Research

The latest contributions and threat intelligence analysis from Blueliv’s analyst team. Explore our reports and whitepapers, designed to help security teams of all sizes implement their value and improve their security posture.

Our top reads

Man-in-the-browser
How banks can protect customers from “Man in the browser attacks”
Criminal groups use a wide range of methods to compromise users and siphon its bank accounts, for this reason, when a user’s computer is infected by a malware, depending on its main goal and its capabilities, it could use multiple methods to obtain sensitive information, such as changing the...
Targeted-malware-detection
Targeted Malware Detection
Today’s cyber criminal wants one thing. He wants to get his malware into your IT network because once he’s in, he can go to work–remotely–achieving the myriad of other criminal activities he and his accomplices have in mind. Your best defense against targeted malware is to thwart the criminal...
leaked-data
Avoid the cost and headache of leaked data (here’s how)
“Leaked data falls into 4 types,” says Peter Gordon from SANS Institute: confidential information, intellectual property, customer data and health records. Data leakage, however, is not limited to deliberate efforts of cyber espionage. In fact, a surprising amount of it tends to be the result of human error–well into...
colors-of-cybersquatting
The many colors of cybersquatting – Do not underestimate them
Blueliv Guest Post | Jean-Jacques Dahan, Managing Director and Expert Consultant for Online Brand Security & Global Domain Strategy at Zeusmark. Cybersquatting is a constant challenge for a company. It is a broad concept involving many aspects of risk, speculation, and fraud. It should not be underestimated as it provides a...
ruthless-cybersquatters
Protect your business against ruthless cybersquatters
Also this week: Blueliv is pleased to announce a featured post on the subject of Cybersquatting from Jean-Jacques Dahan–Managing Director and Expert Consultant for Online Brand Security & Global Domain Strategy, Zeusmark. This article continues the discussion begun with the Phishing module article. Now, the focus will be on...
Petya-ransomware-2
Petya Ransomware cyber attack is spreading across the globe – Part 2
Following our first blog providing an early analysis about Petya, we are sharing further findings of the malware analysis that we have performed. We divided this post into the three areas we have briefly analyzed after the Petya attack: the propagation techniques of the malware, the encryption techniques used,...
Petya-ransomware-1
Petya Ransomware cyber attack is spreading across the globe – Part 1
As you might know, Petya Ransomware is currently devastating Airlines, Banks & Utilities and many other businesses across the globe. Denmark, France, Spain, Ukraine, and the USA are already impacted and many others might be too in the coming hours. So far, it seems that the sample is being...
phishing
Business threat intelligence | Win the fight against phishing attacks
Blueliv has one module that handles two of the main cyber threats targeted at businesses–Phishing and Cybersquatting. This module plugs into our threat monitoring Enterprise Platform Solution. For completeness, we’ll divide these threats into separate articles. First, it’s important to understand the inherent nature of these attacks. Criminals who...
MRTI-Feed
Cyber Threat Intelligence Feeds | Secure your network before an attack
Which malicious malware attack does your boss need you to block today? Blueliv Cyber Threat Intelligence Feeds provide security information that’s granular, industry specific and on time. Experts from respected think tanks like Gartner and RSA agree. Knowledge-based information and targeted action are having a profoundly positive effect on...
honeypots-wannacry
What our honeypots taught us about Wannacry ransomware
WannaCry has been on the lips, and especially in the concerns of everyone these last days. As we have addressed in recent posts, Friday, 12th May, marked the beginning of a massive global campaign to spread the WannaCry ransomware (a.k.a. WCry, WannaCrypt, WCrypt, WannaCrypt0r…). The ransomware spreads through a...
wannacrypt-analysis2
WannaCrypt Malware Analysis
Last Friday, 12th May, a worm targeting outdated Windows machines was detected. The worm in question used leaked NSA exploits to propagate and dropped a variant of a ransomware called WannaCrypt. This post will try to give you an insight into the infection process, as well as the spreading...
credit-card-theft1
The real cost of credit card theft and how to protect your assets
Sometime in mid-February 2017, anti-fraud teams from multiple financial institutions contacted KrebsOnSecurity for help tracing the source of a credit card fraud happening in high-end restaurants around the U.S. Investigations revealed a vast majority of patrons with compromised cards dined in locations run by Select Restaurants, Inc., a management...
botnets
Peeling back the layers surrounding zombie computer botnets
What is a Botnet? To understand a botnet, you first must begin with a bot. A bot is an automated malware program or roBOT that takes control of a computerized device. That single, infected computer, or connected device, joins a larger roBOT NETwork–or BOTNET. Once hijacked, these devices transform...
Deep-dive-into-the-dark-web
What is the Dark Web?
Deep dive into the Dark Web The Dark Web a part of the World Wide Web made up of a variety of anonymous networks, untraceable online activity and non-referenced URLs and domains. It is only through software that enables users to browse these networks anonymously. The most common network...
Mirai_code_2
Mirai: the people’s botnet
Mirai-botnet, the infamous IoT botnet, has struck again, and this time it almost took down an entire country; Liberia. Mirai botnet is a botnet that attempts to infect Internet of Things (IoT) devices to perform DDoS attacks, and was recently used to perform the largest DDoS attack ever which...
ransomware
Ransomware – an up-to-date overview
Overview The Blueliv Threat Intel Research Labs team has recently analyzed a large amount of ransomware samples to obtain a global overview on the status quo of this malware family. We’re sharing our conclusions here. Think before you pay We’ve found that in some cases, ransomware encrypts your data...
ransomware
From Barcelona to London: Blueliv at RANT! Risk and Network Threat forum
This week Blueliv sponsored its first RANT forum event at The Counting House in London to share the findings from the recent technical investigation into banking Trojan Vawtrak v2. Ramon Vicens, VP of Threat Intelligence Research Labs, talked through the analysis and was met with lively debate from the...
Vawtrak
Vawtrak v2: The next big banking Trojan
This month Blueliv Threat Intelligence Research Labs team has published an exclusive report revealing the most complete picture of Vawtrak v2 malware seen to date. Vawtrak is a serious threat to the finance sector and is predicted to be the next major banking Trojan. Chasing cybercrime: Network insights into...
Vawtrak
Vawtrak banking Trojan: a threat to the banking ecosystem
Today marks the start of c0c0n International Cyber Security and Policing Conference 2016 where our Labs Research expert, Raashid Bhat, will be sharing insight into the threats posed by the Vawtrak Trojan, one of the most prevalent banking Trojans around today. It promises to be an unmissable session based...
Ransomware chronology
Ransomware – How to defend yourself against it
What is Ransomware? Ransomware is a type of malware that has lately been increasingly in use by the cyber criminals. In order to profit from the distribution of Ransomware, the bad guys have been targeting numerous businesses and large organizations around the world. In essence, the Ransomware malware is...
Inside-Tinba-Infection-Stage-2
Inside Tinba Infection: Stage 2
This is a continuation of the first Tinba post, which is part of a series of posts on how Tinba gradually infects a system. Before we jump into analysis, let’s do a quick recap of the previous actions performed by Tinba and described in the STAGE 1 post: Prepares...
Cyber-Attacks-Targeting-SWIFT
Cyber Attacks Targeting SWIFT – Recap
SWIFT stands for Society for Worldwide Interbank Financial Telecommunication, and its purpose is to allow banks and financial institutions in general to communicate securely. It is used in the exchange of information between banks, such as transactions. In this post you will get a short summary of the incidents...
Inside-Tinba-DGA-Infection-Stage-1
Inside Tinba-DGA Infection: Stage 1
Tinba DGA is a bank trojan that was first discovered in 2012. It is mainly distributed through malware spam emails or malvertising. Although not a new threat, Tinba is still one of the used trojans by criminals to steal online banking sensitive information. There are a number of papers on how...
Malware-grabbers-and-their-behavior
Malware grabbers and their behavior
Malware is made to serve very different kinds of purposes, which depend on the objective of the authors. Nowadays, there is a very large number of samples that exist and it is common to classify them into different categories based on their behavior. This post provides an overview of...
Antihooking-techniques-used-by-Andromeda-aim-to-defeat-Cuckoo-like-sandboxes
Antihooking techniques used by Andromeda aim to defeat Cuckoo-like sandboxes
Some sandboxes, for example, Cuckoo Sandbox, implement a technique known as hooking. The hooking of functions allows the programmer, user or analyst to intercept calls, messages or events passed between a program and its libraries. This is very useful when analyzing malware because it allows the reverse engineer to view...
research-blog
Tracking the footprints of PushDo Trojan
PushDo Trojan is a downloader trojan responsible for downloading its spam counterpart and other malicious Trojans. Since its beginning, it has evolved into many different versions and in this blog post, we will make a deeper analysis of it. The Packer PushDo Trojan often comes along with a packer, which...
Blueliv-Releases-Q3-2015-Global-Cyber-Threat-Report
Blueliv Releases Q3 2015 Global Cyber Threat Report
  Between July and September 2015 Blueliv detected and analyzed 5.5 million stolen credentials and credit cards, 300,000 targeted malware samples, and 500,000 crime servers through its cyber threat intelligence platform. Now, we want to share the analysis of this data with you in our Blueliv Global Cyber Threat Report. THEFT...
Revisiting-the-latest-version-of-Andromeda-Gamarue-Malware1
Revisiting the latest version of Andromeda/Gamarue Malware
Andromeda Malware aka Gamarue Malware has been prevalent since it came into limelight a couple of years ago. Also, the author keeps it well updated ever since. With respect to its earlier avatars, it has gone through several changes from anti-analysis to a change in protocol format. Some excellent write-ups...
Dridex-reloaded
Dridex reloaded?
Dridex has been the scourge of banks regarding bank data and credential theft as well as fraud in the last 12 months. Cyber criminals have been improving the network following the special cases and problems they have faced depending on the financial institutions they have attacked. They have also...
Introduction-to-honeypots
Introduction to honeypots
As most of you already know, honeypots are hosts that act as a bait, exposing services on the internet in order to lure attackers. Below is a honeypots introduction. Using honeypots, security researchers can: Monitor the attackers’ activity on the internet. Discover possible vulnerable services being exploited by an...
Blueliv-Releases-Q2-2015-Global-Cyber-Threat-Report
Blueliv Releases Q2 2015 Global Cyber Threat Report
Through its cyber threat intelligence platform Blueliv detected and analyzed 5 million stolen credentials and credit cards, 200,000 targeted malware samples, and 500,000 crime servers between April and June 2015. THEFT OF CREDIT AND DEBIT CARD INFORMATION In the second quarter of 2015, the US has continued to be the...
research-blog
Blueliv discovers the Alina variant – Joker
Joker malware is a Point of Sale malware that was developed using, as a baseline, the Alina POS source code. After tracking it for some weeks, we’ve realized that behind the malware there is a dedicated effort towards developing and improving the sample. We have got our hands on...
Introduction-to-Android-Malware
Introduction to Android Malware
Hello everyone! As some of you already know, mobile threats are on the rise. Every day there are more and more mobile devices, which translates in more targets for the malware industry. But, as we always say, the best weapon against malware is knowledge. For this reason, we bring...
research-blog
Webinar. Chasing the Cyber Crime: network insights of Dyre and Dridex Trojan Bankers.
We would like to invite you to the Chasing the Cyber Crime: network insights of Dyre and Dridex Trojan Bankers webinar on the 8th of July.  As you may already know, in the current landscape of Trojan Bankers, Dyre and Dridex are the most nefarious ones due to the amount of infections...
research-blog
Introduction to Blueliv’s API, part1
Greetings everyone! Today we want to introduce you a little bit more to our API and show you all the amazing things you can do with the data. This post is the first of a series that we plan to write in order to make things easier for you...
research-blog
Performing automated Yara Q&A with Cuckoo
As it is well known, Cuckoo Sandbox is a malware analysis system which allows us to customize both processing and reporting stages. In this context, we can feed Cuckoo with Yara Rules based not only on the content of malware, but also on its behavior. One of the most prominent issues...
Blueliv-Releases-Q1-2015-Global-Cyber-Threat-Report
Blueliv Releases Q1 2015 Global Cyber Threat Report
  Blueliv reveals startling scale of cybercrime, pinpoints geolocations most affected Dyre and Dridex, the most nefarious banking Trojans Blueliv releases its Cyber Threat Report, revealing detailed figures on criminal online activity in the first quarter of 2015. Through its cyber threat intelligence platform between January and March 2015, Blueliv...
research-blog
Ciberamenazas emergentes. A qué nos enfrentamos y cómo lo combatimos
La revista de ciberseguridad SIC ha publicado en su número de abril el artículo escrito por Ramón Vicens, VP Threat Intelligence de Blueliv, y Víctor Acín, analista de Threat Intelligence de Blueliv, Ciberamenazas emergentes. A qué nos enfrentamos y cómo lo combatimos. En los últimos años las bandas del...
Blueliv-Releases-Q1-2015-Global-Cyber-Threat-Report
Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers. (Report)
Trojan Bankers are a family of botnets that specialize in stealing information related to the financial sector and user data in order to sell it in underground marketplaces, some of them, also perform wire transfers using these credentials or by taking control of the infected computer. Due to the...
Main-PoS-infection-techniques
Main PoS infection techniques and how to avoid them
Stealing payment card data has become an everyday crime that yields quick monetary gains. The goal is to steal the data stored on the magnetic stripe of payment cards, clone the cards, and run charges on the accounts associated with them or even burn credit card track information into...
research-blog
The Equation Group: a new degree of sophistication in APT attacks
The Equation Group, what do we know so far? The topic of APT’s and state sponsored espionage has been back the news over the last few weeks. Based in the excellent and in-depth report of Kaspersky Labs “Equation Group: Questions and answers“, it seems that the level of sophistication...
research-blog
Blueliv Cyber Threat Intelligence Report. Q3 2014
Here you are the main conclusions of the just analyzed cyber threats that have been apparent on a global level during the third quarter of 2014, comparing them with the second quarter of the year. Once again, the main point is that cyber threats continue to be increasingly more frequent...
research-blog
Measuring the impact of Shellshock in the threat intelligence landscape
Once high profile vulnerability is released to the public, there are a lot of people who will use the opportunity to take advantage on vulnerable machines, even if it is manually or widely exploited using pieces of malware. A clear example is the evolution of Mayhem to take advantage of...
research-blog
Defining the key elements of a cybersecurity strategy
There is not a day that goes by without some startling revelation about a new threat from emerging from the world of Cyber-Crime. Over the last few months there has been a spate of attacks on online platforms, organisations and even point of sale devices. Attacks seem to be...
research-blog
The week of Russian leaks
This week some important leaks have arisen in on the Internet, all of them related to Russian users: 1.000.000 Yandex addressess and passwords. 4.500.000 Mail.ru addressess and passwords. 5.000.000 GMail addressess, some of them with passwords. All this data was posted in a Russian Bitcoin Forum by a user...
research-blog
Cyber Threats keep growing. Blueliv’s Cyber Threat Intelligence Report.
Here you are the main conclusions of the just analyzed Cyber Threats which have been apparent on a global level during the second quarter of 2014, comparing them with the first quarter of the year. The main point is that Cyber Threats continue to be increasingly more frequent and...
research-blog
My Little Pony
One year ago our colleague Xylit0l wrote about the Pony stealer malware. It’s been a year and the Pony family has grown! Two malwares, at least, have been found in the wild with some parts of Pony included in them. This is the case of Jolly Roger which is...
research-blog
Origin of the infections and attacks during the first quarter of 2014
Blueliv has analyzed the main Cyber Threats which have been apparent on a global level during the first quarter of 2014, and in this post we are going to show their origin. MALICIOUS URL GEOLOCALIZATION Some 46% of the malicious URLs analyzed were geolocalized in the United States, while...
research-blog
Behind Point of Sale (PoS) attacks
In this previous article we showed how cybercriminals were trying to infect PoS devices with Dexter malware through pcAnywhere service, port 5631. Now, what we want is to analyze the geolocation of more than a million IPs affected by this attack that appear in the following picture. If we...
research-blog
AppCloud and the uprising SaaS Android trojan malware
Some weeks ago Intelcrawler informed of a large fraud campaign against major Islamic banking institutions and one from Spain.   The malicious code infected the mobile devices of banking customers, intercepted the OTP («One-Time-Password») token code and immediately sent it to the bad actors. The unique side of the...
research-blog
First million credit cards details released
1 million credit cards details over a set of 800 million was released on Pastebin early this week. Almost 1 million cards were allegedly leaked by Anonymous Ukraine on Pastebin early this week from a set of more than 800 million credit cards that has not been released yet....
research-blog
Uncovering the new modus operandi behind POS infections
In the Cyber Fraud world there are numerous ways of doing business. One of the most well-known fraud activities that has been alive for years is the credit card theft. Like any other business it has evolved and improved its different techniques in order to survive and to maximize...
research-blog
mount.cifs arbitary file identification 0day
Durante el wargame de la rootedcon 2012, además de participar, me dediqué a revisar un poco los sistemas. Puesto que no tenía disponible el /proc/kallsyms, hacer ataques al kernel, supondría ir a ciegas, bruteforcear símbolos … , incluso posiblemente crashear el kernel. De manera que me enfoqué sobretodo a...
research-blog
Proxy multi-protocolo sha0proxy v2
Normalmente el desarollo de exploits requiere más tiempo del que uno tiene, de manera que hay que ingeniarse técnicas y herramientas que faciliten el trabajo. Personalmente, antes que parchear una aplicación cliente, o utilizar las apis de ciertos protocolos, prefiero capturar el tráfico y enviar las cabeceras a bajo...
research-blog
Respuesta a Incidentes: Analizando un mailer desde la memoria
Es especialmente crítico que al detectar un incidente, como puede ser la infección por malware de cualquier equipo de una red interna, inmortalizar la “escena del crimen” con la máxima información posible acerca del estado de los equipos infectados. En este caso, particularizaremos sobre lo importante que puede ser...
Demo Free Trial MSSP
Program