Good day to you!

Khoroshiy den' dlya tebya! (Russian for “Good day to you!”)

The other day, I got this cryptic email. It read:

– – – – – – – – – – – – – – – –
From: Wayne Millbrand <waynem@icon.co.za>
Date: 03/27/2017 2:23 PM (GMT-05:00)
To: ***
Subject: ***

Good day to you!

I have a rather delicate issue, which touches directly to you. Don’t be surprised how do I learned about you! The fact is that I have got already a second letter from the person, I do not know which asserts that you are fraud involved. He insists, that you forced him transfer funds on your PayPal account under fictional reason. However,with this information he pointed out your private data up to address:

First Last Name
Street Address
Town
State (with capitalization error)
Zip Code

Now he is collecting information and planing to contact the police. I advise you to view the information that he sent to me. I have attached Fine.doc with a copy of all of his messages.

Document was password-protected – 4299
Please explain to me what’s happening.  I hope that all of this is a silly misunderstanding.

Best regards,

Wayne Millbrand
– – – – – – – – – – – – – – – –

Based on the fake email address and the tell-tale Anguished English, I concluded that this was just another phish. I usually delete these emails promptly, but this one had an interesting component: it came with a password-protected MS Word document. This is somewhat unusual, because phishers typically expect you to just launch the attachment and activate the payload immediately; here the password keeps the mail gateway and desktop scanner from ever seeing the macro, while the recipient is handed the key to open it.

So it appears that the attack strategy was to:

  1. Send a threatening email
  2. Add some publicly available information about the recipient to make it look genuine
  3. Encrypt the document in order to hide the payload from an anti-virus scanner
  4. Provide the password in the email to allow the user to open and decrypt the file
  5. Activate the payload in the MS Word document and infect the user’s machine

Based on the Word version of the attachment, I set up a Windows 7 virtual machine in a sandbox and installed Microsoft Office 2016 so that I could debug the payload macro. For instrumentation I used the Sysinternals utilities Process Monitor, DiskMon and DebugView, plus Wireshark to capture the network traffic.

I launched the document and entered the provided password. Inside the decrypted file, I found the following API declarations, variable names, and code:

Shell32.dll   ShellExecuteA
Kernel32      GetTempPathA
Kernel32      GetTempFileNameA
URLMon        URLDownloadToFileA

Dim wyqud As String
Dim zdwie As Long
Dim rufhd As Long
Dim bldos As Integer
Dim mufid() As Byte
Dim kmvbf As Long
Dim dfety As Long
Dim bvjwi As Long
Dim wbdys As Long
Dim dvywi(256) As Byte
Dim wdals As Long
Dim dwiqh As Long

Images: API declarations and variables; the Document_Open routine; the helper functions

The attack mechanism seems to be a variation on an old method: as soon as the user opens the file and enables macros, the Document_Open routine calls URLDownloadToFileA to pull a file from one of these two URLs:

h t t p://adenzia.ch/_vti_cnf/bug.gif
h t t p://kingofstreets.de/class/meq.gif

The macro is fairly sophisticated: if the download fails, it even prompts the user to disable their firewall. Both GIFs, bug.gif and meq.gif, have a valid GIF header block and some genuine image bytes, but the encoded malware rides along inside them, so a scanner that trusts the magic bytes sees a picture.

The macro uses a subroutine to extract the executable binary from the downloaded GIF. It writes the binary to a temporary file (hence the GetTempPathA and GetTempFileNameA declarations), appends an .exe extension to it and then launches it with the Shell32 API ShellExecuteA in order to install additional malware. In this case, it was ransomware that encrypted the Documents folder.
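As an added example (not code from the post or from the macro), the following Python triage script shows how such a GIF/PE polyglot can be spotted and carved on the analyst's side: it checks for a genuine GIF header, then walks every MZ candidate through the e_lfanew pointer to the PE\0\0 signature, which is exactly the check a scanner that only trusts the magic bytes never performs. The GIF and PE stub bytes are constructed for the demo, and the single-byte XOR brute force is an assumption about one common way such a payload gets “encoded”; the post does not say which encoding the macro used.

```python
"""Triage a downloaded "image" that may carry a Windows executable.

Added example, not code from the original post or from the macro. It
checks whether a blob really starts with a GIF header and then looks for
a PE image hidden after the picture data, either stored in the clear or
under a single-byte XOR key (the XOR scheme is an assumption; the post
does not say how the payload was encoded). The GIF and PE stub bytes
produced by build_sample() are constructed for this demo, not taken from
bug.gif or meq.gif.
"""
import struct
from typing import Optional, Tuple

GIF_MAGICS = (b"GIF87a", b"GIF89a")
PE_SIGNATURE = b"PE\x00\x00"


def is_gif(data: bytes) -> bool:
    """True if the blob has a GIF header, which is all a naive check sees."""
    return data[:6] in GIF_MAGICS


def find_pe(data: bytes, start: int = 0) -> Optional[int]:
    """Return the offset of an embedded PE image, or None.

    A PE file opens with an MS-DOS header: the 'MZ' magic, then at offset
    0x3C a 32-bit little-endian pointer (e_lfanew) to the 'PE\\0\\0'
    signature. Following that pointer rules out random 'MZ' byte pairs
    that occur naturally in compressed image data.
    """
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig_at = pos + e_lfanew
            if data[sig_at:sig_at + 4] == PE_SIGNATURE:
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def carve_payload(data: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Locate and extract a PE hidden inside a GIF.

    Returns (xor_key, offset_in_file, pe_bytes); key 0 means the PE was
    stored in the clear. Returns None for blobs that are not GIFs or that
    carry no recognizable PE.
    """
    if not is_gif(data):
        return None
    body = data[6:]  # skip the header so the GIF magic is never XOR-matched
    for key in range(256):
        candidate = xor_bytes(body, key) if key else body
        off = find_pe(candidate)
        if off is not None:
            return key, off + 6, candidate[off:]
    return None


def build_sample(xor_key: int = 0) -> bytes:
    """Constructed test vector: a minimal 1x1 GIF followed by a fake PE stub."""
    gif = (b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00"   # header + screen
           + b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"   # image descriptor
           + b"\x02\x02\x44\x01\x00"                                # LZW image data
           + b"\x3b")                                               # trailer
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x90" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    fake_pe = dos_header + PE_SIGNATURE + b"\x4c\x01" + b"\x00" * 16  # Machine = i386
    return gif + (xor_bytes(fake_pe, xor_key) if xor_key else fake_pe)


if __name__ == "__main__":
    for key in (0, 0x5A):
        hit = carve_payload(build_sample(key))
        print(f"key=0x{key:02x}", "no PE" if hit is None else f"PE at offset {hit[1]}")
```

On a real sample, read the file with open(path, "rb") and hand the bytes to carve_payload(); the carved PE belongs in a PE parser or a sandbox, never under a double-click. The e_lfanew walk is what makes the check reliable: a plain search for the two bytes “MZ” fires constantly on compressed image data, the pointer-to-signature chain almost never does by accident.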

Image 1: The ransomware after installation

Interestingly, the first compromised URL used for the malware distribution was a website that belongs to a company called Adenzia, a Swiss accounting and corporate services firm that ironically advertises itself as providing “Privacy and secure data storage” and:

  •   Accounting services
  •   Secure financial services
  •   Data entry from paper to digital
  •   Scanning paper data to digital
  •   Archiving data anonymously

Image 2: The Adenzia.ch website used for malware distribution

Image 3: The Kingofstreets.de website used for malware distribution

Another noteworthy strategy used by the phishers is that both the repurposed Swiss Adenzia.ch financial site and the German kingofstreets.de gaming site required a login. This gave the payload an additional layer of protection: an internet security scanner that tries to track down the payload by following the link to the hosting server runs into the login prompt instead of the file.

Image 4: Malware distribution site login prompt

From the variable naming convention and the language of the email itself, it seems that the writer is a non-native English speaker from one of the former Soviet republics. The metadata of the Word document further supports this and suggests a strong link to Russia: the author’s name was виньда (Vinda) and the company name was SPecialiST RePack.

Image 5: The Word document metadata showing the author and company names

SPecialiST RePack is a Russian group that repackages software, pirated builds of commercial products such as Microsoft Office among them. According to the Emsisoft malware database, its repacks are the source of a large number of infected files and products. Note that Word fills the Company property from the registered organization of the Office installation that created the document, so this value shows that the document was authored on a machine running one of those repacked Office builds, not that the repacker produced the document itself.

Image 6: Samples of SPecialiST RePack infected content

As for the repurposed Swiss Adenzia.ch site, it seems to have been breached within the past few months, since the Wayback Machine still shows it operating normally on October 4, 2016.

Image 7: The office address of Adenzia in Lugano, Switzerland

I’ve contacted Giovanni De Martin Cavan, the registered owner of Adenzia (who seems to have a strange history of forming companies and abandoning their websites), via email and gave him a heads-up that he needs to have a look at his website and corporate network. As of this date, I haven’t heard back from him. This could be an indication that either the site was a front for malware distribution from the get-go or else the company is no longer in business and the site has been abandoned.

References and Sourcing
XRVision Sentinel AI Platform – Face recognition, image reconstruction, and object detection

© Copyright 2017 Yaacov Apelbaum, All Rights Reserved.

Coincidence or Not?


You may have seen this motivational masterpiece. It’s a favorite among performance consultants.

It goes as follows:

IF A = 1, B = 2, C = 3, ... , Z = 26

THEN:
K N O W L E D G E
11 + 14 + 15 + 23 + 12 + 5 + 4 + 7 + 5 = 96%

AND:
H A R D W O R K
8 + 1 + 18 + 4 + 23 + 15 + 18 + 11 = 98%

Both are important, but fall just short of 100%

BUT…
A T T I T U D E
1 + 20 + 20 + 9 + 20 + 21 + 4 + 5 = 100%

So the moral of the story is that if you have the right attitude, you will achieve 100% of your potential. It sure looks great on paper. To test the mystical proposition, I’ve written a short script to first create words between 2 and 12 characters long whose letter values add up to 100 and then find which of these appear in a dictionary.
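As an added example (not the author’s script), here is the same search in Python. The word list is a small constructed stand-in for a real dictionary file. The design point worth seeing is that the dictionary should be scored and filtered, rather than every 2 to 12 letter string being generated first and looked up afterwards: there are 26**12 twelve-letter strings alone, so the generate-then-lookup order does not scale, while scoring a dictionary is linear in its size and gives the identical result.

```python
"""Find dictionary words whose A=1 ... Z=26 letter values sum to a target.

Added example, not the script from the original post. Instead of
enumerating every 2- to 12-letter string (26**12 candidates for length
12 alone) and looking each one up, it scores the dictionary and keeps the
matches, which yields the same list at a tiny fraction of the cost.
WORDS is a small constructed list standing in for a real dictionary.
"""
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample; a real run would read /usr/share/dict/words or similar.
WORDS = [
    "attitude", "knowledge", "hardwork", "aneurism", "asbestos",
    "abrogative", "alienation", "anglophobia", "leadership", "synergy",
    "mindset", "excellence", "alphabet", "burnout",
]


def letter_value(ch: str) -> int:
    """A=1 ... Z=26, case-insensitive; anything else (hyphens, apostrophes) is 0."""
    ch = ch.upper()
    return ord(ch) - ord("A") + 1 if "A" <= ch <= "Z" else 0


def word_score(word: str) -> int:
    """The 'percentage' the motivational poster assigns to a word."""
    return sum(letter_value(c) for c in word)


def words_with_score(words: Iterable[str], target: int = 100,
                     min_len: int = 2, max_len: int = 12) -> List[str]:
    """Dictionary-first search: O(total letters) instead of O(26**max_len)."""
    hits = []
    for w in words:
        if min_len <= len(w) <= max_len and word_score(w) == target:
            hits.append(w)
    return sorted(set(hits))


def score_histogram(words: Iterable[str]) -> Dict[int, int]:
    """How many words land on each score; shows that 100 is nothing special."""
    return dict(Counter(word_score(w) for w in words))


def brute_force_count(length: int) -> int:
    """Size of the generate-then-lookup search space for one word length."""
    return 26 ** length


if __name__ == "__main__":
    print(words_with_score(WORDS))
    print(f"12-letter strings to enumerate: {brute_force_count(12):,}")
```

With a full system dictionary the function returns the hundreds of words the post mentions; the histogram makes the underlying point, since every score between roughly 30 and 200 is hit by plenty of words and 100 is just one bin among them.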

As might be expected, the script generated hundreds of valid words (see the short sample at the end of the post just for the letter A). It turns out that many of them are not very motivational.

A N E U R I S M
1 + 14 + 5 + 21 + 18 + 9 + 19 + 13 = 100%

A S B E S T O S
1 + 19 + 2 + 5 + 19 + 20 + 15 + 19 = 100%

The problem with all of these leadership gimmicks is that they fail to understand the fundamentals of human performance, chiefly that nothing in nature functions at 100% efficiency. In reality, information worker productivity anywhere in the 50% range is outstanding. The list below is a conservative breakdown of the average daily non-work activity of a typical information worker:

#    Activity                                                              Time (min)
1    Checking social media                                                  44
2    Reading news websites and checking out e-commerce sites like Amazon    65
3    Visiting and discussing non-work-related activity with colleagues      40
4    Making hot drinks                                                      17
5    Smoking or doing some mobile device maintenance                        23
6    Texting and instant messaging                                          14
7    Snacking                                                                8
8    Preparing food in the office                                            7
9    Calling partners and friends                                           18
10   Looking for a new job and/or doing some LinkedIn “maintenance”         26
     Total                                                                 262

So about 4.4 hours (262 minutes) of every 8-hour day are non-productive. If you still have any doubts, feel free to consult Frederick Brooks’ The Mythical Man-Month.

Word          Letter Values                                     Sum
Abrogative    1 + 2 + 18 + 15 + 7 + 1 + 20 + 9 + 22 + 5            100
Acromegaly    1 + 3 + 18 + 15 + 13 + 5 + 7 + 1 + 12 + 25           100
Affectation   1 + 6 + 6 + 5 + 3 + 20 + 1 + 20 + 9 + 15 + 14        100
Alienation    1 + 12 + 9 + 14 + 5 + 1 + 20 + 9 + 15 + 14           100
Anchoritic    1 + 14 + 3 + 8 + 15 + 18 + 9 + 20 + 9 + 3            100
Anglophobia   1 + 14 + 7 + 12 + 15 + 16 + 8 + 15 + 2 + 9 + 1       100
Anorchism     1 + 14 + 15 + 18 + 3 + 8 + 9 + 19 + 13               100
Aryanism      1 + 18 + 25 + 1 + 14 + 9 + 19 + 13                   100

 


Only a Math Genius can Solve this Puzzle–Not Really!

 


 

One of the most popular math puzzles on social media is interesting because it does not have a single correct answer, and it illustrates how two equally plausible solution methods diverge.

Here is an example. The following two problems can be solved correctly regardless of whether we use the sum-of-the-digits-in-the-product method or the product-of-the-digit-sums method:

Set 1: 11×11=4
Set 2: 22×22=16
Set 3: 33×33=?

For the first set
Method 1   11×11=121, then summing the digits in the product gives us 1+2+1=4
Method 2   (1+1) × (1+1) = 4

and for the second set
Method 1   22×22=484, then summing the digits in the product gives us 4+8+4=16
Method 2   (2+2) × (2+2) = 16

But when it comes to the next set, 33×33=?, the two solutions diverge and yield different results (see below for methods 1 and 2).

Method 1 (sum of the digits in the product): 33×33=18

33×33=1089, and 1+0+8+9=18

Method 2 (product of the digit sums): 33×33=36

(3+3) × (3+3) = 6 × 6 = 36
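Added example (not code from the post): a Python implementation of both methods, generalized to the whole 11n series, plus two checks the post does not make. First, the methods agree more than twice: when the factors’ digit sums are actually multiplied, 110×110, 121×121 and 220×220 also come out the same under both methods. Second, a digit sum is congruent to the number itself modulo 9 (because 10 ≡ 1 mod 9), which is why method 1 can never leave the residue class of a×b and stays in a narrow band while method 2 grows.

```python
"""Compute both readings of the 11x11=4, 22x22=16, 33x33=? puzzle.

Added example, not code from the original post. method1 sums the digits
of the real product; method2 multiplies the digit sums of the factors.
The n-th term uses a = b = 11*n, as in the post. residue_check() uses a
fact the post does not state: a digit sum is congruent to the number
itself modulo 9, so method 1 can never leave the residue class of a*b
mod 9, which is why its values cluster instead of growing.
"""
from typing import List, Tuple


def digit_sum(n: int) -> int:
    return sum(int(d) for d in str(n))


def method1(a: int, b: int) -> int:
    """Sum of the digits of the product."""
    return digit_sum(a * b)


def method2(a: int, b: int) -> int:
    """Product of the digit sums of the factors."""
    return digit_sum(a) * digit_sum(b)


def series(terms: int) -> List[Tuple[int, int, int, int]]:
    """(a, a*a, method1, method2) for a = 11, 22, ..., 11*terms."""
    rows = []
    for n in range(1, terms + 1):
        a = 11 * n
        rows.append((a, a * a, method1(a, a), method2(a, a)))
    return rows


def agreement_points(terms: int) -> List[int]:
    """Values of a for which the two methods give the same answer."""
    return [a for a, _, m1, m2 in series(terms) if m1 == m2]


def residue_check(terms: int) -> bool:
    """method1(a, a) == a*a (mod 9) for every term: the clustering explanation."""
    return all(m1 % 9 == sq % 9 for _, sq, m1, _ in series(terms))


if __name__ == "__main__":
    for a, sq, m1, m2 in series(12):
        print(f"{a:>4} x {a:<4} = {sq:>6}   method 1: {m1:>3}   method 2: {m2:>4}")
    print("methods agree at a =", agreement_points(40))
```

The agreement at 110, 121 and 220 is worth noticing because a table that simply continues the (n + n) × (n + n) pattern past n = 9 no longer computes the digit-sum product at all; for 110 the digit sum is 2, not 20.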

Here is a graphic solution for method 2


Here are the solutions for the first 40 sets under each method. The n-th set uses a = 11n as both factors. Note that from row 10 on, the Method 2 column continues the pattern (n + n) × (n + n) = 4n² rather than multiplying the actual digit sums of the factors; taken literally, method 2 gives (1+1+0) × (1+1+0) = 4 for 110×110, not 400.

n    a = 11n    a × a     Method 1 (digit sum of a × a)    Method 2 ((n + n) × (n + n))
 1      11        121        4                                  4
 2      22        484       16                                 16
 3      33       1089       18                                 36
 4      44       1936       19                                 64
 5      55       3025       10                                100
 6      66       4356       18                                144
 7      77       5929       25                                196
 8      88       7744       22                                256
 9      99       9801       18                                324
10     110      12100        4                                400
11     121      14641       16                                484
12     132      17424       18                                576
13     143      20449       19                                676
14     154      23716       19                                784
15     165      27225       18                                900
16     176      30976       25                               1024
17     187      34969       31                               1156
18     198      39204       18                               1296
19     209      43681       22                               1444
20     220      48400       16                               1600
21     231      53361       18                               1764
22     242      58564       28                               1936
23     253      64009       19                               2116
24     264      69696       36                               2304
25     275      75625       25                               2500
26     286      81796       31                               2704
27     297      88209       27                               2916
28     308      94864       31                               3136
29     319     101761       16                               3364
30     330     108900       18                               3600
31     341     116281       19                               3844
32     352     123904       19                               4096
33     363     131769       27                               4356
34     374     139876       34                               4624
35     385     148225       22                               4900
36     396     156816       27                               5184
37     407     165649       31                               5476
38     418     174724       25                               5776
39     429     184041       18                               6084
40     440     193600       19                               6400


It is interesting to note the growth pattern of each series. In method 1 the values stay clustered within a narrow band (the digit sum of a d-digit number can never exceed 9d, so it grows only with the number of digits; see the pattern for the first 30K solutions), while in method 2 the growth is polynomial, quadratic in n.

 


Pack of Asses in Shangri-La

A Donkey Pack in Shangri-La: The first dumb ass on the left is the laziest; he slows down the pack because he is always looking for something to eat. The group of jackasses in the middle just stand there contemplating the concept that death is a cosmic opportunity. The big ass on the right is their enlightened guru. He imparts to the pack the consciousness that forms the foundation of their spirituality and growth.

In September 2011, while on a photography assignment in Wood Buffalo National Park in Alberta, Canada, for the nature show Frozen Planet, Chadden Hunter and his team captured imagery of a wolf pack hunting bison. Hunter provided the following description of the image:

Image 1: Chadden Hunter’s original wolf pack photograph

“A massive pack of 25 Timberwolves hunting bison on the Arctic circle in northern Canada. In mid-winter in Wood Buffalo National Park temperatures hover around -40°C. The wolf pack, led by the alpha female, travel single-file through the deep snow to save energy. The size of the pack is a sign of how rich their prey base is during winter when the bison are more restricted by poor feeding and deep snow. The wolf packs in this National Park are the only wolves in the world that specialize in hunting bison ten times their size. They have grown to be the largest and most powerful wolves on earth.”

Now fast-forward four years to December 17, 2015, when a user named Cesare Brai published a post on an Italian-language Facebook page. He used Hunter’s original image but supplied this alternate text:

“Un pacco di lupi: i primi 3 sono i vecchi o gli ammalati, danno il passo all’intero pacco. Se fosse l’altro, essi sarebbero stati lasciati indietro, perdendo il contatto con il pacco. Essere sacrificati, poi vengono 5 forti, la prima linea, al centro sono i restanti membri del paccho, poi i 5 più forti seguendo: l’ultimo è solo, l’alfa, controlla tutto dal retro, in quella posizione può vedere tutto, decide la direzione, vede tutto il pacco, il paccho si muove secondo i tempi più anziani e si aiuta reciprocamente, si guardano a vicenda “.

(Literal English translation: “A parcel of wolves [pacco means ‘parcel’; the Italian word for an animal pack is branco]: the first 3 are the old or the sick, they set the pace for the whole parcel. If it were the other, they would have been left behind, losing contact with the parcel. To be sacrificed, then come 5 strong ones, the front line, in the centre are the remaining members of the parcel, then the 5 strongest following: the last one is alone, the alpha, he controls everything from the rear, in that position he can see everything, decides the direction, sees the whole parcel, the parcel moves according to the pace of the oldest and helps itself reciprocally, they watch each other.”)

Image 2: Cesare Brai’s original Facebook post

Cesare Brai’s post is unusual for the following reasons:

  1. From the post’s grammar it is clear that he is not a native Italian speaker
  2. Shortly after publication the post was taken down and Brai disabled his FB account
  3. Cesare Brai has no internet presence beyond the wrong photo credit attribution

Three days later, on December 20, 2015, the Italian Facebook post was translated into English and posted again on Facebook by Barbara Hermel Bach. The translation appeared as follows:

Barbara Hermel Bach is with Deb Barnes.
December 20, 2015

“A wolf pack: the first 3 are the old or sick, they give the pace to the entire pack. If it was the other way round, they would be left behind, losing contact with the pack. In case of an ambush they would be sacrificed. Then come 5 strong ones, the front line. In the center are the rest of the pack members, then the 5 strongest following. Last is alone, the alpha. He controls everything from the rear. In that position he can see everything, decide the direction. He sees all of the pack. The pack moves according to the elders pace and help each other, watch each other.”  Cesare Brai’s photo.

Image 3: Barbara Hermel Bach’s original Facebook post

Ignoring for a moment the actual content of Bach’s post, it is interesting to note that her text is a reverse English translation of Cesare Brai’s Italian text. This means that the text was most likely first written in English, then translated and posted in Italian under Brai’s name, and finally reposted in English under her name.

In her post, she attributed the photo credit to the mysterious Cesare Brai. It is a noteworthy mistake, because her collaborator on this post is one Deborah Barnes, a professional animal photographer who, judging from the multiple copyright notices on her website, is very sensitive to the issue of copyright infringement.

Image 4: Deborah Barnes’s professional pet photographer About page
In terms of memetic engineering, the post was a hit! Within a few weeks, it went viral and has since garnered close to 480K views and over 237K shares. As you can see from just a few of the comments below, Bach’s new-age wolf pack narrative clearly struck a chord with her audience:

Image 5: Sampling of the post feedback

Content Adaptation by Management Consultants and Corporate Trainers
By 2016, Bach’s FB wolf pack leadership concept had taken the world of recruiters, management coaches and efficiency consultants by storm. Many of them embraced the idea and have since been referencing and using the bogus narrative in their online publications.

Of special interest is the marking scheme each publisher used to re-brand the image and the idea as their own. As you can see from the few variations below, each poster altered the original image with a simple variation in color, geometric shape and/or arrow orientation.

Image 6: Copycat variations on Bach’s original Facebook post

Why, Who, Where, and How?
So why all of the subterfuge, stratagems and ruses? Why go through all of the trouble to hide Hunter’s name as the original photographer? Why alter the real location of the shot and go through all of the trouble of creating a sock puppet called Cesare Brai? And even now, why not just come out and either remove the original post (which is a blatant copyright violation) or state for the record that the narrative is false? After all, even Hunter, the photographer who took the original shot, posted on his Twitter account that he was being ripped off by Bach:

Image 7: Chadden Hunter’s tweet regarding the misappropriation of his original image

It’s hard to answer these questions with certainty. We know from the post that both Barnes and Bach created it. Writing-style analysis with JStylo-Anonymouth suggests that Bach wrote the text. But what was Barnes’ share? It is possible that, as a professional animal photographer, she stumbled on Hunter’s original image and felt that she could repurpose it by attributing it to the fictitious Cesare Brai. As the ‘animal expert’ and spiritual guru who uses the motto “Life is all about a sense of community, about building connection and heart,” she could also have provided the new-age insight into wolf pack behavior.

Image 8: Barbara Hermel Bach and Deb Barnes

By 2015, four years had passed since the original wolf pack image was shown on Frozen Planet, and the chance that anyone would remember it was slim. So Barnes’s rationale could have been that changing the name of the photographer and withholding the date and location of the shot would add three additional layers of obscurity to the image.

What I find most interesting about this and Bach’s other posts is that they require a significant amount of effort in terms of planning and execution, and that her network produces large amounts of this type of ‘progressive’ material on a regular basis.

Considering that Bach is a social activist with an aggressive political agenda and a member of a large community of like-minded individuals who distribute such high-grade social propaganda, it’s plausible that these publications are part of some kind of organized political media production line.

Image 9: Samples of the content that Bach’s Social Action network generates

Out of courtesy and to give Bach and Barnes the benefit of the doubt, I reached out to both of them to inquire about their sources of the image and verbiage. Alas, I have not received a response.

As far as the spiritual and uplifting content of Bach’s posting is concerned, there’s good news. Now you too can generate similar materials, and no, you don’t have to spend 7 lost years in Tibet on a soul searching journey. You can do so effortlessly with a few mouse clicks!

Just do as I did with the “Pack of Asses in Shangri-La”. Pick a random animal pack image, go to the inspirational BS Generator or the Corporate BS Generator, and in no time you will be the leading ass who manages the pack from behind. Or as the BS generator would put it:

“You would be seamlessly innovating new backend leadership paradigms”.

References and Sourcing
XRVision Sentinel AI Platform – Face recognition, image reconstruction, and object classification
