Threat Exchange Network blog: March 2019

The Blueliv Threat Exchange Network is a global community of thousands of cybersecurity experts, IT professionals and academics. Each month members publish the latest news, threat data, IOCs and more in order to improve resilience and accelerate incident response. Members can create your own intelligence feed for free by exporting these IOCs via our API and numerous SIEM plugins.

The fight against cybercrime is a collaborative effort. Here you’ll find some of the top posts from our Threat Exchange Network over the past month.

Join for free today – in addition to fresh intelligence, members also have access to our automated elastic sandbox and real-time cyberthreat map, including details on active crime servers.

Fake ADP Tax Billing Records delivers Trickbot
The Trickbot delivery system, payloads and configs continue to evolve. This latest example imitates a legitimate email from ADP but actually comes from a look-a-like, typosquatted or other domain that can easily be misidentified, mistaken or confused with the genuine site. The malicious office file attachment in question is a macro-enabled XLS Excel spreadsheet in this case. Because of new GDPR rules we cannot easily find the registrants name or any further details. [17 IOCs]  Learn more >

Gaming industry still in the scope of attackers in Asia
Two games and one gaming platform application have been compromised to include a backdoor. The backdoor is then used to distribute malware disguised as legitimate software. Given that these attacks were mostly targeted against Asia and the gaming industry, it shouldn’t be surprising if they are the work of the group described in Kaspersky’s “Winnti – more than just a game.” [23 IOCs] Learn more >

C2 Server actively compromising thousands of victims discovered
A global cyberattack campaign was discovered leveraging a new strain of the Qbot banking malware. The campaign is actively targeting US corporation but has hit networks worldwide with the goal of stealing proprietary financial information, including bank account credentials. [20 IOCs] Learn more >

New Kit on the Block: Spelevo EK (CVE-2018-15982)
According to reports, this new exploit kit is using this Flash Player vulnerability to gain access to unpatched systems. Successful exploitation could lead to arbitrary code execution. The Spelevo exploit kit is believed to have some similarities with “SPL EK”, mainly seen in 2012 and 2013 and most often associated with ZeroAccess and Scareware/Fake AV. [17 IOCs] Learn more >

Fake DHL Urgent Delivery notice delivers Gandcrab 5.2 ransomware
Another Gandcrab ransomware campaign spoofs DHL Express with a fake delivery notification email. The threat actor appears to have become a little lazy, reusing a similar word template with a CDC version to deliver its malware. It is likely that they are using an off-the-shelf exploit kit, rather than developing the documents themselves. [13 IOCs] Learn more >

Our community is growing daily – become a member for free and contribute to the network.

Read our free cyber security and cyber threat reports

Read now
Demo Free Trial MSSP