Research

The latest contributions and threat intelligence analysis from Blueliv’s analyst team. Explore our reports and whitepapers, designed to help security teams of all sizes implement their value and improve their security posture.

Drupalgeddon2 (SA-CORE-2018-002 / CVE-2018-7600) – an analysis of payloads observed in the wild
April 18, 2018
A few weeks ago a highly critical Drupal vulnerability dubbed Drupalgeddon2 (SA-CORE-2018-002 / CVE-2018-7600) was discovered and patched by Drupal developers. This security problem permits remote code execution...

GDPR: Accelerate your reaction time, reduce your penalty
November 13, 2017
New whitepaper shows how threat intelligence can help mitigate the impact of GDPR on your business. The new European Union General Data Protection Regulation (GDPR) is coming into force...

Research from Blueliv honored at Artificial Intelligence & Machine Learning conference
November 3, 2017
Blueliv recently participated in the 20th International Conference of the Catalan Association for Artificial Intelligence (Congrés Català en Intel·ligència Artificial or CCIA), whose objective is to foster discussion among...

Making the headlines: Bad Rabbit and Reaper malware
October 27, 2017
Though we process thousands of malware samples per day, very few of them attract the attention of the mainstream media in the way that Bad Rabbit and Reaper have...

TrickBot banking trojan using EFLAGS as an anti-hook technique
October 6, 2017
In one of our analyses of the TrickBot banking trojan, we found an interesting anti-sandbox technique that catches (almost) all user-mode (ring3) sandboxes, and we would like to share it...

Sonic Drive-In | Credit Card Theft Detection Use Case
October 5, 2017
On September 26, 2017, Sonic, the U.S. fast-food chain based in Oklahoma City, OK, with about 3,600 locations across 45 states, acknowledged that their...

Data Breach | Avoid being the next Equifax
September 19, 2017
On 29 July 2017, Equifax, one of the big-three credit reporting companies, announced the discovery of a data breach exposing an estimated 143M Americans. Unauthorized...

4 Strategies to bolster your 2017 security posture
September 1, 2017
Is your business prepared for a cyber threat? Here are some considerations to help you understand the important dynamics of your security posture strategies: End users are the number...

Threat intelligence to help you avoid toxic rogue mobile apps
August 23, 2017
How did my dad’s Uber account get hacked? Sometime around July 6, 2017, ABC News Brisbane reporter Josh Bavas received a 2 a.m. notification that someone...

10 things you need to know about brand abuse and how to stay alerted to them
August 11, 2017
Brand abuse is a big problem, and it’s getting bigger. Between 2010-2014, the EU, US, and Japanese customs authorities seized an estimated €467.5M EU / $953.2M US / ¥100M...

How banks can protect customers from “Man in the browser attacks”
August 4, 2017
Criminal groups use a wide range of methods to compromise users and siphon their bank accounts. For this reason, when a user’s computer is infected by malware, depending...

Targeted Malware Detection
July 27, 2017
Today’s cyber criminal wants one thing. He wants to get his malware into your IT network because once he’s in, he can go to work, remotely, achieving the myriad of other...

Avoid the cost and headache of leaked data (here’s how)
July 20, 2017
“Leaked data falls into 4 types,” says Peter Gordon from SANS Institute: confidential information, intellectual property, customer data and health records. Data leakage, however, is not limited to deliberate...

The many colors of cybersquatting – Do not underestimate them
July 7, 2017
Blueliv Guest Post | Jean-Jacques Dahan, Managing Director and Expert Consultant for Online Brand Security & Global Domain Strategy at Zeusmark. Cybersquatting is a constant challenge for a company. It is...

Protect your business against ruthless cybersquatters
July 6, 2017
Also this week: Blueliv is pleased to announce a featured post on the subject of Cybersquatting from Jean-Jacques Dahan, Managing Director and Expert Consultant for Online Brand Security & Global...

Petya Ransomware cyber attack is spreading across the globe – Part 2
June 29, 2017
Following our first blog providing an early analysis about Petya, we are sharing further findings of the malware analysis that we have performed. We divided this post into the...

Petya Ransomware cyber attack is spreading across the globe – Part 1
June 27, 2017
As you might know, Petya Ransomware is currently devastating Airlines, Banks & Utilities and many other businesses across the globe. Denmark, France, Spain, Ukraine, and the USA are already...

Business threat intelligence | Win the fight against phishing attacks
June 21, 2017
Blueliv has one module that handles two of the main cyber threats targeted at businesses: Phishing and Cybersquatting. This module plugs into our threat monitoring Enterprise Platform Solution. For completeness,...

Cyber Threat Intelligence Feeds | Secure your network before an attack
May 24, 2017
Which malware attack does your boss need you to block today? Blueliv Cyber Threat Intelligence Feeds provide security information that’s granular, industry specific and on time. Experts from...

What our honeypots taught us about Wannacry ransomware
May 23, 2017
WannaCry has been on everyone’s lips, and especially on everyone’s mind, these last days. As we have addressed in recent posts, Friday, 12th May, marked the beginning...

WannaCrypt Malware Analysis
May 15, 2017
Last Friday, 12th May, a worm targeting outdated Windows machines was detected. The worm in question used leaked NSA exploits to propagate and dropped a variant of a ransomware...

The real cost of credit card theft and how to protect your assets
May 11, 2017
Sometime in mid-February 2017, anti-fraud teams from multiple financial institutions contacted KrebsOnSecurity for help tracing the source of a credit card fraud happening in high-end restaurants around the U.S....

Peeling back the layers surrounding zombie computer botnets
May 3, 2017
What is a Botnet? To understand a botnet, you first must begin with a bot. A bot is an automated malware program or roBOT that takes control of a...

Deep dive into the Dark Web
April 11, 2017
What is the Dark Web? The Dark Web is a part of the World Wide Web made up of a variety of anonymous networks, untraceable online activity and non-referenced URLs...

Mirai: the people’s botnet
November 14, 2016
Mirai, the infamous IoT botnet, has struck again, and this time it almost took down an entire country: Liberia. Mirai is a botnet that attempts to infect Internet...

Ransomware – an up-to-date overview
November 9, 2016
Overview: The Blueliv Threat Intel Research Labs team has recently analyzed a large amount of ransomware samples to obtain a global overview on the status quo of this malware...

From Barcelona to London: Blueliv at RANT! Risk and Network Threat forum
September 30, 2016
This week Blueliv sponsored its first RANT forum event at The Counting House in London to share the findings from the recent technical investigation into banking Trojan Vawtrak v2....

Vawtrak v2: The next big banking Trojan
September 20, 2016
This month the Blueliv Threat Intelligence Research Labs team has published an exclusive report revealing the most complete picture of Vawtrak v2 malware seen to date. Vawtrak is a serious...

Vawtrak banking Trojan: a threat to the banking ecosystem
August 19, 2016
Today marks the start of c0c0n International Cyber Security and Policing Conference 2016 where our Labs Research expert, Raashid Bhat, will be sharing insight into the threats posed by...

Ransomware – How to defend yourself against it
August 3, 2016
What is Ransomware? Ransomware is a type of malware that has lately been increasingly used by cyber criminals. In order to profit from the distribution of Ransomware,...

Inside Tinba Infection: Stage 2
July 22, 2016
This is a continuation of the first Tinba post, which is part of a series of posts on how Tinba gradually infects a system. Before we jump into analysis,...

Cyber Attacks Targeting SWIFT – Recap
July 13, 2016
SWIFT stands for Society for Worldwide Interbank Financial Telecommunication, and its purpose is to allow banks and financial institutions in general to communicate securely. It is used in the...

Inside Tinba-DGA Infection: Stage 1
June 7, 2016
Tinba DGA is a banking trojan that was first discovered in 2012. It is mainly distributed through malicious spam emails or malvertising. Although not a new threat, Tinba is still...

Malware grabbers and their behavior
April 8, 2016
Malware is made to serve very different kinds of purposes, which depend on the objective of the authors. Nowadays, there is a very large number of samples that exist...

Antihooking techniques used by Andromeda aim to defeat Cuckoo-like sandboxes
March 1, 2016
Some sandboxes, for example, Cuckoo Sandbox, implement a technique known as hooking. The hooking of functions allows the programmer, user or analyst to intercept calls, messages or events passed...

Tracking the footprints of PushDo Trojan
February 1, 2016
PushDo Trojan is a downloader trojan responsible for downloading its spam counterpart and other malicious Trojans. Since its beginning, it has evolved into many different versions and in this...

Blueliv Releases Q3 2015 Global Cyber Threat Report
November 10, 2015
Between July and September 2015 Blueliv detected and analyzed 5.5 million stolen credentials and credit cards, 300,000 targeted malware samples, and 500,000 crime servers through its cyber threat intelligence...

Revisiting the latest version of Andromeda/Gamarue Malware
November 5, 2015
Andromeda Malware, aka Gamarue Malware, has been prevalent since it came into the limelight a couple of years ago, and the author has kept it well updated ever since. With respect to...

Dridex reloaded?
October 27, 2015
Dridex has been the scourge of banks over the last 12 months, in terms of bank data and credential theft as well as fraud. Cyber criminals have been improving the network...

Introduction to honeypots
September 29, 2015
As most of you already know, honeypots are hosts that act as bait, exposing services on the internet in order to lure attackers. Below is an introduction to honeypots....

Blueliv Releases Q2 2015 Global Cyber Threat Report
August 6, 2015
Through its cyber threat intelligence platform Blueliv detected and analyzed 5 million stolen credentials and credit cards, 200,000 targeted malware samples, and 500,000 crime servers between April and June...

Blueliv discovers the Alina variant – Joker
August 4, 2015
Joker malware is a Point of Sale malware that was developed using, as a baseline, the Alina POS source code. After tracking it for some weeks, we’ve realized that...

Introduction to Android Malware
July 9, 2015
Hello everyone! As some of you already know, mobile threats are on the rise. Every day there are more and more mobile devices, which translates into more targets for...

Webinar. Chasing the Cyber Crime: network insights of Dyre and Dridex Trojan Bankers.
June 29, 2015
We would like to invite you to the Chasing the Cyber Crime: network insights of Dyre and Dridex Trojan Bankers webinar on the 8th of July. As you may already know,...

Introduction to Blueliv’s API, part 1
June 16, 2015
Greetings everyone! Today we want to tell you a little bit more about our API and show you all the amazing things you can do with the data. This...

Performing automated Yara Q&A with Cuckoo
May 21, 2015
As is well known, Cuckoo Sandbox is a malware analysis system which allows us to customize both processing and reporting stages. In this context, we can feed Cuckoo with...

Blueliv Releases Q1 2015 Global Cyber Threat Report
May 13, 2015
Blueliv reveals the startling scale of cybercrime and pinpoints the geolocations most affected by Dyre and Dridex, the most nefarious banking Trojans. Blueliv releases its Cyber Threat Report, revealing detailed figures on...

Emerging cyber threats. What we are up against and how we fight it
April 30, 2015
The cybersecurity magazine SIC has published in its April issue the article written by Ramón Vicens, VP Threat Intelligence at Blueliv, and Víctor Acín, analyst in Threat...

Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers. (Report)
April 22, 2015
Trojan Bankers are a family of botnets that specialize in stealing information related to the financial sector and user data in order to sell it in underground marketplaces, some...

Main PoS infection techniques and how to avoid them
April 9, 2015
Stealing payment card data has become an everyday crime that yields quick monetary gains. The goal is to steal the data stored on the magnetic stripe of payment cards,...

The Equation Group: a new degree of sophistication in APT attacks
March 12, 2015
The Equation Group, what do we know so far? The topic of APTs and state-sponsored espionage has been back in the news over the last few weeks. Based in...

Blueliv Cyber Threat Intelligence Report. Q3 2014
November 26, 2014
Here are the main conclusions from our analysis of the cyber threats that have been apparent on a global level during the third quarter of 2014, comparing them with the...

Measuring the impact of Shellshock in the threat intelligence landscape
October 27, 2014
Once a high-profile vulnerability is released to the public, there are a lot of people who will use the opportunity to take advantage of vulnerable machines, even if it is...

Defining the key elements of a cybersecurity strategy
September 18, 2014
There is not a day that goes by without some startling revelation about a new threat emerging from the world of Cyber-Crime. Over the last few months there...

The week of Russian leaks
September 12, 2014
This week some important leaks have arisen on the Internet, all of them related to Russian users: 1,000,000 Yandex addresses and passwords. 4,500,000 Mail.ru addresses and passwords. 5,000,000...

Cyber Threats keep growing. Blueliv’s Cyber Threat Intelligence Report.
August 12, 2014
Here are the main conclusions from our analysis of the Cyber Threats which have been apparent on a global level during the second quarter of 2014, comparing them with...

My Little Pony
May 29, 2014
One year ago our colleague Xylit0l wrote about the Pony stealer malware. It’s been a year and the Pony family has grown! At least two malware families have been found...

Origin of the infections and attacks during the first quarter of 2014
May 8, 2014
Blueliv has analyzed the main Cyber Threats which have been apparent on a global level during the first quarter of 2014, and in this post we are going to...

Behind Point of Sale (PoS) attacks
April 24, 2014
In this previous article we showed how cybercriminals were trying to infect PoS devices with Dexter malware through pcAnywhere service, port 5631. Now, what we want is to analyze...

AppCloud and the uprising SaaS Android trojan malware
April 9, 2014
Some weeks ago Intelcrawler informed of a large fraud campaign against major Islamic banking institutions and one from Spain. The malicious code infected the mobile devices of banking...

First million credit card details released
April 3, 2014
1 million credit card details, out of a set of 800 million, were released on Pastebin early this week. Almost 1 million cards were allegedly leaked by Anonymous Ukraine on...

Uncovering the new modus operandi behind POS infections
April 1, 2014
In the Cyber Fraud world there are numerous ways of doing business. One of the most well-known fraud activities that has been alive for years is the credit card...

mount.cifs arbitrary file identification 0day
April 25, 2012
During the rootedcon 2012 wargame, besides taking part, I spent some time reviewing the systems. Since /proc/kallsyms was not available, carrying out attacks against the kernel,...

Multi-protocol proxy sha0proxy v2
March 7, 2012
Exploit development usually requires more time than one has, so one has to devise techniques and tools that make the work easier. Personally, rather than patching...

Incident Response: Analyzing a mailer from memory
December 22, 2010
When detecting an incident, such as a malware infection on any machine of an internal network, it is especially critical to immortalize the “crime scene” with the...

Reconstructing data through ingenuity – Forensic analysis on mobile devices (II)
September 22, 2010
There are situations in which a forensic investigator needs to overcome the technical limitations intrinsic to the tools available today. A clear example of this occurs when the...

Forensic Analysis of an Infection – PART III
September 14, 2010
As we mentioned in the previous post, in today’s article we are going to perform a dynamic analysis of the malware. Specifically, we have taken the executable A0029519.exe located in:...

Detecting vulnerabilities in network services through fuzzing – Part I
September 9, 2010
One of the most widely used techniques for finding vulnerabilities is fuzzing. It consists of testing, in a more or less intelligent way, how an application behaves when faced with...

Forensic Analysis of a Malware Infection – PART II
September 6, 2010
Picking up the malware analysis topic we introduced in the previous post “Forensic Analysis of a Malware Infection – PART I”, we will now focus more on analyzing...

Remote acquisition with Ad|Quiere
September 1, 2010
The release of the new version of Ad|Quiere includes an application that makes remote acquisition of evidence easier. This application, “Reversessh”, establishes a reverse tunnel...

Forensic Analysis of a Malware Infection – PART I
August 31, 2010
Even during the summer period, when normal people are on holiday, security incidents arise. This is the case of an acquaintance, who very kindly lent his computer...

How to bypass the security restrictions set on a kiosk
August 14, 2010
A kiosk is defined as a machine made available to the public so that users can use the services offered by the company providing access to it. Surely many of you have...

Forensic analysis on mobile devices (I)
August 9, 2010
It is well known that mobile phones are becoming more and more like an ordinary computer. The spearhead of this trend is led by the two...

Nmap Querier (NQu)
June 19, 2010
During a pentest, we turn to many tools to obtain information that will lead us to steer the intrusion test down one path or another. Among those...

Meterpreter Cheat Sheet
June 15, 2010
With the aim of contributing to the dissemination of knowledge in IT and communications security, at blueliv we have put together a “cheat sheet” of the most relevant commands of...

Security in Lotus Domino environments
June 4, 2010
In a globalized context such as today’s, it is common to find Lotus Domino servers accessible from the Internet through their web interface. Most of them have...

Recovering emails from PST files
May 26, 2010
In forensic investigations examining possible fraudulent actions carried out by an employee of an Organization, it is very common, among other analyses, to perform a recovery...

Solution to SANS forensic challenge #5
May 15, 2010
On April 1, SANS organized a new forensic contest at http://forensicscontest.com/2010/04/01/ms-moneymanys-mysterious-malware. The contest consists of answering a series of questions posed to us from...

Reconstructing events from multiple sources of digital evidence
May 12, 2010
As in any investigation, digital ones also require a reconstruction of the facts, in which an investigator has some puzzle pieces that must be fitted together in order to...

Vulnerability Classification properly understood
May 6, 2010
The classification of IT security weaknesses is really old. As early as 1976, the RISOS project, in its report “Security Analysis and Enhancements of Computer Operating Systems”,...

On forensic acquisitions and hard disk copies
April 29, 2010
As we published at the start of the week, in collaboration with AEDEL (Asociación Española de Evidencias Electrónicas) we have launched a project aimed at building a LiveCD distribution specifically...

Reducing false positives in string searches
April 15, 2010
At blueliv we have come across a variety of projects related to the forensic field. Among the most common are corporate fraud cases, where one or more employees of the Organization...

Dumping databases using SQL Injection
April 13, 2010
On the fundamentals of SQL Injection, little new can be said. Brief Internet searches are enough to find information on its principles, its exploitation, evasion techniques...

Unmasking a botnet using cryptanalysis
April 7, 2010
In recent times we have been witnessing a significant rise in botnets put at the service of fraudulent activities, such as the mass theft of both credentials for...

When ToIP loses its voice
April 5, 2010
IP telephony is widely used in organizations. For this reason, this service must be kept free of threats such as the interception of communications or denial...

New attack vectors linked to the business
March 31, 2010
Business logic is conditioned by its initial design, so security in business logic must be taken into account from the very moment...
