Research

The latest contributions and threat intelligence analysis from Blueliv’s analyst team. Explore our reports and whitepapers, designed to help security teams of all sizes implement their value and improve their security posture.

research-blog
Spanish consultancy Everis suffers BitPaymer ransomware attack: a brief analysis
On 4th November 2019 researchers and the media reported a massive ransomware attack against several Spanish companies. Some of this news was exaggerated as it transpired that just two companies confirmed a security incident. However, both companies were attacked by a different threat actor.  This blog post will seek to clarify some details concerning the attack against Everis, which was different to...
research-blog
An analysis of a spam distribution botnet: the inner workings of Onliner Spambot
  Table of contents Introduction Modular Design Worker Module Onliner Custom XOR key generation algorithm Checker SMTP Module Mailer Module Conclusion IOCs   Introduction Successful cybercrime campaigns make use of different elements working together to achieve their common goal. In the case of Onliner, the spambot appears to be...
research-blog
Old tricks still work
There are many well-known anti-VM / anti-sandbox tricks in targeted malware. However, most up-to-date sandboxes have fixed them, or they can be fixed easily by modifying the VM in which the malware sample will run. In this article we will examine a particular technique that exploits a design flaw...
threat intel industry
Threat Exchange Network blog: May 2019
The Blueliv Threat Exchange Network is a global community of thousands of cybersecurity experts, IT professionals and academics. Each month members publish the latest news, threat data, IOCs and more in order to improve resilience and accelerate incident response. Members can create their own intelligence feed for free by exporting...
Sweet Dream(s): An examination of instability in the darknet markets
These past few weeks in cyber underground news have seen the surprising hat trick of the passage of the self-imposed deadline for the closure of the notorious Dream Market, the law enforcement seizure of Valhalla Market, and the law enforcement takedown and arrests of admins associated with the Wall Street Market.  Many of the trends observed following...
Threat Actor activity: a quick recap
In our recent Threat Landscape Report we profiled several active threat actors which have made an impact over the past year. All of the threat actors in this article remain under close observation. Sharing this intelligence is part of our ongoing mission to collaborate with industry peers, enrich the...
research-blog
Where is Emotet? Latest geolocation data
Emotet is an old malware threat that continues to affect many users and companies around the world. Once a machine has been infected, a number of things can happen—but typically, new malware is deployed and credentials are stolen. Emotet’s business model is based on distribution groups – the stolen...
Fraud and cybercrime in Latin America: an evolving threat landscape
Internet penetration is rapidly increasing in Latin America. Mobile usage is commonplace, and more people own bank accounts than ever before which means online transactions are also on the rise. This is great news for innovative Latin American companies, and consequently, cybercriminals targeting them. With higher levels of growth...
Selling FormBook
Our home city Barcelona hosted BSides last week, where the information security community across Europe gathered discuss the current security landscape. Members of our Labs team were invited to present research into FormBook, one of the most notorious info-stealers and form-grabbers in recent years. The fight against cybercrime is...
Overview and thoughts about Shamoon3 toolkit
Introduction On August 15, 2012, a computer attack left “out of the box” about 30,000 Windows systems of the Saudi Aramco oil company. The incident had a significant impact on businesses processes and production at the company, which took weeks to return to normal activity. The malware deployed in...
Annual Cyberthreat Landscape report shines spotlight on credential theft and expanding Latin America market
Today we launch our Annual Cyberthreat Landscape Report for 2018-19, providing insights into emerging and evolving cybersecurity trends. By sharing intelligence and collaborating with the industry, we are in a much better position to fight cybercrime this year. The report reveals that botnet stolen credentials increased by a staggering fifty...
Sales of AZORult grind to an AZOR-halt
Author of Popular Credential Stealer Announces End of Sales Key Points In late December, the author of the AZORult stealer publicly stated that he would be ending sales of the malware. AZORult has been advertised on Russian-language cybercrime forums since at least 2016 and has become fairly popular among...
research-blog
CryptoAPI in Malware
For a considerable period, cryptography algorithms with varying levels of complexity have been detected in most malware families. Many have different purposes, from decrypting configuartions carried by the malware or downloaded from a server, to encrypting communications with C2s, to encrypting user files in the case of ransomware, and...
Managing cyber-risk: Cyberthreat intelligence and the Insurance sector
Organizations in all sectors face increasingly virulent and sophisticated cyberthreats on a weekly, if not daily basis. The insurance sector is particularly at risk.  From organized criminal groups seeking PII (personally identifiable information), financial account data and anything else that can be monetized, to hacktivists trying disrupt the day-to-day...
research-blog
ARS Loader evolution, a new stealer (ZeroEvil) and AirNaine (TA545)
This blog post details the research performed by the Blueliv Labs team and presented by Jose Miguel Esparza at Virus Bulletin in Montreal. The research is related to ARS Loader and its evolution, the appearance of a new stealer based on ARS, ZeroEvil, and how both malware families have...
research-blog
Drupalgeddon2 (SA-CORE-2018-002 / CVE-2018-7600) – an analysis of payloads observed in the wild 
A few weeks ago a highly critical Drupal vulnerability dubbed as Drupalgeddon2 (SA-CORE-2018-002 / CVE-2018-7600) was discovered and patched by Drupal developers. This security problem permits remote code execution (RCE) without user authentication and affects the Drupal core of versions 7, 8 and the unmaintained 6 too. Aside from...
GDPR-Accelerate-your-reaction-time
GDPR: Accelerate your reaction time, reduce your penalty
New whitepaper shows how threat intelligence can help mitigate the impact of GDPR on your business The new European Union General Data Protection Regulation (GDPR) is coming into force soon, and personal data breaches will be among the most seriously penalized issues a company can face. In fact, an organization in breach of GDPR...
artificial-intelligence
Research from Blueliv honored at Artificial Intelligence & Machine Learning conference
Blueliv recently participated in the 20th International Conference of the Catalan Association for Artificial Intelligence (Congrés Català en Intel·ligència Artificial or CCIA), whose objective is to foster discussion among the local Artificial Intelligence & Machine Learning research community. Blueliv’s Daniel Gibert presented a poster of his collaborative work on...
research-blog
Making the headlines: Bad Rabbit and Reaper malware
Though we process thousands of malware samples per day, very few of them attract the attention of the mainstream media in the way that Bad Rabbit and Reaper have recently. Here’s a quick overview, their potential impact on business and some suggested mitigation techniques to help you and your...
research-blog
TrickBot banking trojan using EFLAGS as an anti-hook technique
In one of our analysis of the TrickBot banking trojan, we found an interesting anti-sandbox that catches (almost) all user-mode (ring3) sandboxes, and we would like to share it with you. hash: 2ebeef906142f328168e7e62e8be7fbaee48e3521853d76ea778005ada6e938a The sample does something like this: lea eax, ; 1. prepare buffer for GetSystemTime push...
sonic-drive-in-credit-card-theft-detection-use-case
Sonic Drive-In | Credit Card Theft Detection Use Case
Photo courtesy Sonic Franchises On September 26, 2017, Sonic the U.S. fast-food chain based in Oklahoma City, OK, with about 3,600 locations across 45 states, acknowledged that their payment processor detected some unusual activity. “The first hints of a breach at the Oklahoma City-based fast-food chain came last...
Avoid-being-the-next-Equifax
Data Breach | Avoid being the next Equifax
Image Courtesy CNN Money On 29 July 2017, Equifax, one of the big-three credit reporting companies, announced the discovery of a data breach exposing an estimated 143M Americans. Unauthorized access took place between mid-May through July 2017. One source has called this a category-5 event.   Details of the...
security-posture
4 Strategies to bolster your 2017 security posture
Is your business prepared for a cyber threat? Here are some considerations to help you understand the important dynamics of your security posture strategies: End users are the number one security risk in any organization Your security strategy needs to be adaptable to a changing threat landscape BYOD, 3rd-party...
avoid-toxic-rogue-mobile-apps
Threat intelligence to help you avoid toxic rogue mobile apps
Image Courtesy BBC News How did my dad’s Uber account get hacked? Sometime around July 6, 2017, ABC News Brisbane reporter Josh Bavas, received 2 a.m. notification that someone had just accessed his Uber account in Los Angeles and shortly after, someone in Moscow. (He was in Australia.) He...
brand-abuse
10 things you need to know about brand abuse and how to stay alerted to them
Brand abuse is a big problem, and it’s getting bigger. Between 2010-2014, the EU, US, and Japanese customs authorities seized and estimated €467.5M EU / $953.2M US / ¥100M JA in counterfeited products from China alone. The next 4 countries–Hong Kong, Turkey, Greece, and Panama–accounted for another third. Brand...
Man-in-the-browser
How banks can protect customers from “Man in the browser attacks”
Criminal groups use a wide range of methods to compromise users and siphon its bank accounts, for this reason, when a user’s computer is infected by a malware, depending on its main goal and its capabilities, it could use multiple methods to obtain sensitive information, such as changing the...
Targeted-malware-detection
Targeted Malware Detection
Today’s cyber criminal wants one thing. He wants to get his malware into your IT network because once he’s in, he can go to work–remotely–achieving the myriad of other criminal activities he and his accomplices have in mind. Your best defense against targeted malware is to thwart the criminal...
leaked-data
Avoid the cost and headache of leaked data (here’s how)
“Leaked data falls into 4 types,” says Peter Gordon from SANS Institute: confidential information, intellectual property, customer data and health records. Data leakage, however, is not limited to deliberate efforts of cyber espionage. In fact, a surprising amount of it tends to be the result of human error–well into...
colors-of-cybersquatting
The many colors of cybersquatting – Do not underestimate them
Blueliv Guest Post | Jean-Jacques Dahan, Managing Director and Expert Consultant for Online Brand Security & Global Domain Strategy at Zeusmark. Cybersquatting is a constant challenge for a company. It is a broad concept involving many aspects of risk, speculation, and fraud. It should not be underestimated as it provides a...
ruthless-cybersquatters
Protect your business against ruthless cybersquatters
Also this week: Blueliv is pleased to announce a featured post on the subject of Cybersquatting from Jean-Jacques Dahan–Managing Director and Expert Consultant for Online Brand Security & Global Domain Strategy, Zeusmark. This article continues the discussion begun with the Phishing module article. Now, the focus will be on...
Petya-ransomware-2
Petya Ransomware cyber attack is spreading across the globe – Part 2
Following our first blog providing an early analysis about Petya, we are sharing further findings of the malware analysis that we have performed. We divided this post into the three areas we have briefly analyzed after the Petya attack: the propagation techniques of the malware, the encryption techniques used,...
Petya-ransomware-1
Petya Ransomware cyber attack is spreading across the globe – Part 1
As you might know, Petya Ransomware is currently devastating Airlines, Banks & Utilities and many other businesses across the globe. Denmark, France, Spain, Ukraine, and the USA are already impacted and many others might be too in the coming hours. So far, it seems that the sample is being...
phishing
Business threat intelligence | Win the fight against phishing attacks
Blueliv has one module that handles two of the main cyber threats targeted at businesses–Phishing and Cybersquatting. This module plugs into our threat monitoring Enterprise Platform Solution. For completeness, we’ll divide these threats into separate articles. First, it’s important to understand the inherent nature of these attacks. Criminals who...
MRTI-Feed
Cyber Threat Intelligence Feeds | Secure your network before an attack
Which malicious malware attack does your boss need you to block today? Blueliv Cyber Threat Intelligence Feeds provide security information that’s granular, industry specific and on time. Experts from respected think tanks like Gartner and RSA agree. Knowledge-based information and targeted action are having a profoundly positive effect on...
honeypots-wannacry
What our honeypots taught us about Wannacry ransomware
WannaCry has been on the lips, and especially in the concerns of everyone these last days. As we have addressed in recent posts, Friday, 12th May, marked the beginning of a massive global campaign to spread the WannaCry ransomware (a.k.a. WCry, WannaCrypt, WCrypt, WannaCrypt0r…). The ransomware spreads through a...
wannacrypt-analysis2
WannaCrypt Malware Analysis
Last Friday, 12th May, a worm targeting outdated Windows machines was detected. The worm in question used leaked NSA exploits to propagate and dropped a variant of a ransomware called WannaCrypt. This post will try to give you an insight into the infection process, as well as the spreading...
credit-card-theft1
The real cost of credit card theft and how to protect your assets
Sometime in mid-February 2017, anti-fraud teams from multiple financial institutions contacted KrebsOnSecurity for help tracing the source of a credit card fraud happening in high-end restaurants around the U.S. Investigations revealed a vast majority of patrons with compromised cards dined in locations run by Select Restaurants, Inc., a management...
botnets
Peeling back the layers surrounding zombie computer botnets
What is a Botnet? To understand a botnet, you first must begin with a bot. A bot is an automated malware program or roBOT that takes control of a computerized device. That single, infected computer, or connected device, joins a larger roBOT NETwork–or BOTNET. Once hijacked, these devices transform...
Deep-dive-into-the-dark-web
What is the Dark Web?
Deep dive into the Dark Web The Dark Web a part of the World Wide Web made up of a variety of anonymous networks, untraceable online activity and non-referenced URLs and domains. It is only through software that enables users to browse these networks anonymously. The most common network...
Mirai_code_2
Mirai: the people’s botnet
Mirai-botnet, the infamous IoT botnet, has struck again, and this time it almost took down an entire country; Liberia. Mirai botnet is a botnet that attempts to infect Internet of Things (IoT) devices to perform DDoS attacks, and was recently used to perform the largest DDoS attack ever which...
ransomware
Ransomware – an up-to-date overview
Overview The Blueliv Threat Intel Research Labs team has recently analyzed a large amount of ransomware samples to obtain a global overview on the status quo of this malware family. We’re sharing our conclusions here. Think before you pay We’ve found that in some cases, ransomware encrypts your data...
ransomware
From Barcelona to London: Blueliv at RANT! Risk and Network Threat forum
This week Blueliv sponsored its first RANT forum event at The Counting House in London to share the findings from the recent technical investigation into banking Trojan Vawtrak v2. Ramon Vicens, VP of Threat Intelligence Research Labs, talked through the analysis and was met with lively debate from the...
Vawtrak
Vawtrak v2: The next big banking Trojan
This month Blueliv Threat Intelligence Research Labs team has published an exclusive report revealing the most complete picture of Vawtrak v2 malware seen to date. Vawtrak is a serious threat to the finance sector and is predicted to be the next major banking Trojan. Chasing cybercrime: Network insights into...
Vawtrak
Vawtrak banking Trojan: a threat to the banking ecosystem
Today marks the start of c0c0n International Cyber Security and Policing Conference 2016 where our Labs Research expert, Raashid Bhat, will be sharing insight into the threats posed by the Vawtrak Trojan, one of the most prevalent banking Trojans around today. It promises to be an unmissable session based...
Ransomware chronology
Ransomware – How to defend yourself against it
What is Ransomware? Ransomware is a type of malware that has lately been increasingly in use by the cyber criminals. In order to profit from the distribution of Ransomware, the bad guys have been targeting numerous businesses and large organizations around the world. In essence, the Ransomware malware is...
Inside-Tinba-Infection-Stage-2
Inside Tinba Infection: Stage 2
This is a continuation of the first Tinba post, which is part of a series of posts on how Tinba gradually infects a system. Before we jump into analysis, let’s do a quick recap of the previous actions performed by Tinba and described in the STAGE 1 post: Prepares...
Cyber-Attacks-Targeting-SWIFT
Cyber Attacks Targeting SWIFT – Recap
SWIFT stands for Society for Worldwide Interbank Financial Telecommunication, and its purpose is to allow banks and financial institutions in general to communicate securely. It is used in the exchange of information between banks, such as transactions. In this post you will get a short summary of the incidents...
Inside-Tinba-DGA-Infection-Stage-1
Inside Tinba-DGA Infection: Stage 1
Tinba DGA is a bank trojan that was first discovered in 2012. It is mainly distributed through malware spam emails or malvertising. Although not a new threat, Tinba is still one of the used trojans by criminals to steal online banking sensitive information. There are a number of papers on how...
Malware-grabbers-and-their-behavior
Malware grabbers and their behavior
Malware is made to serve very different kinds of purposes, which depend on the objective of the authors. Nowadays, there is a very large number of samples that exist and it is common to classify them into different categories based on their behavior. This post provides an overview of...
Antihooking-techniques-used-by-Andromeda-aim-to-defeat-Cuckoo-like-sandboxes
Antihooking techniques used by Andromeda aim to defeat Cuckoo-like sandboxes
Some sandboxes, for example, Cuckoo Sandbox, implement a technique known as hooking. The hooking of functions allows the programmer, user or analyst to intercept calls, messages or events passed between a program and its libraries. This is very useful when analyzing malware because it allows the reverse engineer to view...
research-blog
Tracking the footprints of PushDo Trojan
PushDo Trojan is a downloader trojan responsible for downloading its spam counterpart and other malicious Trojans. Since its beginning, it has evolved into many different versions and in this blog post, we will make a deeper analysis of it. The Packer PushDo Trojan often comes along with a packer, which...
Blueliv-Releases-Q3-2015-Global-Cyber-Threat-Report
Blueliv Releases Q3 2015 Global Cyber Threat Report
  Between July and September 2015 Blueliv detected and analyzed 5.5 million stolen credentials and credit cards, 300,000 targeted malware samples, and 500,000 crime servers through its cyber threat intelligence platform. Now, we want to share the analysis of this data with you in our Blueliv Global Cyber Threat Report. THEFT...
Revisiting-the-latest-version-of-Andromeda-Gamarue-Malware1
Revisiting the latest version of Andromeda/Gamarue Malware
Andromeda Malware aka Gamarue Malware has been prevalent since it came into limelight a couple of years ago. Also, the author keeps it well updated ever since. With respect to its earlier avatars, it has gone through several changes from anti-analysis to a change in protocol format. Some excellent write-ups...
Dridex-reloaded
Dridex reloaded?
Dridex has been the scourge of banks regarding bank data and credential theft as well as fraud in the last 12 months. Cyber criminals have been improving the network following the special cases and problems they have faced depending on the financial institutions they have attacked. They have also...
Introduction-to-honeypots
Introduction to honeypots
As most of you already know, honeypots are hosts that act as a bait, exposing services on the internet in order to lure attackers. Below is a honeypots introduction. Using honeypots, security researchers can: Monitor the attackers’ activity on the internet. Discover possible vulnerable services being exploited by an...
Demo Free Trial Community Newsletter