BOLWARE – “ONYX” VARIANT
December 2014
RSA®
Research Group
TABLE OF CONTENTS
Executive Summary
Comparison
Malware Installation, Protective Mechanisms and Persistency Techniques
Communication and Network Behavior
Barcode Replacement
Command and Control Server Infrastructure
Retrieved Data Statistics
Countermeasures
Recommended User Vigilance
Authors
EXECUTIVE SUMMARY
As mentioned in the previous report published by RSA
(https://blogs.rsa.com/rsa-uncovers-boleto-fraud-ring-brazil/), Boleto malware is a fraud operation
and financial threat that has appeared in recent years in Brazil. The malware family known as
"Eupuds" by some AV engines has attacked thousands of victims, causing serious losses to both
the banking system and its customers.
These losses are caused not only by the "Eupuds" family, but by other types of Boleto malware
as well.
This report contains information about a different family of Boleto malware, known as "Onyx". The
basic idea is the same: replace Boleto information in order to redirect the payments from the
victim. However, unlike "Eupuds" which injects malicious code into the different web browsers
(Chrome, Firefox and Internet Explorer (IE)) memory during runtime, this kind of malware uses
other mechanisms to infect the victim's machine, depending on the targeted web browser.
If the target browser is either Chrome or Firefox, the malware will be installed as an extension
and will execute its javascript code.
On the other hand, if the target is Microsoft’s Internet Explorer®, the malware will change the
Boleto information by using the COM (Component Object Model) interface with the browser.
There are other differences. The "Eupuds" malware family modifies the Boleto bank code, while
this family does not. "Eupuds" invalidates the Boleto barcode by adding HTML comments between
the black and white bar images that represent the barcode, whereas "Onyx" either downloads a
full barcode image from a malicious server or tries to compose a new barcode out of black and
white bars.
The altered Boleto will look like this:
Dozens of samples of this family have been found and they are at different levels of development.
Their features vary among the samples and they point to different Command and Control (C&C)
servers. However, all of them have the same communication protocol with the servers, which
indicates that these samples are likely to refer to malware which is still under development.
In this report we will list the most important features of this malware family and will analyze one
of the C&C servers.
Figure 1: Altered Boleto
COMPARISON

Feature                   | Bolware "Ruby" (aka Eupuds)                                          | Bolware "Onyx"
--------------------------+----------------------------------------------------------------------+----------------------------------------------------------------
Bank Code                 | Replace                                                              | Do not replace
Typeable Line             | Replace                                                              | Replace
Barcode                   | Do not replace                                                       | Replace (some versions put an extra one at the bottom)
Protocol                  | XML obfuscated with a XOR key over HTTP                              | Plain text over HTTP
Server                    | Centralized dedicated server (multiple IPs on the same server)       | Multiple servers (hacked websites)
C&C                       | PHP + MySQL                                                          | PHP + plain text storage
Dataflow Affected         | On generation (on GET response) and on submission (on POST requests) | On generation (on GET response)
User Credentials Targeted | Live.com                                                             | Not supported
Infection Mechanism       | CreateRemoteThread() on process                                      | Chrome / Firefox: browser extension; IE: COM interface
Affected Browsers         | Chrome / Firefox / IE                                                | Chrome / Firefox / IE
Affected OS               | Windows                                                              | Windows; however, the extension also works on Mac OS and Linux
MALWARE INSTALLATION, PROTECTIVE MECHANISMS AND
PERSISTENCY TECHNIQUES
The installation process depends on the targeted browser. The malware is installed as an
extension and pretends to be Flash Player in Chrome and Firefox:
The same extension used as a payload by the malware can infect Linux and Mac OS, since it’s
written in JavaScript using the browser's API, but no malware was identified that was able to
deploy this payload in different platforms.
Once properly installed in the victim's browser, the malicious extension will search and replace
Boleto related information (typeable line and barcode) in order to redirect payments.
In Chrome, the manifest.json extension configuration file points to a background page called
"popup.html" (with permissions to monitor tabs, all URLs, navigation and requests), which
executes a JavaScript file called "popup.js". This script uses Chrome APIs to carry out the fraud:
chrome.webRequest.onCompleted.addListener(...)
Where:
• chrome.webRequest is the API to observe and analyze traffic and to intercept
and modify requests in-flight
• onCompleted fires when a request has been processed successfully
• addListener is used to register an event listener for a web request
The API takes a callback and some filters as arguments. The callback invokes a JavaScript file
called "getPagesSource.js", which will:
• retrieve the DOM object from the page and convert it to a string
• use regular expressions to search for Boleto information in the page opened by
the browser
• retrieve the fake typeable line from the C&C server
• replace the typeable line
• calculate and replace the barcode
• send information back to the C&C server (browser, original typeable line,
modified typeable line, value, due date and URL)
Figure 2: Fake Chrome extension
Figure 3: Fake Firefox extension
In Firefox, the process is almost the same. The "install.rdf" extension configuration file contains
the information needed to install the malware as a plugin, and the file "stylebar.xul" points to a
JavaScript file called "stylebar.js" that performs the same logic as "getPagesSource.js".
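The report describes the fake extension by its permission set (tabs, all URLs, navigation and requests), its "Flash Player" lure and its "popup.html"/"popup.js" background page. The following is an added example, not code from the report, the malware or any RSA product: a small audit over parsed manifest.json objects that scores those three traits so a defender can triage extensions pulled from user profiles. The Chrome permission names used ("tabs", "<all_urls>", "webNavigation", "webRequest") are real Chrome extension permissions; the two manifests are constructed for the example.

```javascript
// Added example (not from the RSA report or the malware): audit Chrome extension
// manifests for the traits the report attributes to the fake "Flash Player"
// extension. The two manifests at the bottom are constructed for this example.

// Chrome permission names matching what the report describes: permission to
// monitor tabs, all URLs, navigation and requests.
const INTERCEPTION_PERMISSIONS = ["tabs", "<all_urls>", "webNavigation", "webRequest"];

// Audit one parsed manifest.json object. Returns { name, verdict, findings }.
function auditManifest(manifest) {
  const findings = [];
  const name = String(manifest.name || "");
  const permissions = new Set(manifest.permissions || []);

  // Trait 1: the full traffic-interception permission set is requested together.
  if (INTERCEPTION_PERMISSIONS.every((p) => permissions.has(p))) {
    findings.push("requests tabs, <all_urls>, webNavigation and webRequest together");
  }

  // Trait 2: the lure. The report's samples pretend to be Flash Player.
  if (/flash\s*player/i.test(name)) {
    findings.push(`name "${name}" claims to be Flash Player`);
  }

  // Trait 3: a background page or script named popup.* (popup.html / popup.js
  // in the report's sample). background.page is a string, background.scripts a list.
  const background = manifest.background || {};
  const backgroundFiles = [].concat(background.page || [], background.scripts || []);
  if (backgroundFiles.some((f) => /(^|\/)popup\.(html|js)$/i.test(f))) {
    findings.push("background page or script named popup.*");
  }

  const verdict = findings.length >= 2 ? "suspicious" : findings.length === 1 ? "review" : "ok";
  return { name, verdict, findings };
}

// Audit a list of manifests and keep only the ones worth a closer look.
function auditInstalledExtensions(manifests) {
  return manifests.map(auditManifest).filter((result) => result.verdict !== "ok");
}

// Constructed manifest resembling the report's description of the fake extension.
const FAKE_FLASH_MANIFEST = {
  name: "Adobe Flash Player",
  version: "1.0",
  manifest_version: 2,
  background: { page: "popup.html" },
  permissions: ["tabs", "<all_urls>", "webNavigation", "webRequest"],
};

// Constructed benign manifest for comparison.
const BENIGN_MANIFEST = {
  name: "Note Taker",
  version: "2.3",
  manifest_version: 2,
  background: { scripts: ["bg.js"] },
  permissions: ["storage"],
};

console.log(JSON.stringify(auditInstalledExtensions([FAKE_FLASH_MANIFEST, BENIGN_MANIFEST]), null, 2));
```

The permission combination alone is not proof of malice (legitimate ad blockers and privacy tools request it too), which is why the verdict requires a second trait before an extension is reported as suspicious rather than merely flagged for review.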
On the other hand if the IE browser is running:
• Initialize the COM interface
• Search for iexplore.exe process
• Retrieve a Boleto number from the server
• Connect to IE and retrieve the existing page
• Replace the Boleto number and barcode
• Notify the C&C server what was the original Boleto and the new one
Example of code in Delphi that uses the COM interface to retrieve an HTML page from the
browser:
"""
uses
  SysUtils, ShDocVw_Tlb, MSHTML; // or ShDocVw; MSHTML declares IHtmlDocument2

procedure ReadOpenIEPages;
var
  i: Integer;
  Browser: IWebBrowser2;
  ShellWindows: IShellWindows;
  Doc: IHtmlDocument2;
begin
  // Enumerate every open shell window and keep the ones that are browsers
  ShellWindows := CoShellWindows.Create;
  for i := 0 to ShellWindows.Count - 1 do
    if Supports(ShellWindows.Item(i), IWebBrowser2, Browser) then
    begin
      // do something with the Browser instance, e.g. compare the URL you're
      // expecting with Browser.LocationUrl;
      // if it matches, you can get at the HTML by something like
      Browser.Document.QueryInterface(IHtmlDocument2, Doc);
      if (Doc <> Nil) and (Doc.Body <> Nil) then
      begin
        // access any of the Doc's properties, e.g. InnerHtml
      end;
    end;
end;
"""
COMMUNICATION AND NETWORK BEHAVIOR
After the malware infects the browser, it starts the communication with the C&C server through
HTTP messages. The first message is a notification that is sent by the malware to the server as
soon as the malware gets active. This is done by sending a GET to "notify.php":
After the notification is sent, a text file is created on the victim's machine in order to prevent
multiple notifications for the same victim.
The subsequent messages will occur when the malware detects a Boleto operation in the browser
and their purpose is to replace the Boleto information (typeable line and barcode) to redirect
payments.
First, the malware will request the typeable line to replace, by sending a GET to
"boleto.php?LETO":
After that, the malware sends some information about the Boleto to the server, by sending a
POST to "boleto.php":
Figure 4: Notification message
Figure 5: Typeable line request
Figure 6: Transaction information
Where:
O=<original typeable line>
N=<new typeable line>
V=<value>
P=<due date>
U=<url>
Z=<browser>
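Because the "Onyx" protocol is plain text over HTTP, the three messages described above (the GET to "notify.php", the GET to "boleto.php?LETO" and the POST to "boleto.php" carrying O/N/V/P/U/Z) can be matched directly in proxy logs. The following is an added example, not code from the report or any RSA product: a scanner over a constructed proxy log in a simple "timestamp client method url body" format (the format, host name and all values are assumptions for this example) that classifies each request and pulls the original and replacement typeable lines out of the POST body.

```javascript
// Added example (not from the RSA report): detect the "Onyx" C&C exchange in a
// proxy log. Log format, host name and all values below are constructed.

// One log line per request: "<timestamp> <client-ip> <METHOD> <url> [<body>|-]"
const LINE_RE = /^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)(?:\s+(.*))?$/;

function parseLogLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  const [, ts, client, method, rawUrl, body] = m;
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return null; // not an absolute URL; skip the line
  }
  return { ts, client, method, url, body: body && body !== "-" ? body : "" };
}

// Map one parsed request to the C&C message it matches, or null.
function classifyRequest(req) {
  const path = req.url.pathname.toLowerCase();

  // First message: victim check-in, GET to notify.php.
  if (req.method === "GET" && path.endsWith("/notify.php")) {
    return { kind: "victim-notification", detail: {} };
  }

  if (path.endsWith("/boleto.php")) {
    // Second message: request for the typeable line to inject, GET boleto.php?LETO.
    if (req.method === "GET" && req.url.searchParams.has("LETO")) {
      return { kind: "typeable-line-request", detail: {} };
    }
    // Third message: POST with O (original), N (new), V (value), P (due date),
    // U (page URL) and Z (browser).
    if (req.method === "POST") {
      const params = new URLSearchParams(req.body);
      if (params.has("O") && params.has("N")) {
        return {
          kind: "transaction-exfiltration",
          detail: {
            original: params.get("O"),
            replacement: params.get("N"),
            value: params.get("V"),
            dueDate: params.get("P"),
            pageUrl: params.get("U"),
            browser: params.get("Z"),
          },
        };
      }
    }
  }
  return null;
}

// Scan a whole log and return one hit per matching request.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req) continue;
    const match = classifyRequest(req);
    if (match) hits.push({ ts: req.ts, client: req.client, host: req.url.hostname, ...match });
  }
  return hits;
}

// Constructed proxy log: one infected client talking to a constructed C&C host,
// plus unrelated traffic that must not match.
const SAMPLE_LOG = [
  "2014-08-20T10:15:02Z 10.0.0.5 GET http://cc-host.invalid/notify.php -",
  "2014-08-20T10:15:03Z 10.0.0.5 GET http://cc-host.invalid/favicon.ico -",
  "2014-08-20T10:21:40Z 10.0.0.5 GET http://cc-host.invalid/boleto.php?LETO -",
  "2014-08-20T10:21:41Z 10.0.0.5 POST http://cc-host.invalid/boleto.php " +
    "O=23791234567890123456789012345678112340000010000&N=00191111112222222222233333333333312340000010000" +
    "&V=100.00&P=2014-08-25&U=http%3A%2F%2Fbank.example%2Fboleto&Z=Chrome",
  "2014-08-20T10:22:00Z 10.0.0.7 GET http://www.example.com/index.html -",
];

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

The value of the POST match is that it yields both typeable lines: the original identifies the legitimate payee that did not get paid, and the replacement is exactly the identifier that a blacklist feed of altered Boleto IDs, such as the one described under Countermeasures, needs. Matching on path and parameter names rather than on host is deliberate, since the report notes the servers are hacked websites that change.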
BARCODE REPLACEMENT
Like the "Eupuds" family, this family also replaces the Boleto barcode.
Some samples submit the modified typeable line to the malicious server in order to retrieve the
corresponding barcode (as an image) and replace the one in the original Boleto with it.
Other samples simply download a fake, fixed barcode (as an image), so that the victim is forced
to use the modified typeable line to make the payment:
Figure 7: Replacement by a corresponding barcode
Some samples search for strings like "autenticacao mecanica" (Portuguese for "mechanical
authentication", the label next to which the barcode is usually located) and their variations
(capital letters and accented characters) in order to locate and replace the barcode in the Boleto
document.
C&C SERVER INFRASTRUCTURE
The server-side control panel is very simple and gives the botmaster access to manage the
botnet and review compromised data. The C&C server exposes this information publicly through
links.
The latest transaction activity (latest Boleto changes) can be accessed by sending a GET for
"boleto.php?123" to the server, which reveals information such as date, time, browser, original
typeable line, modified typeable line, value, due date and URL:
Figure 8: Replacement by a fixed barcode
Figure 9: Latest Boleto changes
The latest victim information can be accessed by sending a GET for "visualizador.php?ver",
which returns a UI listing the recently infected victims (date, IP address, hostname and HTTP
referrer):
The data seems to be removed from time to time, so only a partial view of the data on the
server, corresponding to a limited period of time, is available.
RETRIEVED DATA STATISTICS
The data retrieved from the server reveals interesting information about this family of the “Boleto”
malware and its victims.
Following are the infected browsers:
Figure 10: Latest infection information
Like the "Eupuds" variant, this family also targets the Brazilian market (citizens and
companies). Most of the victims are Brazilian residents; however, Brazilian citizens who live abroad
were infected as well. All of them are able to generate a "Boleto" online and pay it through the
Brazilian online banking system.
Figure 11: Infected browsers
Figure 12: Infection by country
As shown in the map below, the malware is distributed nationwide, but it is concentrated in the
densely populated areas. The infection map looks very similar to the "Eupuds" malware distribution:
During this period the total number of victims infected through this C&C was 3,072.
The following diagram displays the daily malware activity (number of infected transactions) of one
of the C&C servers during the last month (period from August 5th until September 1st):
It is important to mention that these values and statistics refer to only one C&C server. A total
of 50 samples and 16 C&C servers have been monitored during the latest 2 months by RSA
researchers, so the malware activity involved in this fraud is likely to exceed the figures reported
here for this period.
COUNTERMEASURES
RSA FraudAction Service™ can help with shutting down Boleto infection points in the wild and
blacklisting Boleto IDs. FraudAction provides a blacklist feed of all altered Boleto ID numbers by
the Boleto malware. As fraudsters feed new Boleto IDs into the malware, FraudAction service
updates the blacklist feed. The altered fraudulent Boletos contain information that the banks can
use to proactively block further payment of such Boleto and to track the account that received the
fraudulent payment and prevent further payments to this account and cashing out.
Figure 13: Infection in Brazil
Figure 14: Activity by day
RSA® Security Analytics can help only when the Boleto malware is on employee machines, not on
customers' machines.
RSA Security Analytics is designed to monitor all the communication to/from the organization to
the Boleto malware C&C server, and can spot fraudulent activities by using Boleto IOCs that are in
the RSA Live feed. The feed will be updated as needed, providing threat intelligence to
organizations experiencing possible Boleto malware infection.
RSA LIVE feed info regarding Boleto fraud is as follows:
• Feed: RSA FirstWatch Command and Control IPs
o Pivot: threat.desc = c2-ip-bolware
• Feed: RSA FirstWatch Command and Control Domains
o Pivot: threat.desc = c2-domain-bolware
RSA® ECAT is engineered to help only when the Boleto malware is on employee machines, not on
customers' machines.
RSA ECAT can detect the presence of Boleto malware on end user/employee devices based on the
Boleto malware IOCs.
RECOMMENDED USER VIGILANCE
1. Double check the Boleto ID, using the following information that could help in detecting
a fraudulent Boleto:
• Compare the first 4 digits with previous Boletos from the same issuing company:
these digits identify the destination Bank, and they will usually be the same every
month.
• For a given issuing company (e.g., a credit card bill or a Boleto from the kids’
school), compare the first half of Boleto digits (usually the first 21 digits) with
previous payments from the same company, since these digits identify the payee’s
destination account. These digits are usually the same from accounts that the user
paid in previous months.
2. Avoid accessing websites that propose to generate new Boletos out of overdue Boletos.
Please check with your bank the best process to pay an overdue Boleto.
3. Try using the Authorized Direct Debit (DDA) method as much as possible to replace the
traditional Boleto payment method.
4. Never trust emails that you aren't expecting, don’t click on any suspicious links.
5. Be wary of websites which are requesting information that they don’t need.
6. Download and install software patches periodically from reliable sources (preferably ask
the software to update itself).
7. Install Anti-Virus software from a reliable source, verify it's enabled and update it
periodically. According to Microsoft®, customers using Windows Security Essentials® are
protected from this malware.
8. Scan your PC with Anti-Malware software on a constant basis.
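The first vigilance item above is mechanical enough to automate: compare the first 4 digits (destination bank) and the first 21 digits (payee's destination account) of a new typeable line with previous Boletos paid to the same issuer. The following is an added example, not code from the report: a check that does exactly that comparison, with constructed sample typeable lines. It assumes the typeable line is compared after stripping the dots and spaces it is usually printed with; the digit-position rules are the report's own.

```javascript
// Added example (not from the RSA report): apply the report's first vigilance
// check in code. All typeable lines below are constructed sample values.

const BANK_CODE_DIGITS = 4;     // "the first 4 digits identify the destination Bank"
const PAYEE_PREFIX_DIGITS = 21; // "usually the first 21 digits" identify the payee's account

// Strip the dots and spaces the typeable line is usually printed with.
function digitsOnly(line) {
  return String(line).replace(/\D/g, "");
}

// Compare a newly received typeable line with the typeable lines of earlier
// Boletos from the same issuer. Returns { verdict, warnings } where verdict is
// "consistent", "review" or "no-history".
function checkBoletoAgainstHistory(newLine, previousLines) {
  const current = digitsOnly(newLine);
  const history = previousLines.map(digitsOnly).filter((d) => d.length >= PAYEE_PREFIX_DIGITS);
  const warnings = [];

  if (history.length === 0) {
    return { verdict: "no-history", warnings: ["no previous Boleto from this issuer to compare with"] };
  }

  // Check 1: the bank code should match at least one earlier Boleto from this issuer.
  const bank = current.slice(0, BANK_CODE_DIGITS);
  if (!history.some((h) => h.slice(0, BANK_CODE_DIGITS) === bank)) {
    warnings.push(`bank code ${bank} differs from every previous Boleto from this issuer`);
  }

  // Check 2: the payee prefix (first 21 digits) should match at least one earlier Boleto.
  const payee = current.slice(0, PAYEE_PREFIX_DIGITS);
  if (!history.some((h) => h.slice(0, PAYEE_PREFIX_DIGITS) === payee)) {
    warnings.push("first 21 digits (payee account) differ from every previous Boleto from this issuer");
  }

  return { verdict: warnings.length > 0 ? "review" : "consistent", warnings };
}

// Constructed history: two earlier bills from one issuer (same bank, same payee prefix,
// different amount/due-date fields at the end).
const PREVIOUS_BILLS = [
  "23791.23456 78901.234567 89012.345678 1 12340000010000",
  "23791.23456 78901.234567 89012.345678 2 12650000012000",
];

// Constructed new bills: one consistent with the history, one with both bank and
// payee changed, one where only the payee account changed.
const NEW_BILL_OK = "23791.23456 78901.234567 89012.345678 4 12990000011000";
const NEW_BILL_OTHER_BANK = "00191.11111 22222.222222 33333.333333 3 12340000010000";
const NEW_BILL_SAME_BANK_OTHER_PAYEE = "23799.99999 99999.999999 99999.999999 5 12340000010000";

for (const bill of [NEW_BILL_OK, NEW_BILL_OTHER_BANK, NEW_BILL_SAME_BANK_OTHER_PAYEE]) {
  console.log(bill, "=>", JSON.stringify(checkBoletoAgainstHistory(bill, PREVIOUS_BILLS)));
}
```

The second check matters more than the first for this family: the comparison table states that "Onyx" does not replace the bank code, so a bank-code comparison alone would pass an altered Boleto, while the 21-digit payee comparison still catches the substituted typeable line.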
AUTHORS
Jonathan Zkez
James Winston
Content and liability disclaimer
This Research Paper is for general information purposes only, and should not be used as a
substitute for consultation with professional advisors. EMC has exercised reasonable care in the
collecting, processing, and reporting of this information but has not independently verified,
validated, or audited the data to verify the accuracy or completeness of the information. EMC
shall not be responsible for any errors or omissions contained on this Research Paper, and
reserves the right to make changes anytime without notice. Mention of non-EMC products or
services is provided for informational purposes only and constitutes neither an endorsement nor a
recommendation by EMC. All EMC and third-party information provided in this Research Paper is
provided on an "as is" basis.
EMC DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, WITH REGARD TO ANY
INFORMATION (INCLUDING ANY SOFTWARE, PRODUCTS, OR SERVICES) PROVIDED IN THIS
RESEARCH PAPER, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. Some jurisdictions do not allow the
exclusion of implied warranties, so the above exclusion may not apply to you.
In no event shall EMC be liable for any damages whatsoever, and in particular EMC shall not be
liable for direct, special, indirect, consequential, or incidental damages, or damages for lost
profits, loss of revenue or loss of use, cost of replacement goods, loss or damage to data arising
out of the use or inability to use any EMC website, any EMC product or service. This includes
damages arising from use of or in reliance on the documents or information present on this
Research Paper, even if EMC has been advised of the possibility of such damages
www.rsa.com
ABOUT RSA
RSA’s Intelligence Driven Security solutions help organizations reduce the
risks of operating in a digital world. Through visibility, analysis, and
action, RSA solutions give customers the ability to detect, investigate and
respond to advanced threats; confirm and manage identities; and
ultimately, prevent IP theft, fraud and cybercrime. For more information
on RSA, please visit www.rsa.com.
EMC², EMC, RSA and the RSA logo are registered trademarks or trademarks of EMC Corporation in the
United States and other countries. All other trademarks used herein are the property of their respective
owners. ©2014 EMC Corporation. All rights reserved. Published in the USA.
H13742

Data Science and Big Data Analytics Book from EMC Education ServicesData Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education Services
 
Using EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere EnvironmentsUsing EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere Environments
 
Using EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBookUsing EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBook
 
2014 Cybercrime Roundup: The Year of the POS Breach
2014 Cybercrime Roundup: The Year of the POS Breach2014 Cybercrime Roundup: The Year of the POS Breach
2014 Cybercrime Roundup: The Year of the POS Breach
 

Recently uploaded

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Recently uploaded (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

RSA Report: Bolware – Onyx Variant

BOLWARE – “ONYX” VARIANT
December 2014
RSA® Research Group
Page 2
TABLE OF CONTENTS
Executive Summary ........................................................ 3
Comparison ............................................................... 5
Malware Installation, Protective Mechanisms and Persistency Techniques ... 5
Communication and Network Behavior ....................................... 7
Barcode Replacement ...................................................... 9
Command and Control Server Infrastructure ............................... 10
Retrieved Data Statistics ............................................... 11
Countermeasures ......................................................... 13
Recommended User Vigilance .............................................. 14
Authors ................................................................. 15
Page 3
EXECUTIVE SUMMARY
As mentioned in the previous report published by RSA (https://blogs.rsa.com/rsa-uncovers-boleto-fraud-ring-brazil/), Boleto malware is a fraud operation and financial threat that has appeared in recent years in Brazil. The malware family known as "Eupuds" by some AV engines has attacked thousands of victims, causing serious losses to both the banking system and its customers.

These losses are caused not only by the "Eupuds" family, but by other types of Boleto malware as well.

This report contains information about a different family of Boleto malware, known as "Onyx". The basic idea is the same: replace Boleto information in order to redirect the payments from the victim. However, unlike "Eupuds", which injects malicious code into the memory of the different web browsers (Chrome, Firefox and Internet Explorer (IE)) during runtime, this kind of malware uses other mechanisms to infect the victim's machine, depending on the targeted web browser. If the target browser is either Chrome or Firefox, the malware will be installed as an extension and will execute its JavaScript code. On the other hand, if the target is Microsoft’s Internet Explorer®, the malware will change the Boleto information by using the COM (Component Object Model) interface with the browser.

Another difference is that the "Eupuds" malware family modifies the Boleto bank code and this family does not. "Eupuds" invalidates the Boleto barcode by adding HTML comments between the black and white bar images that represent the barcode, whereas "Onyx" either downloads a full barcode image from a malicious server or tries to compose a new barcode with black and white bars. The altered Boleto will look like this:
Page 4
Figure 1 Altered Boleto
Dozens of samples of this family have been found, and they are at different levels of development. Their features vary among the samples, and they point to different Command and Control (C&C) servers. However, all of them use the same communication protocol with the servers, which indicates that these samples are likely variants of a malware family that is still under development. In this report we will list the most important features of this malware family and analyze one of the C&C servers.
Page 5
COMPARISON

| Feature                   | Bolware "Ruby" (aka Eupuds)                                         | Bolware "Onyx"                                                   |
|---------------------------|---------------------------------------------------------------------|------------------------------------------------------------------|
| Bank Code                 | Replace                                                             | Do not Replace                                                   |
| Typeable Line             | Replace                                                             | Replace                                                          |
| Barcode                   | Do not Replace                                                      | Replace (some versions put an extra one at the bottom)           |
| Protocol                  | XML obfuscated with a XOR key over HTTP                             | Plain text over HTTP                                             |
| Server                    | Centralized dedicated server (multiple IPs on the same server)      | Multiple servers (hacked websites)                               |
| C&C                       | PHP + MySQL                                                         | PHP + plain text storage                                         |
| Dataflow Affected         | On generation (on GET response) and on submission (on POST requests) | On generation (on GET response)                                 |
| User Credentials Targeted | Live.com                                                            | Do not Support                                                   |
| Infection Mechanism       | CreateRemoteThread() on process                                     | Chrome / Firefox - browser extension; IE - COM interface         |
| Affected Browsers         | Chrome / Firefox / IE                                               | Chrome / Firefox / IE                                            |
| Affected OS               | Windows                                                             | Windows; however, the extension also works on MAC OS and LINUX   |

MALWARE INSTALLATION, PROTECTIVE MECHANISMS AND PERSISTENCY TECHNIQUES
The installation process depends on the targeted browser. The malware is installed as an extension and pretends to be Flash Player in Chrome and Firefox:
Page 6
Figure 2 Fake Chrome extension
Figure 3 Fake Firefox extension
The same extension used as a payload by the malware can infect Linux and Mac OS, since it is written in JavaScript using the browser's API, but no malware was identified that was able to deploy this payload on other platforms.

Once properly installed in the victim's browser, the malicious extension searches for and replaces Boleto-related information (typeable line and barcode) in order to redirect payments.

In Chrome, the manifest.json extension configuration file points to a background page called "popup.html" (with permissions to monitor tabs, all URLs, navigation and requests), which executes a JavaScript file called "popup.js". This JavaScript uses Chrome APIs to carry out the fraud:

chrome.webRequest.onCompleted.addListener(...)

Where:
• chrome.webRequest is the API to observe and analyze traffic and to intercept and modify requests in-flight
• onCompleted fires when a request has been processed successfully
• addListener is used to register an event listener for a web request

The API takes a callback and some filters as arguments. The callback calls a JavaScript file called "getPagesSource.js", which will:
• retrieve the DOM object from the page and convert it to a string
• use regular expressions to search for Boleto information in the page opened by the browser
• retrieve the fake typeable line from the C&C server
• replace the typeable line
• calculate and replace the barcode
• send information back to the C&C server (browser, original typeable line, modified typeable line, value, due date and URL)
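To hunt for the extension profile described above (a Flash Player lure whose manifest declares a background page and permissions to monitor tabs, all URLs, navigation and requests), here is an added Python triage script; it is not code from the report. The two manifests it checks are constructed, and the permission names are the standard Chrome manifest (v2) keys for those capabilities.

```python
"""Triage Chrome extension manifests for the Bolware "Onyx" extension profile.

Added example, not code from the RSA report. The manifests below are
constructed; the permission names are standard Chrome manifest keys.
"""
import json
import os

# Capabilities the report lists for the fake extension -> Chrome permission names.
WATCHED_PERMISSIONS = {
    "tabs": "monitor tabs",
    "<all_urls>": "all URLs",
    "webNavigation": "navigation",
    "webRequest": "requests",
}
# Flash Player shipped as a browser plugin, not as an extension, so an extension
# claiming that name is the lure the report describes.
LURE_NAMES = ("flash player", "adobe flash", "shockwave flash")


def triage_manifest(manifest_json):
    """Return the matched indicators and a verdict for one manifest.json text."""
    m = json.loads(manifest_json)
    name = str(m.get("name", "")).lower()
    perms = set(m.get("permissions", []))
    matched = [desc for perm, desc in WATCHED_PERMISSIONS.items() if perm in perms]

    # Background code: a "page" (v2), "scripts" (v2) or "service_worker" (v3).
    background = m.get("background") or {}
    bg_files = [background.get("page"), background.get("service_worker")]
    bg_files += list(background.get("scripts", []))
    bg_files = [f for f in bg_files if f]

    lure = any(s in name for s in LURE_NAMES)
    # Impersonation plus the full monitoring profile is the report's pattern.
    # The monitoring profile alone is also used by legitimate extensions
    # (ad blockers, privacy tools), so on its own it only merits a review.
    if lure and len(matched) == len(WATCHED_PERMISSIONS) and bg_files:
        verdict = "likely_bolware_profile"
    elif lure or len(matched) >= 3:
        verdict = "review"
    else:
        verdict = "ok"
    return {
        "name": m.get("name"),
        "lure_name": lure,
        "permissions": sorted(matched),
        "background_files": bg_files,
        "verdict": verdict,
    }


def scan_extension_dir(root):
    """Walk an extensions directory (e.g. a Chrome profile's Extensions folder)
    and triage every manifest.json found. Returns a list of (path, result)."""
    results = []
    for dirpath, _, files in os.walk(root):
        if "manifest.json" in files:
            path = os.path.join(dirpath, "manifest.json")
            with open(path, encoding="utf-8") as fh:
                results.append((path, triage_manifest(fh.read())))
    return results


# Constructed manifests: one mimicking the report's description, one benign.
FAKE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Adobe Flash Player",
    "version": "11.2",
    "background": {"page": "popup.html"},
    "permissions": ["tabs", "<all_urls>", "webNavigation", "webRequest"],
})
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Tab Notes",
    "version": "1.0",
    "background": {"scripts": ["bg.js"]},
    "permissions": ["storage", "tabs"],
})

if __name__ == "__main__":
    for label, text in (("fake", FAKE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(text))
```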
Page 7
In Firefox, the process is almost the same. The "install.rdf" extension configuration file contains the information to install the malware as a plugin, and the file "stylebar.xul" points to a JavaScript file called "stylebar.js" that performs the same logic that "getPagesSource.js" does.

On the other hand, if the IE browser is running, the malware will:
• Initialize the COM interface
• Search for the iexplore.exe process
• Retrieve a Boleto number from the server
• Connect to IE and retrieve the existing page
• Replace the Boleto number and barcode
• Notify the C&C server of the original Boleto and the new one

Example of code in Delphi that uses the COM interface to retrieve an HTML page from the browser:
"""
uses
  SysUtils, ShDocVw, MSHTML; // ShDocVw_Tlb in older Delphi versions

procedure ReadIEPages;
var
  i: Integer;
  Browser: IWebBrowser2;
  ShellWindows: IShellWindows;
  Doc: IHTMLDocument2;
  Html: string;
begin
  ShellWindows := CoShellWindows.Create;
  for i := 0 to ShellWindows.Count - 1 do
    if Supports(ShellWindows.Item(i), IWebBrowser2, Browser) then
    begin
      // do something with the Browser instance, e.g. compare the Url you're
      // expecting with Browser.LocationUrl
      // if it matches, then you can get at the Html by something like:
      Doc := nil;
      if Browser.Document <> nil then
        Browser.Document.QueryInterface(IHTMLDocument2, Doc);
      if (Doc <> nil) and (Doc.Body <> nil) then
        Html := Doc.Body.innerHTML; // access any of the Doc's properties
    end;
end;
"""

COMMUNICATION AND NETWORK BEHAVIOR
After the malware infects the browser, it starts communicating with the C&C server through HTTP messages. The first message is a notification that the malware sends to the server as soon as it becomes active. This is done by sending a GET to "notify.php":
Page 8
Figure 4 Notification message
After the notification is sent, a text file is created on the victim's machine in order to prevent multiple notifications for the same victim.

The subsequent messages occur when the malware detects a Boleto operation in the browser; their purpose is to replace the Boleto information (typeable line and barcode) in order to redirect payments. First, the malware requests the replacement typeable line by sending a GET to "boleto.php?LETO":
Figure 5 Typeable line request
After that, the malware sends some information about the Boleto to the server by sending a POST to "boleto.php":
Figure 6 Transaction information
Page 9
Where:
O=<original typeable line>
N=<new typeable line>
V=<value>
P=<due date>
U=<url>
Z=<browser>

BARCODE REPLACEMENT
Like the "Eupuds" family, this family also replaces the Boleto barcode. Some samples submit the modified typeable line to the malicious server in order to retrieve the corresponding barcode (as an image) and replace it in the original Boleto:
Figure 7 Replacement by a corresponding barcode
Other samples simply download a fake, fixed barcode (as an image), so that the victim is forced to use the modified typeable line to make the payment:
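The three C&C messages described on the previous pages (GET notify.php, GET boleto.php?LETO, POST boleto.php with the O/N/V/P/U/Z fields) are plain-text HTTP, so they can be matched in proxy logs. The following added Python detector is not code from the report; the log format, hostnames and typeable lines it runs over are constructed, and only the request shapes follow the report.

```python
"""Detect Bolware "Onyx" C&C traffic in HTTP proxy logs.

Added example, not code from the RSA report. The log format below
(<timestamp> <client_ip> <method> <url> [<url-encoded POST body>]) and all
values in SAMPLE_LOG are constructed; the request shapes follow the report.
"""
import re
from urllib.parse import parse_qs, urlsplit

# POST field names as listed in the report, mapped to readable keys.
FIELD_NAMES = {
    "O": "original_typeable_line",
    "N": "new_typeable_line",
    "V": "value",
    "P": "due_date",
    "U": "url",
    "Z": "browser",
}
ALL_STAGES = {"notify", "typeable_line_request", "transaction_report"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Za-z]+)\s+(?P<url>\S+)"
    r"(?:\s+(?P<body>.*))?$"
)

# Constructed log: one infected client (10.0.0.15) and one unrelated request.
SAMPLE_LOG = """\
2014-08-05T10:01:12 10.0.0.15 GET http://compromised.example/site/notify.php
2014-08-05T10:03:40 10.0.0.15 GET http://compromised.example/site/boleto.php?LETO
2014-08-05T10:03:41 10.0.0.15 POST http://compromised.example/site/boleto.php O=23793.38128%2060000.063305%2073000.000002%203%2057670000050000&N=23793.38128%2060000.063305%2099999.999990%201%2057670000050000&V=500.00&P=05/09/2014&U=https://bank.example/boleto&Z=Chrome
2014-08-05T10:05:00 10.0.0.22 GET http://www.example.org/index.php?id=3
"""


def classify_request(method, url, body=""):
    """Return (stage, fields) when the request matches one of the three C&C
    message shapes in the report, otherwise (None, {})."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1].lower()
    method = method.upper()
    if method == "GET" and script == "notify.php":
        return "notify", {}
    if method == "GET" and script == "boleto.php" and parts.query == "LETO":
        return "typeable_line_request", {}
    if method == "POST" and script == "boleto.php":
        params = parse_qs(body, keep_blank_values=True)
        if {"O", "N"}.issubset(params):
            fields = {FIELD_NAMES[k]: params[k][0] for k in FIELD_NAMES if k in params}
            return "transaction_report", fields
    return None, {}


def detect(log_text):
    """Scan proxy log lines and return one alert dict per matching request."""
    alerts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        stage, fields = classify_request(m["method"], m["url"], m["body"] or "")
        if stage is None:
            continue
        alerts.append({
            "ts": m["ts"],
            "client": m["client"],
            "host": urlsplit(m["url"]).hostname,
            "stage": stage,
            **fields,
        })
    return alerts


def confirmed_clients(alerts):
    """Clients that show the complete sequence (notification, typeable-line
    request, transaction report). notify.php alone is a generic file name, so
    a single hit is only a weak indicator; the full sequence is not."""
    stages_by_client = {}
    for a in alerts:
        stages_by_client.setdefault(a["client"], set()).add(a["stage"])
    return sorted(c for c, s in stages_by_client.items() if s == ALL_STAGES)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("confirmed infections:", confirmed_clients(found))
```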
Page 10
Figure 8 Replacement by a fixed barcode
Some samples search for strings like "autenticacao mecanica" (Portuguese for "mechanical authentication"; this is where the barcode is usually located) and its variations (capital letters and accented characters) in order to find and replace the barcode in the Boleto document.

C&C SERVER INFRASTRUCTURE
The server-side control panel is very simple; it gives the botmaster access to manage the botnet and review compromised data. The information is publicly accessible through links on the C&C server. The latest transaction activity (latest Boleto changes) can be accessed by sending a GET to "boleto.php?123" to the server, which reveals information such as date, time, browser, original typeable line, modified typeable line, value, due date and URL:
Figure 9 Latest Boleto changes
Page 11
Similarly, the latest victim information can be accessed by sending a GET to "visualizador.php?ver", which returns a UI listing the recently infected victims (date, IP address, hostname and HTTP referrer):
Figure 10 Latest infection information
The data seems to be removed from time to time, allowing only a partial view of the data on the server, corresponding to a limited period of time.

RETRIEVED DATA STATISTICS
The data retrieved from the server reveals interesting information about this family of “Boleto” malware and its victims. The infected browsers were as follows:
Page 12
Figure 11 Infected browsers
Like the "Eupuds" variant, this family also targets the Brazilian market (citizens and companies). Most of the victims are Brazilian residents; however, Brazilian citizens living abroad were infected as well. All of them are able to generate a “Boleto” online and pay it through the Brazilian online banking system.
Figure 12 Infection by country
Page 13
As shown in the map below, the malware is distributed nationwide but concentrated in the most populated areas. The infection map looks very similar to the "Eupuds" malware distribution:
Figure 13 Infection in Brazil
During this period the total number of victims infected through this C&C was 3,072. The following diagram shows the daily malware activity (number of infected transactions) of one of the C&C servers during the last month (period from August 5th until September 1st):
Figure 14 Activity by day
It is important to mention that these values and statistics refer to only one C&C server. A total of 50 samples and 16 C&C servers have been monitored during the latest 2 months by RSA researchers, so the overall malware activity involved in this fraud is likely to exceed what is presented in this report.

COUNTERMEASURES
RSA FraudAction Service™ can help with shutting down Boleto infection points in the wild and blacklisting Boleto IDs. FraudAction provides a blacklist feed of all Boleto ID numbers altered by the Boleto malware. As fraudsters feed new Boleto IDs into the malware, the FraudAction service updates the blacklist feed. The altered, fraudulent Boletos contain information that the banks can use to proactively block further payment of such Boletos, to track the account that received the fraudulent payment, and to prevent further payments to this account and cash-outs.
Page 14
RSA® Security Analytics can help only if the Boleto malware is on employee machines and not on customers' machines. RSA Security Analytics is designed to monitor all the communication to/from the organization to the Boleto malware C&C server, and can spot fraudulent activities by using Boleto IOCs that are in the RSA Live feed. The feed will be updated as needed, providing threat intelligence to organizations experiencing a possible Boleto malware infection. The RSA Live feed information regarding Boleto fraud is as follows:
• Feed: RSA FirstWatch Command and Control IPs
  o Pivot: threat.desc = c2-ip-bolware
• Feed: RSA FirstWatch Command and Control Domains
  o Pivot: threat.desc = c2-domain-bolware

RSA® ECAT is engineered to help only if the Boleto malware is on employee machines and not on customers' machines. RSA ECAT can detect the presence of Boleto malware on end user/employee devices based on the Boleto malware IOCs.

RECOMMENDED USER VIGILANCE
1. Double check the Boleto ID, using the following information that could help in detecting a fraudulent Boleto:
• Compare the first 4 digits with previous Boletos from the same issuing company: these digits identify the destination bank, and they will usually be the same every month.
• For a given issuing company (e.g., a credit card bill or a Boleto from the kids’ school), compare the first half of the Boleto digits (usually the first 21 digits) with previous payments from the same company, since these digits identify the payee’s destination account. These digits are usually the same as those of the accounts the user paid in previous months.
2. Avoid accessing websites that propose to generate new Boletos out of overdue Boletos. Please check with your bank for the best process to pay an overdue Boleto.
3. Try using the Authorized Direct Debit (DDA) method as much as possible to replace the traditional Boleto payment method.
4. Never trust emails that you aren't expecting, and don’t click on any suspicious links.
5. Be wary of websites that request information they don’t need.
6. Download and install software patches periodically from reliable sources (preferably let the software update itself).
7. Install Anti-Virus software from a reliable source, verify it’s enabled and update it periodically. According to Microsoft®, customers using Windows Security Essentials® are protected from this malware.
8. Scan your PC with Anti-Malware software on a constant basis.
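The two comparisons in item 1 (first 4 digits for the destination bank, first 21 digits for the payee's account) can be automated against a user's own payment history. The following Python check is an added example, not code from the report; the payment history and typeable lines it uses are constructed, and the prefix lengths are the ones the report gives.

```python
"""Check a new Boleto typeable line against previous Boletos from the same
issuing company, following the "Recommended User Vigilance" comparisons.

Added example, not code from the RSA report. PAYMENT_HISTORY and all
typeable lines are constructed values.
"""
import re

BANK_PREFIX = 4    # digits identifying the destination bank (per the report)
PAYEE_PREFIX = 21  # digits that usually identify the payee's account (per the report)


def digits(typeable_line):
    """Normalize a typeable line: keep digits only, dropping dots and spaces."""
    return re.sub(r"\D", "", typeable_line)


def check_boleto(new_line, history):
    """Compare a new typeable line with earlier lines paid to the same issuer.

    Returns {'status': 'ok' | 'suspicious' | 'no_history', 'reasons': [...]}.
    The Onyx family keeps the bank code and changes the rest of the line, so
    the bank check alone does not catch it; the 21-digit payee check does."""
    new = digits(new_line)
    previous = [digits(h) for h in history]
    reasons = []
    if len(new) < PAYEE_PREFIX:
        reasons.append(f"only {len(new)} digits; cannot compare payee prefix")
    if not previous:
        return {"status": "no_history", "reasons": reasons}

    known_banks = {p[:BANK_PREFIX] for p in previous}
    known_payees = {p[:PAYEE_PREFIX] for p in previous}
    if new[:BANK_PREFIX] not in known_banks:
        reasons.append(
            f"bank code {new[:BANK_PREFIX]} differs from previous {sorted(known_banks)}"
        )
    if new[:PAYEE_PREFIX] not in known_payees:
        reasons.append("payee account digits (first 21) differ from all previous Boletos")
    return {"status": "suspicious" if reasons else "ok", "reasons": reasons}


# Constructed history: two earlier monthly Boletos from one issuer.
PAYMENT_HISTORY = {
    "card issuer": [
        "34191.09008 01234.567894 56789.012345 6 57320000123456",
        "34191.09008 01234.567894 56789.012345 7 58020000123456",
    ],
}

if __name__ == "__main__":
    # Same bank and payee as before: expected to pass.
    legit = "34191.09008 01234.567894 56789.012345 1 58730000123456"
    # Same bank code, different payee digits: the Onyx replacement pattern.
    swapped = "34191.09008 99999.999995 11111.111119 1 58730000123456"
    for line in (legit, swapped):
        print(line, check_boleto(line, PAYMENT_HISTORY["card issuer"]))
```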
Page 15
AUTHORS
Jonathan Zkez
James Winston

Content and liability disclaimer
This Research Paper is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. EMC has exercised reasonable care in the collecting, processing, and reporting of this information but has not independently verified, validated, or audited the data to verify the accuracy or completeness of the information. EMC shall not be responsible for any errors or omissions contained in this Research Paper, and reserves the right to make changes anytime without notice. Mention of non-EMC products or services is provided for informational purposes only and constitutes neither an endorsement nor a recommendation by EMC. All EMC and third-party information provided in this Research Paper is provided on an "as is" basis. EMC DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, WITH REGARD TO ANY INFORMATION (INCLUDING ANY SOFTWARE, PRODUCTS, OR SERVICES) PROVIDED IN THIS RESEARCH PAPER, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. Some jurisdictions do not allow the exclusion of implied warranties, so the above exclusion may not apply to you. In no event shall EMC be liable for any damages whatsoever, and in particular EMC shall not be liable for direct, special, indirect, consequential, or incidental damages, or damages for lost profits, loss of revenue or loss of use, cost of replacement goods, loss or damage to data arising out of the use or inability to use any EMC website, any EMC product or service. This includes damages arising from use of or in reliance on the documents or information present in this Research Paper, even if EMC has been advised of the possibility of such damages.
www.rsa.com
ABOUT RSA
RSA’s Intelligence Driven Security solutions help organizations reduce the risks of operating in a digital world. Through visibility, analysis, and action, RSA solutions give customers the ability to detect, investigate and respond to advanced threats; confirm and manage identities; and ultimately, prevent IP theft, fraud and cybercrime. For more information on RSA, please visit www.rsa.com.

EMC², EMC, RSA and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. ©2014 EMC Corporation. All rights reserved. Published in the USA. H13742