The CyberWire Daily Podcast 8.20.18
Ep 666 | 8.20.18

DarkHotel is back. So is Necurs, and it's distributing a modular malware dropper. Industrial espionage follows international trade. Election meddling. The use and abuse of data.


Dave Bittner: [00:00:03] An evolved DarkHotel campaign is underway. A new malware dropper is out and about thanks to the Necurs botnet. Researchers demonstrate proof-of-concept exploits. Cyberespionage follows trade - notes on election meddling. Google and Facebook encounter some regulatory and legal headwinds over data collection. And connected cars know a lot about their drivers, and there's money in those data.

Dave Bittner: [00:00:33] Now I'd like to share some words about our sponsor Cylance. AI stands for artificial intelligence, of course, but nowadays, it also means all image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms, and like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit and check out the report "Security: Using AI for Evil." That's We're happy to say that their products protect our systems here at the CyberWire. And we thank Cylance for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:34] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 20, 2018. Trend Micro, seconded by Qihoo 360, reports that North Korean operators are exploiting a vulnerability in the VBScript engine to compromise targets in Pyongyang's DarkHotel campaign. DarkHotel is related to Dark Seoul and thence to the 2014 Sony Pictures hack, which the U.S. FBI unambiguously attributed to attackers working for the North Korean government.

Dave Bittner: [00:02:09] Researchers at Proofpoint warn against a new malware strain, Marap, which is being distributed in a large spam campaign run through the Necurs botnet. They noticed the campaign on August 10 and have been tracking it since. The malicious payload is being distributed in email attachments that include Microsoft Excel web query files, .IQY files, password-protected zip archives that also contain .IQY files, PDFs with embedded .IQY files, and finally, Microsoft Word documents with maliciously crafted macros.

Dave Bittner: [00:02:44] Marap is a malware dropper, and it shows some interesting evasive capabilities. It uses API hashing, which isn't uncommon, but which can make it more difficult for analysts and automated tools to determine that the code is in fact malicious. It also runs timing checks at the onset of important functions. These can impede both debugging and sandboxing. If the sleep time Marap detects is too short, the program exits. It will also exit if it determines that it's being run in a virtual machine.

Dave Bittner: [00:03:16] The current campaign seems directed largely against the financial sector. Marap, being a dropper, can be used to deliver a wide range of modular payloads to infected targets. One of the more notable payloads Proofpoint has observed is a system fingerprinting module that collects and returns data to the command and control center. Those data include username, domain name, hostname, IP address, language, country, Windows version, antivirus software detected and a list of Microsoft .ost files.

Dave Bittner: [00:03:49] Two noteworthy proofs of concept have been reported. Researchers at Secarma have described a PHP exploit that could be used against a variety of content management systems, including WordPress. And Georgia Tech researchers have demonstrated a new side channel attack that could extract encryption keys from mobile devices without requiring physical access to the device itself. Again, these are demonstrations, not attacks observed in the wild, but the vulnerabilities they exploit will bear watching.

Dave Bittner: [00:04:20] Turning to cyberespionage, it appears that being a trading partner with China doesn't put you on any do-not-hack list in Beijing - or Shanghai either, for that matter. In fact, just the opposite seems to be the case. Frequency and intensity of Chinese industrial espionage, in fact, seem to correlate fairly directly with trading relationships. This, at any rate, is the lesson observers are drawing from Recorded Future's report last week on Chinese cyber activity. A great deal of such activity is associated with countries involved in the Belt and Road Initiative, a trade strategy to develop a maritime Silk Road that would connect Chinese industry with partners in several belts across Eurasia. Malaysia is among the countries reporting that it's seen an uptick in Chinese cyber activity directed against economically relevant targets.

Dave Bittner: [00:05:11] Industry seems not to be buying the Australian government's contention that the country's new cybersecurity regulations won't amount to the equivalent of mandatory back doors. The Digital Industry Group rejects claims that the draft bill won't require communications companies to build weaknesses into their products. They think that the sort of technical capability notice the law requires would in fact amount to a requirement to create weaknesses on the government's demand.

Dave Bittner: [00:05:40] Dissatisfied with voluntary moderation, the EU is preparing anti-terror measures that will require social networks to yank radical content within an hour of notification. Twitter confessed recently to having no good ideas on how it might do rumor control. And the European legislators are unlikely to exhibit much American squeamishness about restricting freedom of speech.

Dave Bittner: [00:06:05] Russia appears likely to continue to attempt to influence U.S. elections, the Atlantic Council and others warn. U.S. National Security Adviser Bolton says it's not just Russia either. The other three members of the familiar four - China, Iran and North Korea - are interested in elections, too. Techniques vary. Russia favors media amplification of disruptive memes; China seeks influence through think tanks and universities; and Iran and North Korea are probably building on past hacking successes.

Dave Bittner: [00:06:38] So has data become an attractive nuisance for companies? Sure, there's money to be made there, but they certainly come with their share of headaches. Google's turn-offable but easily overlooked location tracking is one example. It seems poised to draw regulatory attention from the U.S. Congress.

Dave Bittner: [00:06:57] And witness Facebook, again in a bit of legal and regulatory hot water over the powerful data collection and aggregation tools it offers marketers. There's a lawsuit pending against Facebook filed by people who claim that the social media giant's collection and analysis of data has enabled housing discrimination. The U.S. Department of Justice is effectively supporting that suit, having joined fair housing groups' attempts to block Facebook's efforts to have the lawsuit dismissed.

Dave Bittner: [00:07:26] In a separate but related action, the U.S. Department of Housing and Urban Development has begun the process of lodging a complaint against Facebook for violating the Fair Housing Act by creating advertising tools that facilitate discrimination on the basis of race, gender, zip code or religion, or whether a potential renter has young children at home or a personal disability. As The Washington Post characterizes the controversy, the moves by HUD and Justice, quote, "mark an escalation of federal scrutiny of how Facebook's tools may create illegal forms of discrimination, allegations that also are central to separate lawsuits regarding the access to credit and employment opportunities, which, like housing, are subject to federal legal protection. The federal actions also suggest limits on the reach of a key federal law, the Communications Decency Act, that long has been interpreted as offering technology companies broad immunity against many legal claims related to online content," end quote. Facebook says it's no place for discrimination, that it's aware of HUD's statement of interest and that it looks forward to working with HUD to address the department's concerns.

Dave Bittner: [00:08:38] Yet other opportunities for data collection and monetization continue to arise. Smart cars, for example, know an awful lot about their drivers. Companies perceive gold in them there data. And it seems that this sort of information is about to succeed free services, like Google and Facebook, as the Klondike succeeded Sutter's creek. Newer models - and these are cars on the streets now, not those newfangled "Jetson"-esque robot cars so much talked about - well, they collect a lot. Here's a partial list from The Wall Street Journal of the systems now developing data - odometer, ignition, engine status, engine temperature, RPM, oil level, gear position, coolant temperature, fuel and battery levels, GPS, speed, LIDAR, camera, brake, wheel position, horn, seatbelt, airbag, doors, tire pressure, blinkers and wipers.

Dave Bittner: [00:09:28] The initial uses are thought to be in improving safety, driver experience and so on, but insurance rate incentives are following closely behind. And of course, there's thought being devoted to delivering in-car advertising. One hopes Detroit and Nagoya, and Stuttgart and Milan, too, for that matter, watch the experience of Google and Facebook closely.

Dave Bittner: [00:09:57] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move onto protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at See what Workspace ONE can do for your enterprise security - And we thank VMware for sponsoring our show.

Dave Bittner: [00:10:57] And I'm pleased to be joined once again by Robert M. Lee. He's the CEO at Dragos. Rob, welcome back. You had an interesting series of tweets recently. You were talking about the debate on coal, the importance of having a diverse energy portfolio. But one of the things you dug into was this notion that cyber is often thrown in as an excuse for decisions, and sometimes that can throw people off the direction where they should be headed. What do we need to know here?

Robert M Lee: [00:11:26] Yeah, absolutely. So in this case, there was a debate about coal and on nuclear energy. And I think that those two also should not be lumped together. They're very much different things, but the discussion came out from the Department of Energy to talk about the need for diverse energy portfolios, which is a completely fair topic. Any time that you're producing a lot of electricity for any purpose, like, you know, the American power grid, you very much want to know that you can draw on energy from lots of different sources. And so there's a debate right now on if keeping coal around is useful to the resiliency of the North American power grid. And I think there are pros and cons and lots of discussions going on. I think that the grid is - tends to be far more resilient than people make it out to be. But that's a debate that people can have.

Robert M Lee: [00:12:12] My only sort of quip into that was when people started throwing in the discussion of cybersecurity. And one of the positions taken by various senior officials was, well, we need to keep coal around because what happens if a cyberattack happens? And we need to have the ability to use coal to pump energy into the grid because of cyber. And my perspective on that is simple, where you have to think of the risk to your infrastructure a little bit more holistically and not just flavor the discussion of cyber. It's not that it's technically inaccurate. It's not that we don't want to think about cybersecurity, but it's that the answer isn't bound to a cybersecurity-related task. Whether or not we keep coal around really has nothing to do with cybersecurity 'cause there - we adapt. We change. We come up with different methods to do protection and defense. And it's kind of just this topic that gets thrown around a lot, especially in D.C. because it perks people's ears up. And nobody wants to vote against or petition against the choice that leaves us less cybersecure. And so it's kind of this distractionary tactic that I think we need to be very careful to call out and move away from.

Dave Bittner: [00:13:26] And who are the people who bring it up? I mean, is it - I could be cynical here and say, is it the folks who have a vested interest in the cyber?

Robert M Lee: [00:13:34] Yeah, I think it happens by a lot of different parties. And I'm not so willing to say that anybody is being malicious. I mean, I would happily call people out when they are.


Robert M Lee: [00:13:45] I feel the...

Dave Bittner: [00:13:45] Yes.

Robert M Lee: [00:13:46] I feel the people who know me would know that I would absolutely like...

Dave Bittner: [00:13:48] Yeah.

Robert M Lee: [00:13:48] ...To burn people to the ground on, like, a public Forbes article or something. But that's not what I'm seeing here. I'm seeing, you know, various folks on both sides of the discussion sort of positioning - and including the ones that have a vested interest - positioning around cybersecurity 'cause they've been reading headlines and talking about cybersecurity. They're concerned about it, especially for the ones that don't necessarily understand it very well or aren't as technical. And they're seeing all this discussion of threats, and it's completely natural to say, hey, well, what about cybersecurity? But that's where we need to get and educate folks and move the community away from the fear, uncertainty and doubt aspect of this discussion and more on where cyber should be considered or not considered in the discussion. We don't have to be at every boardroom. We don't have to - you know, cybersecurity professionals don't need to be involved in every decision. And if we try to be, it very much waters down our position. We need to be adults in the room to say, hey, this does or does not relate to where we can offer value.

Dave Bittner: [00:14:48] Yeah, we can't end up crying wolf. Yeah. All right. That's interesting, as always. Robert M. Lee, thanks for joining us. And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at the

Dave Bittner: [00:15:08] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE Intelligence. Learn more at

Dave Bittner: [00:15:35] If you enjoy the CyberWire and our "Research Saturday" show, we hope you'll check out the CyberWire's "Hacking Humans" podcast where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I co-host that show with Joe Carrigan from the Johns Hopkins University Information Security Institute. Don't forget to check out the "Grumpy Old Geeks" podcast where I contribute to a regular segment called Security Hah. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at

Dave Bittner: [00:16:26] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.