Threat Exchange Network blog: May 2019

The Blueliv Threat Exchange Network is a global community of thousands of cybersecurity experts, IT professionals and academics. Each month members publish the latest news, threat data, IOCs and more in order to improve resilience and accelerate incident response. Members can create their own intelligence feed for free by exporting IOCs via our API and numerous SIEM plugins.

The fight against cybercrime is a collaborative effort. Here you’ll find some of the top posts from our Threat Exchange Network over the past month.

Join for free today – in addition to fresh intelligence, members also have access to our automated elastic sandbox and real-time cyberthreat map, including details on active crime servers.

Turla backdoor deployed across targets globally
A Turla backdoor targeted at Microsoft Exchange mail servers, controllable remotely via email attachments, was discovered by researchers last month. The Russian-backed cyber-espionage group (aka Waterbug, Snake, WhiteBear, VENOMOUS BEAR and Krypton) has targeted military, government, education, research and pharmaceutical institutions across more than 40 countries. [126 IOCs] Learn more >

ScarCruft continues to evolve with Bluetooth harvester
This actor often performs sophisticated attacks using a zero-day exploit, as in in Operation Daybreak. It then uses common malware delivery techniques such as spear phishing and Strategic Web Compromises (SWC). More recently it has been extensively testing a known public exploit during preparation for a campaign. Victims have been identified based on their telemetry and it appears that ScarCruft is primarily targeting intelligence for political and diplomatic purposes. [50 IOCs] Learn more >

Gootkit banking Trojan via fake parking penalty appeals
A fake page purporting to be the appeals page of UKPC has been discovered mimicking the original site. The page downloads a zip containing the banking Trojan Gootkit, which steals banking info from the victim’s computer. [21 IOCs] Learn more >

Lokibot distributed via NGROK proxy abuse
Threat actors have been abusing the NGROK service, developed to avoid filters that block domains and IP ranges. It acts essentially like a proxy between the server with the malware and the victim’s computer, effectively bypassing firewalls. This practice has been observed during a malspam campgin, where emails disguised as payment transfer confirmation deliver an xls file containing infostealer Lokibot. [19 IOCs] Learn more >

Trickbot delivered via Redirection URL in spam
A Trickbot variant uses Google to redirect from an URL to sidestep spam filters that initially block the Trojan. At first glance, the spam email could pass as legitimate, even adding social media icons for authenticity. The content details a package order along with seller contact information and other convincing information. [12 IOCs] Learn more >

Our community is growing daily – become a member for free and contribute to the network.

Dark Commerce

Exploring the cybercrime industry and its business models: part 1

Read free report
Demo Free Trial MSSP