
• Grouping by attack stage. Detection at the stage of Initial Access requires more effort, but it leaves more time to respond than detection at the Exfiltration stage.
• Criticality coefficient. Certain techniques, such as all those associated with vulnerability exploitation or suspicious PowerShell commands, cannot be fully covered. If this is the case, the criticality level can be used as an additional criterion.
• Granular approach when describing source quality. As mentioned earlier, DETT&CT helps with creating quality descriptions of available data sources, but it lacks exception functionality. Sometimes, a source is not required for the entire infrastructure, or there is more than one data source providing information for similar systems. In that case, a more granular approach that relies on specific systems, subnets or devices can help to make the assessment more relevant. However, an approach like that calls for liaison with internal teams responsible for configuration changes and device inventory, who will have to at least provide information about the business criticality of assets.

Besides improving the prioritization method, the tools suggested can be used for completing a number of parallel tasks that help the SOC to evolve.

• Expanding the list of sources. As shown above, the coverage of the MITRE ATT&CK matrix requires diverse data sources. By mapping existing sources to techniques, you can identify missing logs and create a roadmap for connecting or introducing these sources.
• Improving the quality of sources. Scoring the quality of data sources can help create a roadmap for improving existing sources, for example in terms of infrastructure coverage, normalization or data retention.
• Detection tracking. DETT&CT offers, among other things, a detection logic scoring feature, which you can use to build a detection scenario revision process.

In May 2024, we discovered a new advanced persistent threat (APT) targeting Russian government entities that we dubbed CloudSorcerer. It’s a sophisticated cyberespionage tool used for stealth monitoring, data collection, and exfiltration via Microsoft Graph, Yandex Cloud, and Dropbox cloud infrastructure. The malware leverages cloud resources as its command and control (C2) servers, accessing them through APIs using authentication tokens. Additionally, CloudSorcerer uses GitHub as its initial C2 server.

CloudSorcerer’s modus operandi is reminiscent of the CloudWizard APT that we reported on in 2023. However, the malware code is completely different. We presume that CloudSorcerer is a new actor that has adopted a similar method of interacting with public cloud services.

Our findings in a nutshell:

• CloudSorcerer APT uses public cloud services as its main C2s
• The malware interacts with the C2 using special commands and decodes them using a hardcoded charcode table.
• The actor uses Microsoft COM object interfaces to perform malicious operations.
• CloudSorcerer acts as separate modules (communication module, data collection module) depending on which process it’s running, but executes from a single executable.

Technical details Initial start up MD5 f701fc79578a12513c369d4e36c57224 SHA1 f1a93d185d7cd060e63d16c50e51f4921dd43723 SHA256 e4b2d8890f0e7259ee29c7ac98a3e9a5ae71327aaac658f84072770cf8ef02de Link time N/A Compiler N/A File type Windows x64 executable File size 172kb File name N/A

The malware is executed manually by the attacker on an already infected machine. It is initially a single Portable Executable (PE) binary written in C. Its functionality varies depending on the process in which it is executed. Upon execution, the malware calls the GetModuleFileNameA function to determine the name of the process it is running in. It then compares this process name with a set of hardcoded strings: browser, mspaint.exe, and msiexec.exe. Depending on the detected process name, the malware activates different functions:

• If the process name is mspaint.exe, CloudSorcerer functions as a backdoor module, and performs activities such as data collection and code execution.
• If the process name is msiexec.exe, the CloudSorcerer malware initiates its C2 communication module.
• Lastly, if the process name contains the string “browser” or does not match any of the specified names, the malware attempts to inject shellcode into either the msiexec.exe, mspaint.exe, or explorer.exe processes before terminating the initial process.

The shellcode used by CloudSorcerer for initial process migration shows fairly standard functionality:

• Parse Process Environment Block (PEB) to identify offsets to required Windows core DLLs;
• Identify required Windows APIs by hashes using ROR14 algorithm;
• Map CloudSorcerer code into the memory of one of the targeted processes and run it in a separate thread.

All data exchange between modules is organized through Windows pipes, a mechanism for inter-process communication (IPC) that allows data to be transferred between processes.

CloudSorcerer backdoor module

The backdoor module begins by collecting various system information about the victim machine, running in a separate thread. The malware collects:

• Computer name;
• User name;
• Windows subversion information;
• System uptime.

All the collected data is stored in a specially created structure. Once the information gathering is complete, the data is written to the named pipe \\.\PIPE\[1428] connected to the C2 module process. It is important to note that all data exchange is organized using well-defined structures with different purposes, such as backdoor command structures and information gathering structures.

Next, the malware attempts to read data from the pipe \\.\PIPE\[1428]. If successful, it parses the incoming data into the COMMAND structure and reads a single byte from it, which represents a COMMAND_ID.

Main backdoor functionality

Depending on the COMMAND_ID, the malware executes one of the following actions:

• 0x1 – Collect information about hard drives in the system, including logical drive names, capacity, and free space.
• 0x2 – Collect information about files and folders, such as name, size, and type.
• 0x3 – Execute shell commands using the ShellExecuteExW API.
• 0x4 – Copy, move, rename, or delete files.
• 0x5 – Read data from any file.
• 0x6 – Create and write data to any file.
• 0x8 – Receive a shellcode from the pipe and inject it into any process by allocating memory and creating a new thread in a remote process.
• 0x9 – Receive a PE file, create a section and map it into the remote process.
• 0x7 – Run additional advanced functionality.

When the malware receives a 0x7 COMMAND_ID, it runs one of the additional tasks described below:

Command ID Operation Description 0x2307 Create process Creates any process using COM interfaces, used for running downloaded binaries. 0x2407 Create process as dedicated user Creates any process under dedicated username. 0x2507 Create process with pipe Creates any process with support of inter-process communication to exchange data with the created process. 0x3007 Clear DNS cache Clears the DNS cache. 0x2207 Delete task Deletes any Windows task using COM object interfaces. 0x1E07 Open service Opens a Windows service and reads its status. 0x1F07 Create new task Creates a new Windows task and sets up a trigger for execution using COM objects. 0x2007 Get tasks Gets the list of all the Windows tasks using COM object interface. 0x2107 Stop task Stops any task using COM object interface. 0x1D07 Get services Gets the list of all Windows services. 0x1907 Delete value from reg Deletes any value from any Windows registry key selected by the actor. 0x1A07 Create service Creates a new Windows service. 0x1B07 Change service Modifies any Windows service configuration. 0x1807 Delete reg key Deletes any Windows registry key. 0x1407 Get TCP/UDP update table Gets information from Windows TCP/UDP update table. 0x1507 Collect processes Collects all running processes. 0x1607 Set reg key value Modifies any Windows registry key. 0x1707 Enumerate reg key Enumerates Windows registry keys. 0x1307 Enumerate shares Enumerates Windows net shares. 0x1007 Set net user info Sets information about a user account on a Windows network using NetUserSetInfo. It allows administrators to modify user account properties on a local or remote machine. 0x1107 Get net members Gets a member of the local network group. 0x1207 Add member Adds a user to the local network group. 0xE07 Get net user info Collects information about a network user. 0xB07 Enumerate net users Enumerates network users. 0xC07 Add net user Adds a new network user. 0xD07 Delete user Deletes a network user. 0x907 Cancel connection Cancels an existing network connection. This function allows for the disconnection of network resources, such as shared directories. 0x507 File operations Copies, moves, or deletes any file. 0x607 Get net info Collects information about the network and interfaces. 0x707 Enumerate connections Enumerates all network connections. 0x807 Map network Maps remote network drive. 0x407 Read file Reads any file as text strings. 0x107 Enumerate RDP Enumerates all RDP sessions. 0x207 Run WMI Runs any WMI query using COM object interfaces. 0x307 Get files Creates list of files and folders.

All the collected information or results of performed tasks are added to a specially created structure and sent to the C2 module process via a named pipe.

C2 module

The C2 module starts by creating a new Windows pipe named \\.\PIPE\[1428]. Next, it configures the connection to the initial C2 server by providing the necessary arguments to a sequence of Windows API functions responsible for internet connections:

• InternetCrackUrlA;
• InternetSetOptionA;
• InternetOpenA;
• InternetConnectA;
• HttpOpenRequestA;
• HttpSendRequestA

The malware sets the request type (“GET”), configures proxy information, sets up hardcoded headers, and provides the C2 URL.

Setting up internet connection

The malware then connects to the initial C2 server, which is a GitHub page located at https://github[.]com/alinaegorovaMygit. The malware reads the entire web page into a memory buffer using the InternetReadFile call.

The GitHub repository contains forks of three public projects that have not been modified or updated. Their purpose is merely to make the GitHub page appear legitimate and active. However, the author section of the GitHub page displays an interesting string:

Hex string in the author section

We found data that looks like a hex string that starts and ends with the same byte pattern – “CDOY”. After the malware downloads the entire GitHub HTML page, it begins parsing it, searching specifically for the character sequence “CDOY”. When it finds it, it copies all the characters up to the second delimiter “CDOY” and then stores them in a memory buffer. Next, the malware parses these characters, converting them from string values to hex values. It then decodes the string using a hardcoded charcode substitution table – each byte from the parsed string acts as an index in the charcode table, pointing to a substitutable byte, thus forming a new hex byte array.

Decoding algorithm

Charcode table

Alternatively, instead of connecting to GitHub, CloudSorcerer also tries to get the same data from hxxps://my.mail[.]ru/, which is a Russian cloud-based photo hosting server. The name of the photo album contains the same hex string.

The first decoded byte of the hex string is a magic number that tells the malware which cloud service to use. For example, if the byte is “1”, the malware uses Microsoft Graph cloud; if it is “0”, the malware uses Yandex cloud. The subsequent bytes form a string of a bearer token that is used for authentication with the cloud’s API.

Depending on the magic number, the malware creates a structure and sets an offset to a virtual function table that contains a subset of functions to interact with the selected cloud service.

Different virtual tables for Yandex and Microsoft

Next, the malware connects to the cloud API by:

• Setting up the initial connection using InternetOpenA and InternetConnectA;
• Setting up all the required headers and the authorization token received from the GitHub page;
• Configuring the API paths in the request;
• Sending the request using HttpSendRequestExA and checking for response errors;
• Reading data from the cloud using InternetReadFile.

The malware then creates two separate threads – one responsible for receiving data from the Windows pipe and another responsible for sending data to it. These threads facilitate asynchronous data exchange between the C2 and backdoor modules.

Finally, the C2 module interacts with the cloud services by reading data, receiving encoded commands, decoding them using the character code table, and sending them via the named pipe to the backdoor module. Conversely, it receives the command execution results or exfiltrated data from the backdoor module and writes them to the cloud.

Infrastructure GitHub page

The GitHub page was created on May 7, 2024, and two repositories were forked into it on the same day. On May 13, 2024, another repository was forked, and no further interactions with GitHub occurred. The forked repositories were left untouched. The name of the C2 repository, “Alina Egorova,” is a common Russian female name; however, the photo on the GitHub page is of a male and was copied from a public photo bank.

Mail.ru photo hosting

This page contains the same encoded string as the GitHub page. There is no information about when the album was created and published. The photo of the owner is the same as the picture from the photo bank.

Cloud infrastructure Service Main URL Initial path Yandex Cloud cloud-api.yandex.net /v1/disk/resources?path=
/v1/disk/resources/download?path=
/v1/disk/resources/upload?path= Microsoft Graph graph.microsoft.com /v1.0/me/drive/root:/Mg/%s/%s:/content Dropbox content.dropboxapi.com /2/files/download
/2/files/upload Attribution

The use of cloud services is not new, and we reported an example of this in our overview of the CloudWizard APT (a campaign in the Ukrainian conflict with ties to Operation Groundbait and CommonMagic). However, the likelihood of attributing CloudSorcerer to the same actor is low, as the code and overall functionality of the malware are different. We therefore assume at this point that CloudSorcerer is a new actor that has adopted the technique of interacting with public cloud services.

Victims

Government organizations in the Russian Federation.

Conclusions

The CloudSorcerer malware represents a sophisticated toolset targeting Russian government entities. Its use of cloud services such as Microsoft Graph, Yandex Cloud, and Dropbox for C2 infrastructure, along with GitHub for initial C2 communications, demonstrates a well-planned approach to cyberespionage. The malware’s ability to dynamically adapt its behavior based on the process it is running in, coupled with its use of complex inter-process communication through Windows pipes, further highlights its sophistication.

While there are similarities in modus operandi to the previously reported CloudWizard APT, the significant differences in code and functionality suggest that CloudSorcerer is likely a new actor, possibly inspired by previous techniques but developing its own unique tools.

Indicators of Compromise

File Hashes (malicious documents, Trojans, emails, decoys)

F701fc79578a12513c369d4e36c57224 CloudSorcerer

Domains and IPs

hxxps://github[.]com/alinaegorovaMygit CloudSorcerer C2 hxxps://my.mail[.]ru/yandex.ru/alinaegorova2154/photo/1 CloudSorcerer C2

Yara Rules
rule apt_cloudsorcerer { meta: description = "Detects CloudSorcerer" author = "Kaspersky" copyright = "Kaspersky" distribution = "DISTRIBUTION IS FORBIDDEN. DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THREAT INTEL PLATFORM" version = "1.0" last_modified = "2024-06-06" hash = "F701fc79578a12513c369d4e36c57224" strings: $str1 = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" $str2 = "c:\\windows\\system32\\mspaint.exe" $str3 = "C:\\Windows\\system32\\msiexec.exe" $str4 = "\\\\.\\PIPE\\" condition: uint16(0) == 0x5A4D and all of ($str*) } MITRE ATT&CK Mapping Tactic Technique Technique Name Execution T1059.009 Command and Scripting Interpreter: Cloud API T1559 Inter-Process Communication T1053 Scheduled Task/Job T1047 Windows Management Instrumentation Persistence T1543 Create or Modify System Process T1053 Scheduled Task/Job Defense Evasion T1140 Deobfuscate/Decode Files or Information T1112 Modify Registry Discovery T1083 File and Directory Discovery T1046 Network Service Discovery T1057 Process Discovery T1012 Query Registry T1082 System Information Discovery Collection T1005 Data from Local System Command and Control T1102 Web Service T1568 Dynamic Resolution Exfiltration T1567 Exfiltration Over Web Service T1537 Transfer Data to Cloud Account

1. Mở đầu Bài viết này là phần mô tả sơ lược và bình luận bài báo "Spoiled Onions: Exposing Malicious Tor Exit Relays"[1]. Tor exit relay là nút cuối dùng trong hành trình vận chuyển của các gói tin trọng mạng Tor, gói tin từ đây sẽ đi đến địa chỉ ...

Nhaccuatui vừa nâng cấp trình chơi nhạc trên web của mình có thể hiển thị lời nhạc theo thời gian khá tốt. Bài viết này sẽ trình bày các bước để lấy lời nhạc đó và cung cấp một công cụ để thực hiện trong 1 cú enter ;) (*). Lấy ...

Challenge was getting 0x1000 bytes from socket, and executing it following these rules (all shellcodes and codes are at the end of this writeup): [code] - all general purpose registers are 0 - stack is at 0x42000000 - pc    is at 0x41000000 [/code] All binaries: x86 : polyglot_9d64fa98df6ee55e1a5baf0a170d3367 armel : polyglot_6a3875ce36a55889427542903cd43893 armeb : polyglot_c0e7a26d7ce539efbecc970c154de844 PowerPC: polyglot_5b78585342a3c116aebb5a9b45e88836 Our shellcode ...