The CyberWire Daily Podcast 6.15.20
Ep 1109 | 6.15.20

ActionSpy Android spyware deployed against Uyghurs in Tibet. Anonymous claims an action against Atlanta PD. Security vendor or malware purveyor? Spelling counts.

Dave Bittner: A new Android spyware tool is deployed against China's Uighur minority. Anonymous claims it disrupted the Atlanta Police Department's website yesterday to protest a police shooting. An apparently legitimate security firm has apparently been selling malware to criminals. Breachstortion joins sextortion as a criminal tactic. Craig Williams from Cisco Talos on Astaroth, an information stealer that's been targeting Brazil. Our own Rick Howard on risk assessments. And why spelling always counts.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, June 15, 2020. 

Dave Bittner: Trend Micro is tracking a new campaign by Earth Empusa, also known as Poison Carp, a group believed to be linked to the Chinese government, against Uighurs in Tibet. The campaign uses a new strain of Android spyware, ActionSpy, modularized and typically distributed in watering hole attacks. ActionSpy has also been used against a travel agency in Taiwan and political and media organizations in Turkey. The Muslim Uighur minority in China has long been a target of domestic surveillance. 

Dave Bittner: The Atlanta Journal-Constitution reports that Atlanta police websites were briefly down yesterday. Tweets purporting to be from Anonymous claimed responsibility for the outage, which they called a response to Friday's fatal shooting of a man during an altercation - quote, "Anonymous has taken action against Atlanta PD for the execution of #RayshardBrooks. We call for the arrest of the two murderers. No more impunity," end quote. Rayshard Brooks was shot and killed by police during an attempted arrest. It's the latest hacking incident to accompany recent unrest in the U.S. As with other recent episodes connected with Anonymous, it's, first, difficult to attribute and, second, basically nuisance-level vandalism. 

Dave Bittner: ZDNet reports that the Italian security firm CloudEyE has been selling criminals malware. The report is sourced to security firm Check Point, whose investigations of the malware dropper GuLoader eventually led it to CloudEyE's anti-reverse-engineering binary protection service. They connected CloudEyE to a malware crypting service, DarkEyE, and the associated GuLoader, which, as ZDNet says, had been heavily advertised on hacking exchanges since 2014. The same website,, is involved with both DarkEyE and CloudEyE. In fact, it makes the connection explicit with this splash page. DarkEyE evolved into CloudEyE, says the page, explaining that it's the next generation of Windows executables' protection. Check Point's analysis found that CloudEyE and GuLoader code were the same, barring some irrelevant applied code randomization. So the researchers' conclusion - quote, "CloudEyE operations may look legal, but the service provided by CloudEyE has been a common denominator in thousands of attacks over the past year," end quote. 

Dave Bittner: ZDNet says that CloudEyE has denounced Check Point's report and denied any involvement in crime. But there have been more calls for Italian authorities to investigate CloudEyE and its founders in connection with aiding and abetting a criminal operation and money laundering. CloudEyE has apparently, ZDNet says, shut down in the wake of the report. 

Dave Bittner: Who were the customers? According to Check Point, they were threat actors with no deep technical knowledge, interested in using commodity malware they picked up in the criminal-to-criminal market. 

Dave Bittner: Organizations are receiving extortion notes that claim falsely to have installed info-stealing ransomware and that if they're not paid, they'll destroy the victims' sites and release sensitive data online. There's no ransomware. The threats are similar to the sextortion notes that claim falsely to have access to discreditable browser histories and webcam videos. Naked Security calls it "breachstortion," equally indiscriminate and equally full of empty threats. It might be marginally harder to recognize than sextortion. But an organization would know, one would generally think, if it had suffered a ransomware infestation because they'd notice that they could no longer access their data. But actually, the hoods aren't claiming to have encrypted the victims' data. They just say they've stolen it. How? According to their message, like this - quote, "we have hacked your website and extracted your databases. How did this happen? Our team has found a vulnerability within your site that we were able to exploit. After finding the vulnerability, we were able to get your database credentials and extract your entire database and move the information to an offshore server," end quote. 

Dave Bittner: So maybe they have the data, and maybe they don't. But absent the kind of evidence serious crooks normally provide - usually a small sample of the stolen material posted to establish that they've really got something - it's probably smarter to dismiss the threat as empty. BleepingComputer says the notes themselves are unusually well-written, without the eccentric usage one normally sees. So they're missing one of the customary tells that so often betray the bogus impostures used in social engineering. We've looked at some of the samples published. And while the spelling, grammar and usage are standard, the style is atrocious, hackneyed, breathless and too much like something you'd read in cheap crime fiction. Phooey to them all. 

Dave Bittner: And finally, there is another case in which bad spelling doesn't betray criminal intent. According to KrebsOnSecurity, privnotes[.]com has been impersonating the legitimate free messaging service. The bogus site is phishing for bitcoin by substituting the criminals' bitcoin address for any such address it detects in communications. BleepingComputer notes that the campaign combines cybersquatting and phishing. Specifically, it's typosquatting. The criminals' URL is just one character off from the legitimate site, and it's just taken a singular to an innocent-looking plural. So remember, kids, spelling always counts. 

Dave Bittner: And I'm pleased to be joined once again by our own CyberWire chief analyst Rick Howard. Rick, always great to have you back. We're going to have another preview of your "CSO Perspectives" podcast. And this week, you're talking about risk. 

Rick Howard: Yeah, and how do we calculate risk? And this has been a stumbling block for most of my peers since I've been doing this, some 25 years. And I got to tell you, Dave, it is really about our fear of probability and statistics. Do you remember taking that class back in college? 

Dave Bittner: Oh, boy. Yeah. 

Rick Howard: (Laughter). 

Dave Bittner: You know what I remember most about it? - is how counterintuitive so much of it is. 

Rick Howard: Yeah. That's the way it was for me, too. I barely got through that class by the skin of my teeth. And I definitely didn't understand it. And as I've been in the industry, you know, we have tried to calculate risk based on, well, what we tried to learn - OK? - in that probability in stats course. And let me tell you there is a reason that most of us are IT guys and not math guys - right? - 'cause math is hard. And we try to do risk assessments by calculating probabilities based on what we learned in that class. And it's essentially - you have to be able to count things, right? Count the things that have happened and then divide it by the number of times it could've happened. And that sounds really simple, but in cybersecurity, the variables are vast. And we don't even know where to start in - what really is true is our perception of what probability is is completely wrong, and we need to expand what we think it could be. 

Rick Howard: There is a great scientist out in California. His name is Dr. Ron Howard. And he invented decision analysis theory back in the '60s. And he has a whole different perception of what probability is. It's really a measurement - or it could be a measurement - of what we know about a certain situation. And when you think of probability in that way - OK? - it kind of expands how we think about it. So I'll give you an example... 

Dave Bittner: Yeah. 

Rick Howard: ...Right? What we really want to do is figure out what the probability is of a material impact by a cyber event in our organization in, say, the next three years, right? And what I usually do when I make those calculations is I whip out my qualitative risk heat map chart and give it three categories - high, medium or low - which is not very precise. But with a probability assigned it, you might say there is a 4% chance that our organization will be materially impacted in the next three years. And that might be a SWAG, but it is definitely more precise about what you know about your security infrastructure. 

Dave Bittner: How much of this is kind of that old thing from the "Jurassic Park" movie? You know, the butterfly flapping its wings, and we get rain instead of snow. Like, can things spin out of control really quickly when you're doing these sorts of calculations? 

Rick Howard: Well, I think the thing to remember here is that everything we do in a risk calculation is a model. And all models are wrong, but some are useful, OK? So... 

Dave Bittner: Some are less wrong than others. 

Rick Howard: Exactly right. 

Dave Bittner: OK. 

Rick Howard: So we're going to talk about how to do really simple models to get a - kind of a baseline of what your risk is. And then later on in the series, you know, we'll talk about it and get more complex. But we'll try to ease your way into it and get over your fear of what probability in stats are. 

Dave Bittner: All right. Well, do check it out. It's Rick Howard's "CSO Perspectives" podcast. It is over on CyberWire Pro. Check it out at Rick, always great to talk to you. 

Rick Howard: Thank you, sir. 

Dave Bittner: And joining me once again is Craig Williams. He's the head of Talos Outreach at Cisco. Craig, always great to have you back. You and your team have some interesting research you wanted to share here. This is about an information stealer you all have been tracking? 

Craig Williams: Yeah, so this one's called Astaroth. And basically, it's, you know, an information-stealing Trojan that has a somewhat unique profile because it's targeting people in Brazil. And the reason this one really popped up on our radar is because it's one of the vast array of malware using COVID-19 lures right now. 

Dave Bittner: Well, take us through some of the details here. What brought it to your attention? 

Craig Williams: Well, there's a lot of obfuscation and anti-analysis involved. It was actually pretty challenging to reverse. You know, we had to rely on Talos' reverse engineering team. You know, those folks are top-notch. And, you know, when we have samples that evasive, we typically expect that they're doing something bad, which let's take for a moment and just think about this 'cause I think this is worth noting as well. You know, a lot of bad guys will make their malware super evasive, thinking that makes it, like, undetectable in their mind. But let's look at the reality of the situation. There really isn't much benign software, if any, that is hacked and obfuscated to that extent, right? So the sheer fact that they've tried to obfuscate the program flow, which is super obvious, is enough for us to say, yeah, it's up to something bad. You know, you generally don't want that running on your system. We don't really even have to know what it does. So I always think that's funny, right? People go to these great lengths to obfuscate the program flow when, you know, you can simply check to see if that's happened, and if it has, is it one of, like, you know, a handful of known good things that do that and attempt to, like, protect their IP or something silly? And chances are it's not and it's a bad guy and they've done something super obvious in attempts to be sneaky. It's like trying to rob a bank with a strobe light on. 

Dave Bittner: (Laughter) Well, I mean, is there a flip side to that? Have you guys run into situations where people try to hide in plain sight? 

Craig Williams: Absolutely, right? I mean, that's incredibly common as well, right? That goes back to, you know, these fake invoice scams or, you know, lots of email-based scams where they pretend to be a friend. You know, and even in this one, you know, there were lots of fake COVID-19 lures attempting to be real information. There was lots of invoice scam type of stuff going on. And if you flip through the blog post, you'll see examples of some of those. But, you know, at the end of the day, what the attacker is trying to do is use an initial vector that should look legitimate - right? - and the user's tricked to clicking on that through curiosity or whatever. 

Craig Williams: And that's really the COVID-19 angle here, right? It's important people realize, from a cybersecurity perspective, the COVID-19 pandemic has really put one single target on the entire human race, right? Every single person on Earth is susceptible to COVID-19 information. They want to know more. They're scared. They don't understand what's happening. And so if you make an empty promise like that, people will click on it. And the bad guys are aware of this. They've realized it. And so we've seen a massive shift across basically all malware families and even APT actors towards COVID lures because the effectiveness rate is just through the roof. 

Dave Bittner: In the time we have, is there anything technically that stands out to you? Anything they've been doing under the hood here that's noteworthy? 

Craig Williams: Well, you know, the C2 mechanism is pretty unique. They basically are using YouTube as a way to have a covert channel for C2 that's probably going to be one that isn't inspected. You know, if you look at the way that most businesses try to reduce inspection through their security devices or through their firewall or whatever, they try to identify sites that they can effectively whitelist. And so if you can use something like Pastebin or YouTube or any website that allows the user to use data - I think - what? - last year one was even using Reddit - that's a way to potentially bypass that inspection for nefarious purposes. So, yeah, at the end of the day, this is not that rare of a piece of malware. But the fact that it's using COVID-19 lures, you know, incredibly evasive techniques are all quite suspicious. And so it's definitely one we took note of. 

Dave Bittner: All right. Well, the blog post is titled "Astaroth - Maze of Obfuscation and Evasion Reveals Dark Stealer." That is on the Talos blog from Cisco. Craig Williams, thanks for joining us. 

Craig Williams: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.