Threat Exchange Network blog: April 2019
The Blueliv Threat Exchange Network is a global community of thousands of cybersecurity experts, IT professionals and academics. Each month members publish the latest news, threat data, IOCs and more in order to improve resilience and accelerate incident response. Members can create their own intelligence feed for free by exporting IOCs via our API and numerous SIEM plugins.
The fight against cybercrime is a collaborative effort. Here you’ll find some of the top posts from our Threat Exchange Network over the past month.
Join for free today – in addition to fresh intelligence, members also have access to our automated elastic sandbox and real-time cyberthreat map, including details on active crime servers.
Europe hit with multi-stage malware loader via signed malspam
A multi-stage malware loader named JasperLoader has been detected, primarily targeting Italian and German victims. The loader allows the attacker to execute PowerShell commands and download GootKit, a banking Trojan. It is distributed via malspam, but the emails are digitally signed. The same loader has been used over the past year to distribute other malware, such as DanaBot and Emotet. [211 IOCs] Learn more >
Exodus: new Android spyware made in Italy
Previously unknown spyware apps have been successfully uploaded to the Google Play Store multiple times in recent years. All identified variants of this spyware – around 25, at the last count – shared a similar disguise: in most cases they were crafted to appear as apps distributed by unspecified mobile operators in Italy. The app description would reference SMS messages the targets would supposedly receive, leading them to the Play Store page. [34 IOCs] Learn more >
XWO: a Python-based bot scanner
A new malware family was recently discovered, actively scanning for exposed web services and default passwords. It has been named ‘Xwo’, after its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock. [30 IOCs] Learn more >
Fake order delivering AveMaria stealer via a hard-to-analyze Office doc
A new malware campaign distributed via email has been detected. The payload, embedded within a malicious Microsoft Word document, has been identified as the AveMaria stealer. [29 IOCs] Learn more >
DHS and FBI uncovered North Korean Hoplight malware in government network
A new, sophisticated malware called “Hoplight”, attributed to the North Korean government activity tracked as Hidden Cobra, has been spotted on a US government network. The variant was found to consist of nine executable files used by the attackers to steal sensitive data from the targeted network. Seven of these are proxy applications deployed by the threat actors to mask traffic between the malware and its remote operators. The proxies can fake TLS handshake sessions using valid public SSL certificates to establish a secure connection with the remote attackers. [28 IOCs] Learn more >
Our community is growing daily – become a member for free and contribute to the network.