B (2:31)

I also thought the history of where that exploit kit had been deployed was interesting in that it covered many years of iOS versions and it wasn't detected until in effect, this is my interpretation, that it had been sold on. So it was like the third or the fourth purchaser.

A (2:54)

It wasn't until it got to the criminals who were just going after the crypto wallets.

B (2:59)

Yep. And so that implied to me at least that the initial purchaser had used it very carefully. So it hadn't been picked up by Google who finally detected it because they were using it in a very opsec careful way. So it was. I'm interpreting that to mean that it was very targeted.

A (3:17)

Right. So I would absolutely agree. And I think that it's like it makes sense because if you're paying millions of dollars for something, you want to use it for things that will that justify that expense. I guess in other ways if there's something important enough to you that you would spend a million dollars trying to gain access to it, you probably want to be careful about that.

B (3:40)

You want to get return on investment.

A (3:42)

Yeah. And you want to. There's probably more than one of those things at that point.

B (3:46)

Like you're probably more than one person you want to hack.

A (3:52)

Exactly right. And so you're going to be careful and sparing. You're going to use sort of as much as you need plus one, I guess. Right. Like if you can get away with doing a phishing attack, you'll use a phishing attack. If you can use an N day, you'll use an N Day. If you have to use an iOS O Day, then it's going to be worth it sort of thing. And so yeah, it looks like they were careful probably even for the first. So like there's the authentic purchaser choose the US government and probably some other five eyes nations and it was never detected. Like my understanding is that if it was detected the bugs would be killed but the campaign would not be exposed sort of thing like Google would. They might have the courtesy of informing NSA like we're going to kill your bug. But they're not going to blow the whole campaign. They might give them like 90 days and ET cetera. So it went from there to the Russians and then it went from there. Ultimately it ended up being used by Chinese crypto wallet hackers who very likely did not pay a million dollars for it.

B (5:00)

And I think by that time it was viable for like a relatively small percentage of. Right.

A (5:06)

It was, it was all historic at that point.

B (5:09)

Yeah. So people who hadn't updated had old phones, whatever.

A (5:13)

What that says to me is that while it was a viable nation state tool, it was being sold to nation states at the high price. Once it had aged out and it was no longer as useful to a state, the seller was probably looking at how can I squeeze a last little bit of value out of this depreciating asset? Which is when they would go to anyone.

B (5:38)

Right. So that might be something like you've got an exclusive license to use this thing that we've stolen for X number of years or something or while, you know, n minus one current or something like that maybe. Yeah.

A (5:54)

So like, I mean the way I would say it is you sell it for big money to people who will pay big money when they get to a point where they're no longer going to buy it. Like they're not interested in it anymore because it's old. You then look at anyone who's willing to pay for something that might be valuable to them and you'll probably find, you know, like the crypto wallet guys will be like, look, I'll give you 200,000 for it. Right? Like it's worth something, but not very much. I mean 200,000 is quite a lot of money, but compared to the millions that you were getting before, it's a bit of a, like it's a huge letdown. But yeah, like that's, that's what I would assume would happen. At which point it basically it gets burned because these guys have paid very little money for it and they just want to hit as many things as they can to try and make their 200,000 back and then some and they just.

B (6:45)

Yeah, yeah. And to be clear, the crypto criminals in this case, they had a watering hole attack or they had a watering hole people visiting the site, it would try and grab their crypto wallet passphrases or whatever. And so they had a mechanism to actually turn it from an exploit into money again. And actually. Yeah, yeah. And so that's still a very high value activity actually because there's probably, I can't think of a better way to turn an exploit into money directly. So you know, it's still I guess quite valuable. Now that was Karuna, which is the UBU top tier prime example of.

A (7:30)

That's your triple A game sort of. That's your, your real top end now if you go to like one of the indie level, sort of.

B (7:39)

Yeah. So the, the Next Exploit kit, I guess that was published this week, there's a couple of different variants. I. So the top level name that Google gave it is Dark Sword, which I think may have been in the kit itself somewhere.

A (7:54)

Yes, they talk about comments somewhere. Yeah, yeah.

B (7:58)

And that seems it's more up to date but less capable, less sophisticated one might say. Yes, maybe that's a better word. I mean once you exploit a device, you've exploited it, it's yes or no. It doesn't matter how beautiful it is, I suppose.

A (8:15)

So the interesting there's a number of interesting things. One of them is the number of people who purchased it still seems fairly small. Right. You've got this.

B (8:26)

Right, Right. So there's three different reports that I've seen. There's one from Google Threat Intelligence Group, there's one from Iverify, and there's one from Lookout. So the Google report talks about essentially three different groups using the kit and it seemed like they kind of did their own implant afterwards to some extent at least. So one was Saudi Arabian users targeted via a Snapchat themed website.

A (8:57)

Okay.

B (8:58)

The second one, which they gave a different name was a Turkish commercial surveillance vendor selling it to users in Turkey and Malaysia. And so that that surveillance company is called Pars Defense P A R S. And then the third user was the Russians and they'd also used Karuna and they were targeting people in Ukraine.

A (9:23)

Right. And they ge the IPs to specifically target Ukrainian users. They were using compromised Ukrainian sites, but then they also geofenced the IPs so that only Ukrainian users that hit those Ukrainian sites would be hit. Like to me that says targeted. Like it's a broad target, but it is targeted. Right, Like Ukraine is a target.

B (9:48)

Yeah, yeah. And I mean the websites were purporting to be Ukrainian government as well, so niche stuff. I've got to say I'm a bit surprised that it was geo fenced to Ukraine. But I guess that implies that if you've got a military purpose, it's a

A (10:02)

security thing, I would think. Right. Because you're going to have Google web crawling. Right?

B (10:08)

Okay. Yep, yep.

A (10:09)

Right. And you would want to not send your exploit to Google's web crawler or any of the other web crawlers out there. That's how I would interpret that. Not that it was a politeness thing where they just didn't like in case it's the Polish, we better not hack them. That would go over really badly. It was one of those.

B (10:27)

Well, I was just thinking that if it's a military thing and you've got a military purpose, why, I guess it just saves you filling up your database with stuff that you're not going to is not actionable for what you're trying to do.

A (10:38)

I guess I would agree with that in that you're probably looking to sort of hit only the targets that you want. And I would say that that includes not hitting targets you don't want, such as a Google web crawler or an AI scraper or something like that. So it's a sort of a security mechanism as well. Would be my thing.

B (10:58)

So it's interesting to me this like just looking through the different reports, the very strong vibe you get is it's not as sophisticated, which we'll talk about, I think.

A (11:10)

You know, I'm not saying that there's a problem. Indie developers sort of putting out their own thing. It's good. We want to have an ecosystem where there's a lot of people taking part and sort of there can be a lot of creativity outside of these AAA studios. But you know, but I think it's

B (11:27)

interesting that there was a number of customers immediately, even though it's still a current at the time. Well, I guess iOS 18. So more current.

A (11:36)

It was current at the time, I think.

B (11:38)

Yep.

A (11:39)

Or current. Ish.

B (11:40)

Right. So I think it's interesting that even though it's more current. So it's. And hang on, I think the Google said that they had detected it from November 25th, which is like. Hang on.

A (11:52)

Yeah, 26 came out in September. Right.

B (11:56)

Yeah, yeah, that's. So it's possible that it's the. As soon as you're not current, the aperture of customers opens up.

A (12:05)

Right. I like. I don't imagine a Turkish surveillance vendor is your number one go to customer. If you have this capability, you're probably going to try and sell to someone in the west first. You know how I would parse this? NATO customers. Right, right. Like you're, you're selling, you're selling this thing you expanded to like the. From five eyes to NATO to. At some point it sort of gets resold by someone that you've sold it to. You know, it sort of goes down the chain.

B (12:40)

Right? Yeah. So Google says they first detected it. If I'm reading their timeline. Right. In the Saudi Arabian. The customer targeting Saudi Arabian users.

A (12:52)

See, I bet you they didn't geofence. That was their mistake.

B (13:00)

So I've got to say some of the stuff in the reports is quite amusing.

A (13:09)

As we said that there's these sort of three tiers of use cases. The Turkish Malaysian axis, the Saudi Arabians and then the Russian users. It seems like the Turkish surveillance company put quite a bit of effort into customizing, securing, making it more stealthy, adding functionality. Like they took the sort of bare bones raw exploit kit and they customized it to work properly for their environment and to not be easily detected and to do what they needed it to do.

B (13:44)

Yep, yep. I mean Google says unlike the Saudi activity, this campaign was carried out with more attention to opsec with obfuscation applied to the exploit loader and some of the exploitation stages. They used encryption to encrypt exploits between the server and the victim.

A (14:00)

Yep. That sounds responsible. I would say, like that's what you should be doing.

B (14:05)

Yeah.

A (14:06)

However, like, we can, we can kind of skip the Saudi one because the Russian one is hilarious. I think there's not so much info on the Saudi one, but like the Russian one, it's sort of, it's very bare bones. I think that the, like, when they purchased the kit, they got it complete with source code. So it's going to have like comments, it's going to have usable names, it's going to be clearly like you're going to see clear indications of what everything is. And so just to back up ever so slightly, the way that Lookout and Iverify got involved in this is when the Karuna announcement came out, Lookout went through all of their, like their data sets looking for logs and things like that to see has this thing occurred in our log base. They found a related URL that had almost the exact same, like it had the same components with a small change. And they thought, huh, this might be something. And then they saw that the full URL ended with rcemodule js.

B (15:13)

I think some of the names are great. What else is there?

A (15:18)

See, I think there's probably just going to be a lot of false positives because you're going to hit react container element all the time.

B (15:29)

Yeah. And the other one is S box, S box, SBX0, sandbox escape.

A (15:39)

And then the next one was Peloader, which is privilege Escalation Loader. But all of that said, while they didn't seem to have done any customization on the exploits, they did add a bunch of functionality to the implant.

B (16:03)

Yeah. So there's a list here of what the capabilities are.

A (16:10)

So it does the sort of things that you'd expect. You're getting the WhatsApp data, the SMS database, call history, contacts, Safari history, the bookmarks, the browser state, the cookies, locations, notes, calendars, photos, health, device identifiers, configuration

B (16:32)

preferences, SIM cards, basically everything that's consistent with state espionage. These are all the things you just grab, Right?

A (16:41)

Right. Just absolutely everything, you know, and then it grabs all the other stuff that you expect. Coinbase, Finance Ledger, Trezor Trust Wallet, Metamask, Electrum Blockstream Bread Wallet, Mycelium Samurai Blue Wallet.

B (17:04)

So like, I presume this is just the Russian State hackers going, oh, well, I'm doing a bit of hacking, I may as well make some money on the side, I suppose.

A (17:16)

I think this is what happens when your recruitment pool includes a lot of people with a criminal background, right, like, you go to them, you go like, look, we've got this kit. What we need you to do is customize it and make it ready for deployment. So the guy takes it and rather than going through and changing RCE loader to widget js, he goes through and he goes, ah, I see what it's missing. There's nothing for crypto in here. Why don't I just fix that for you? Right. My initial thought was that the people selling it probably added some implant functionality of their own so that there'd be like a revenue stream in addition to licensing. But it seems that only the Russian one has this one. Only the Russian variant has this capability, which makes me think that it was the operators deploying it who just expanded it.

B (18:13)

Yeah, that seems right. It's only that particular one targeted Ukraine that has that.

A (18:19)

Yeah, I was going to say the one other interesting thing about the way that it works is that it runs entirely in JavaScript, at least the Russian one. I'm not sure I didn't say anything about the others, but it doesn't deploy anything at all. There's no persistence mechanism, it doesn't have any injections, it just runs in JavaScript, collects everything in temp bundles, it exfiltrates it and then it's done. It leaves the device, which is very. That's a very weird way of operating, except it's surprisingly good opsec for people who use RCE loader for a module of their exploit kit. It's incredibly light touch. Except that it isn't.

B (19:12)

Well, I was thinking about that in the context of what you said about recruiting criminals and so perhaps that there's a way of doing things that is still inherited from the good times and that now you've got people operating within that framework of. Well, yeah, no, we don't. We don't do the work to put in.

A (19:33)

Right.

B (19:33)

Persistent implants.

A (19:35)

I mean, once someone's. Once someone's wallet is drained, they're not going to top it up again on the same phone.

B (19:42)

Yeah. And I think a lot of the things that you grab, like account credentials and authentication tokens and stuff like that, so you don't need to necessarily stay on the device.

A (19:52)

Right. Once you have their authentication tokens, who cares what they do afterwards? You're better off not leaving traces, actually, that's the better way to handle it.

B (20:04)

So overall, I think that it seems like a tale of two types of implants or two types of exploit kits here. Where you've got the ubiquit super duper one and then you've got this newer version, not as good, but they're still falling in the same operational paradigm of when they're very, very, very valuable, they're used carefully and with a lot of opsec. As they age out or become less relevant, they're deployed more widely. At that point they get picked up by in both cases, I guess Google. And at that point they're patched. In terms of being like a regular person, I'm not thinking that my threat, my risk has changed at all.

A (20:56)

Because if you update within the first few days of the update becoming available, I think that you would have been safe from all of these.

B (21:08)

And there's also lockdown mode as well.

A (21:10)

Right.

B (21:10)

So I think all the ones I've read, it's basically said if you had lockdown mode there would have had to be extra.

A (21:17)

Yeah, it would not have worked. Look, if you're targeting someone who's on a version behind, they're not on a version behind and using lockdown mode, it's a Venn diagram with no intersection at all. Right. It's pretty safe.

B (21:34)

Now having said that, I am not a crypto person, so I feel particularly. Is it safe? I guess so. I feel like I'm not in that target demographic because that's still a high value target for I don't have my

A (21:51)

personal wealth on my phone. If you're doing a risk assessment, I would say that that's probably the problem that you should look at. Not how well is your phone protected, it's that it's on your phone. Like what is wrong with you?

B (22:12)

So if you have a crypto phrase, perhaps don't take a photo of it and store it in your phone. Is that the. That's the take home message, the big picture take home message.

A (22:21)

The big picture take home message is update your iOS and forget about this. Like it's not. If you listen to between two Nerds, you're one of the smartest people on the planet and you're not a target demographic for this because you update your phone. So I wouldn't worry about it, but

B (22:45)

I kind of think that the listeners of Between2Nerds are amongst the elite of the cyber policy world. Right.

A (22:54)

So look, I wouldn't worry about this sort of kit, I'd worry about current

B (22:58)

ones which the ones we don't know about.

A (23:02)

Oh, good.

B (23:05)

Feels much better.

A (23:06)

Yeah. You know, you're not in the like the sort of second rate cast off, hand me down exploit kit range. You're at the top tier. Bespoke, tailored, top end.

B (23:18)

Right, okay. Yeah, I see the message now. So you and I don't need to worry about it. It's just all our listeners that need to worry about. What a relief.

A (23:30)

Thanks a lot, Tom.

B (23:32)

Thanks, Rock.