Community Newsletter July 2020

Blueliv Threat Exchange Network:

July IOC highlights

Connection discovered between Chinese hacker group APT15 and defense contractor

Cyber-security firm Lookout said it found evidence connecting Android malware that was used to spy on minorities in China to a large government defense contractor from the city of Xi’an. Lookout’s report details a years-long hacking campaign that has primarily targeted the Uyghur ethnic minority, as well as the Tibetan community. The campaign infected individuals in these communities with malware, allowing government hackers to keep an eye on the activities of minority communities in China’s border regions.
[1682 IOCs] Learn more >

New Voicemail-Themed Phishing Attacks Use Evasion Techniques and Steal Credentials

An increase in the use of voicemail as a theme for social engineering attacks has been recently observed. Several newly registered domains have been discovered using VoIP and voicemail for credential-stealing phishing campaigns. The focus of this social engineering campaign is to reach end users in large enterprises in order to obtain access credentials to sensitive information that can later be sold or held for ransom.
[94 IOCs] Learn more >

New on the scene: Darkvision RAT

A new remote access tool has been identified circulating in cybercrime and hacking-related forums. This new RAT offers a wide range of plug-ins and extra functionalities such as keylogging and live webcam and microphone capture. All of these functionalities are loaded separately as individual .dll files that are selectively delivered to the infected machine without the need to write them to disk. With a price tag of only $40, it has become a cheap and easy tool for any wannabe hacker surfing well-known forums.
[59 IOCs] Learn more >

Latest Golden Chickens MaaS Tools Updates and Observed Attacks

Four different new attacks have been observed using malware-as-a-service tools from the Golden Chickens portfolio throughout March and April. The analysis concludes that the MaaS operator Badbullzvenom is responsible for the creation and updates of several GC tools: TerraLoader, a multipurpose loader with anti-analysis techniques; VenomLNK, a malicious Windows shortcut file; and more_eggs, a backdoor that cleans itself from memory after use.
[44 IOCs] Learn more >

Thanos Ransomware | RIPlace, Bootlocker and More Added to Feature Set

Thanos ransomware burst onto the scene in late 2019, advertised in various forums and closed channels. Thanos is a RaaS (Ransomware as a Service) that provides buyers and affiliates with a customized builder for producing unique payloads. Many of the options available in the Thanos builder are designed to evade endpoint security products, including the use of the RIPlace technique. To date, Thanos appears to be the only widely recognized threat making use of RIPlace, although the feature was not always part of the Thanos toolset.
[44 IOCs] Learn more >


Discover more about Blueliv

Learn how Blueliv can help your organization manage cyber risk.
