Blueliv Intelligence Briefing

Your cybersecurity news summary

Thursday, September 10th, 2020

Welcome to today’s intelligence briefing, covering noteworthy items on the cybersecurity news agenda.

Find these stories on the Blueliv Threat Exchange Network, a global community of thousands of cybersecurity experts, IT professionals and academics. Membership is free.

Read the latest research blogs from the Blueliv Labs team.

New CDRThief malware targets VoIP Linux softswitches to steal metadata

Analysis of the malware revealed that it was specifically created for a particular Linux VoIP platform, namely Linknat VOS2009/3000 softswitches. A softswitch is a software solution acting as a VoIP server that manages traffic (audio/video/text) in a telecommunication network. It is a central element that ensures a connection between both internal and external lines. CDRThief’s purpose is to compromise VOS2009/3000 softswitches and steal call metadata from internal MySQL databases, such as IP addresses of the callers, phone numbers, start time and duration of the call, its route, and type.

Monday, September 7th, 2020

Malware gang uses .NET library to generate Excel docs that bypass security checks

A newly discovered malware gang is using a clever trick to create malicious Excel files that have low detection rates and a higher chance of evading security systems. This gang, named Epic Manchego, has been active since June, targeting companies all over the world with phishing emails that carry a malicious Excel document. But these are not standard Excel spreadsheets: the malicious files appear to have been generated with the EPPlus .NET library in the Office Open XML (OOXML) format. As a result, the files lack a specific portion of VBA code that some antivirus and email scanners look for in order to find signs of malware, which is why they have been passing security scanners with low detection rates.

Friday, August 21st, 2020

Maldoc malware campaign delivering the QakBot/QBot banking trojan through zipping Word documents

This particular campaign features a ZIP file; within the ZIP attachment is a Word document that contains macros. These macros execute a PowerShell script that then downloads the Qakbot payload from specific URLs. The campaign also includes two new techniques: a bypass of content disarm and reconstruction (CDR) technology, achieved by zipping the Word document, and a bypass of parent/child process pattern detection, because the Visual Basic code is executed via Explorer.

Thursday, August 20th, 2020

Discovered North Korean BLINDINGCAN RAT malware

"CISA received four Microsoft Word Open Extensible Markup Language (XML) documents (.docx), two Dynamic-Link Libraries (DLLs)," the alert reads. "The .docx files attempt to connect to external domains for a download. A 32-bit and a 64-bit DLL were submitted that install a 32-bit and a 64-bit DLL named 'iconcache.db' respectively. The DLL 'iconcache.db' unpacks and executes a variant of Hidden Cobra RAT". Based on CISA and FBI malware analysis results, the BLINDINGCAN malware can also remove itself from compromised systems and clean up its traces to avoid detection, among other capabilities.

Linux systems are targeted by Lucifer cryptomining DDoS malware

When it was first spotted in May, the malware was deploying an XMRig miner on Windows computers, infecting them either with weaponized exploits for high- and critical-severity vulnerabilities or by brute-forcing machines with TCP ports 135 (RPC) and 1433 (MSSQL) open. The new Linux version comes with capabilities similar to its Windows counterpart, including modules designed for cryptojacking and for launching TCP-, UDP-, and ICMP-based flooding attacks. Additionally, Lucifer-infected Linux devices can also be used in HTTP-based DDoS attacks (including HTTP GET and POST floods, and HTTP ‘CC’ DDoS attacks).

Wednesday, August 19th, 2020

FritzFrog P2P botnet malware attacks SSH servers worldwide to mine Monero

The attack has already managed to infiltrate over 500 servers in the U.S. and Europe, belonging to universities and a railway company. The advanced nature of FritzFrog lies in its proprietary, fileless P2P implementation written from scratch. The malware assembles and executes the malicious payload entirely in memory, making it volatile. Moreover, its custom P2P implementation means there is no single Command & Control (C&C) server sending instructions to FritzFrog: it is decentralized and self-sufficient. Despite the aggressive brute-force tactics FritzFrog employs to breach SSH servers, it is unusually efficient, spreading its attempts evenly across a target network.
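The "evenly across a network" behaviour described above is exactly what per-host lockout counters miss: a few failed logins on each of many servers never trip a local threshold. The Python below is an added example written for this briefing, not code from the FritzFrog analysis; it aggregates sshd failures from several hosts and flags a source that touches many hosts while staying under a small per-host count. The log lines are constructed in a simplified "host sshd[pid]: message" format, and the thresholds are assumed values.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample (not a real capture): sshd failures forwarded from four hosts.
# Format assumed here: "<host> sshd[<pid>]: <message>", timestamps already stripped.
SAMPLE_LOG = """\
web1 sshd[101]: Failed password for root from 203.0.113.7 port 40001 ssh2
web2 sshd[202]: Failed password for root from 203.0.113.7 port 40002 ssh2
db1 sshd[303]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
db2 sshd[404]: Failed password for root from 203.0.113.7 port 40004 ssh2
web1 sshd[105]: Failed password for alice from 198.51.100.9 port 50001 ssh2
web1 sshd[106]: Failed password for alice from 198.51.100.9 port 50002 ssh2
web1 sshd[107]: Accepted publickey for alice from 198.51.100.9 port 50003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<host>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def fleet_failures(log_text: str) -> Dict[str, Dict[str, int]]:
    """Count failed SSH logins as {source_ip: {target_host: count}} across all hosts."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            counts[m["src"]][m["host"]] += 1
    return {src: dict(hosts) for src, hosts in counts.items()}


def spread_sources(failures: Dict[str, Dict[str, int]],
                   min_hosts: int = 3, per_host_max: int = 2) -> List[str]:
    """Sources that failed against at least min_hosts distinct hosts while staying at or
    below per_host_max failures on each one: too few per host to trip a local lockout,
    but clearly a single actor sweeping the fleet. Thresholds are assumed values."""
    flagged = []
    for src, hosts in failures.items():
        if len(hosts) >= min_hosts and max(hosts.values()) <= per_host_max:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    failures = fleet_failures(SAMPLE_LOG)
    for src in spread_sources(failures):
        print(f"{src}: {len(failures[src])} hosts, {sum(failures[src].values())} failures")
```

The user who fails twice against one host (a mistyped password before a key login) is not flagged; the source that fails once on each of four hosts is. In practice the same aggregation runs over a central log store rather than a string.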

Monday, August 17th, 2020

PurpleWave – A New Infostealer from Russia

A new infostealer malware called PurpleWave was found being advertised and sold on Russian cyber-crime forums for $68 US. An infostealer is a type of malware that gathers information from the infected system and is able to install more malware once inside it. PurpleWave is capable of stealing cookies, passwords and credit cards. It can also steal files, take screenshots and install additional malware.

Thursday, August 6th, 2020

Microsoft Teams Updater abused to install malware

During the last year, several techniques for retrieving malware and executing it remotely through the Microsoft Teams updater were discovered. All of them rely on the updater's ability to fetch the client package from a remote URL. To fix this, Microsoft released a patch that only allows the Teams package to be fetched from local network locations. Working within that restriction, attackers are abusing the Teams updater as a LOLBin: they place the malicious file on the network and have the victim's computer load it from there.

Tuesday, August 4th, 2020

Discovered Taidoor RAT malware linked to China

"The first file is a loader, which is started as a service. The loader decrypts the second file, and executes it in memory, which is the main Remote Access Trojan (RAT)." The Taidoor RAT is then used to give Chinese hackers access to infected systems so they can exfiltrate data or deploy other malware, the usual purposes for which remote access trojans are employed.

Thursday, July 23rd, 2020

MATA malware used by Lazarus hackers to steal data

During their attacks, the hackers can use MATA to load several plugins into the infected system's memory to run commands, manipulate files and processes, inject DLLs, and create HTTP proxies and tunnels on Windows devices. MATA plugins also allow the hackers to scan for new targets on macOS and Linux-based machines (routers, firewalls, or IoT devices).

Tuesday, July 21st, 2020

Latest Golden Chickens MaaS Tools Updates and Observed Attacks

Four new attacks using malware-as-a-service tools from the Golden Chickens portfolio were observed throughout March and April and are now being declassified. The analysis concludes that the MaaS operator Badbullzvenom is responsible for the creation and updates of some GC tools.

Windows machines infected again by Emotet-TrickBot malware

After over five months of inactivity, the Emotet trojan woke up and started massive spam campaigns pretending to be payment reports, invoices, shipping information, and employment opportunities. These spam emails contain malicious documents that install the Emotet trojan on the recipient's computer when they are opened and macros are enabled.

Wednesday, July 15th, 2020

New on the scene: Darkvision RAT

Although new, this RAT already offers a wide range of plug-ins and extra functionalities such as keylogging, live webcam and microphone capture, screen captures, reverse proxy, etc. All of these functionalities are loaded separately as individual .dll files that are selectively delivered to the infected machine without the need to write them to disk.

Tuesday, July 14th, 2020

New ServHelper campaign installing a loud CryptoMiner

A backdoor named ServHelper, associated with TA505, has been detected installing cryptominers on compromised systems since at least January 2020. The miner hides itself on the system inside a virtualized environment. When the unsuspecting victim executes the installer, ServHelper first checks whether it is running in a virtualized environment, to avoid being analyzed, and whether the current user has admin privileges or the Windows 10 build is below 10147, in which case it escalates privileges using DLL hijacking.

Thursday, July 9th, 2020

APT group behind the Evilnum malware seen in fintech attacks analysed

Targets are approached with spearphishing emails that contain a link to a ZIP file hosted on Google Drive. That archive contains several LNK (aka shortcut) files that extract and execute a malicious JavaScript component, while displaying a decoy document. These shortcut files have “double extensions” to try to trick the user into opening them, thinking they are benign documents or pictures (in Windows, file extensions for known file types are hidden by default).
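Three items in this digest rely on an archive hiding what is inside it: the EPPlus-built OOXML workbook (September 7th), the zipped macro Word document that slips past CDR (August 21st), and the double-extension shortcut files described here. The defensive response is the same in each case: open the container in memory and inspect the members rather than trusting the outer file type. The Python below is an added example written for this briefing, not code from any of the reports it summarizes. The archive it inspects is constructed inline, and the extension lists and the rule that any OOXML part named vbaProject.bin counts as a macro project (so a project whose internals differ from what Office writes is still reported) are the author's assumptions.

```python
import io
import zipfile
from typing import List

# Assumed lists (not from the briefing): extensions treated as executable when they
# come last, and document/image extensions that commonly serve as the decoy part.
EXECUTABLE_EXT = {"lnk", "exe", "js", "jse", "vbs", "hta", "scr", "ps1", "bat", "cmd"}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "gif", "txt"}
OOXML_EXT = {"docx", "docm", "dotm", "xlsx", "xlsm", "xltm", "pptx", "pptm"}


def has_double_extension(name: str) -> bool:
    """True for names such as 'invoice.pdf.lnk': a decoy extension directly
    followed by an executable one, which Explorer shows as 'invoice.pdf'."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXT and parts[-2] in DECOY_EXT


def ooxml_has_macros(data: bytes) -> bool:
    """True if an Office Open XML document (itself a ZIP) carries a VBA project part.
    Only the presence of the part is checked, not its internal structure."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_archive(data: bytes) -> List[str]:
    """Open a ZIP attachment in memory and return human-readable findings."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = name.lower().rsplit(".", 1)[-1]
            if has_double_extension(name):
                findings.append(f"double extension: {name}")
            if ext == "lnk":
                findings.append(f"shortcut file in archive: {name}")
            if ext in OOXML_EXT and ooxml_has_macros(zf.read(name)):
                findings.append(f"macro-enabled document: {name}")
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (not a real capture): a ZIP holding a Word document with a
    vbaProject.bin part, a decoy double-extension shortcut, and a benign text file."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as d:
        d.writestr("[Content_Types].xml", "<Types/>")
        d.writestr("word/document.xml", "<w:document/>")
        d.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder, not a real project")
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as z:
        z.writestr("invoice.docm", doc.getvalue())
        z.writestr("photo.jpg.lnk", b"L\x00\x00\x00 placeholder, not a real shortcut")
        z.writestr("readme.txt", b"benign text")
    return archive.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding)
```

Nothing is extracted to disk and nothing is executed; the script only reads member names and, for Office documents, the member names of the inner ZIP. A mail gateway rule built on this logic would quarantine the attachment for review rather than rely on a signature over the VBA stream.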

Wednesday, July 8th, 2020

Mozilla has temporarily suspended the Firefox Send file-sharing service while it adds a Report Abuse mechanism

While Mozilla launched Firefox Send with the privacy and security of its users in mind, since late 2019 Firefox Send has seen broader adoption in the malware community. In most cases the usage is the same: malware authors upload payloads to Firefox Send, the file is stored in encrypted form, and the hackers then share the links inside emails they send to their targets. Over the past few months, Firefox Send has been used to store payloads for all sorts of cybercrime operations, from ransomware to financial crime, and from banking trojans to spyware used to target human rights defenders.

New and improved version of Lampion trojan spreading in Portugal

The recent wave has been observed in Portugal and is affecting clients of several Portuguese and Brazilian banking organizations, as well as some cryptocurrency platforms. This new version includes changes to its VBS downloader, its anti-VM techniques, and the way it communicates with its C2 server, which is geolocated in Russia.

Wednesday, July 1st, 2020

FakeSpy Masquerades as Postal Service Apps Around the World

A new campaign is up and running using newly improved, significantly more powerful malware as compared to previous versions. FakeSpy is under active development and is evolving rapidly; new versions are released every week with additional evasion techniques and capabilities. The analysis shows that the threat actor behind the FakeSpy malware is a Chinese-speaking group, commonly referred to as "Roaming Mantis".

Tuesday, June 30th, 2020

Glupteba: Hidden Malware Delivery in Plain Sight

About a month ago, researchers noticed a spike in the number of samples belonging to the same malware campaign, most of them with the filename app.exe. This malware, which turned out to belong to a family called Glupteba, spreads using EternalBlue and downloads additional payloads. Glupteba does something novel: it uses the bitcoin blockchain as a communications channel to receive updated configuration information.

US Local Government Services Targeted by New Magecart Credit Card Skimming Attack

Eight cities across three states in the United States have fallen victim to a Magecart card skimming attack. In these attacks, their websites were compromised to host credit card skimmers that passed residents' credit card information on to cybercriminals. These sites all appear to have been built using Click2Gov, a web-based platform meant for use by local governments.

Bundlore (macOS) mm-install-macos

The mm-install-macos variant of the Bundlore family of macOS adware has been around for many years in many variations and delivery methods. Recently, an alternative with a novel installation method was discovered. Although most of the installation details were the same as or similar to the other samples analyzed, these new samples modified the sudoers file on the infected system to remove the password requirement for privilege escalation. The malware also utilizes a form of obfuscation not observed before in this family, hiding compressed data in a resource fork on a downloaded script file.
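A quick way to catch the sudoers change described above is to re-read the file and flag the settings that remove the password requirement: the NOPASSWD tag on a rule, a Defaults line carrying !authenticate, and any rule whose user specification is the wildcard ALL. The Python below is an added example, not code from the Bundlore analysis; the sample sudoers content is constructed and the set of checks is the author's own.

```python
from typing import List, Tuple

# Constructed sample (not a real capture) of an /etc/sudoers after an unwanted edit.
SAMPLE_SUDOERS = """\
# sudoers file.
Defaults env_reset
root ALL = (ALL) ALL
%admin ALL = (ALL) ALL
# Appended by the installer: password-less sudo for every account
ALL ALL=(ALL) NOPASSWD: ALL
"""

Finding = Tuple[int, str, str]  # (line number, rule text, reason)


def audit_sudoers(text: str) -> List[Finding]:
    """Flag sudoers rules that weaken or remove the password requirement.
    Checks (an assumed set, not exhaustive): the NOPASSWD tag, a Defaults line
    carrying !authenticate, and any rule whose user specification is ALL."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Drop comments. '#include' / '#includedir' directives are dropped too,
        # so included files must be audited separately.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("Defaults"):
            if "!authenticate" in line:
                findings.append((lineno, line, "Defaults !authenticate disables password prompts"))
            continue
        user_spec = line.split()[0]
        if "NOPASSWD" in line:
            findings.append((lineno, line, "NOPASSWD tag: sudo runs without a password"))
        if user_spec == "ALL":
            findings.append((lineno, line, "rule applies to every account (user spec ALL)"))
    return findings


if __name__ == "__main__":
    for lineno, rule, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {rule!r}: {reason}")
```

On a real host the text would come from `sudo cat /etc/sudoers` (the file is root-readable only) and from each file under the include directory; comparing the audit output against a known-good baseline turns this into a simple integrity check for the change this variant makes.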

Monday, June 29th, 2020

Chinese malware used in attacks against Australian orgs

The Australian government released an advisory late last week about increased cyber activity from a state actor against networks belonging to its agencies and to companies in the country. Behind the attack is a “sophisticated” adversary that relies on slightly modified proof-of-concept exploit code for older vulnerabilities, the government says. Unofficially, blame points to China. The attacker targets public-facing infrastructure with remote code execution exploits, a frequent choice being unpatched versions of Telerik UI.

Friday, June 26th, 2020

Chinese bank forced western companies to install malware-laced tax software

A Chinese bank has forced at least two western companies to install malware-laced tax software on their systems, cyber-security firm Trustwave said in a report published today. The two companies are a UK-based technology/software vendor and a major financial institution, both of which had recently opened offices in China. Trustwave, which was providing cyber-security services for the UK software vendor, said it identified the malware after observing suspicious network requests originating from its customer's network.

Tuesday, June 23rd, 2020

XORDDoS, Kaiji Botnet Malware Variants Target Exposed Docker Servers

Researchers from Trend Micro have recently detected variants of two existing Linux botnet malware families targeting exposed Docker servers: XORDDoS and Kaiji. Having Docker servers as their target is a new development for both; XORDDoS is known for targeting Linux hosts on cloud systems, while the recently discovered Kaiji was first reported affecting internet of things (IoT) devices. Attackers typically use these botnets to perform brute-force attacks after scanning for open Secure Shell (SSH) and Telnet ports.

Monday, June 22nd, 2020

Discord modified to steal accounts by new NitroHack malware

New malware is being distributed that pretends to be a hack that gets you the premium Discord Nitro service for free, but instead steals Discord user tokens saved in various browsers and credit card information, and then tries to spread to other users. When an open platform like Discord makes it easy to modify the JavaScript files used by the client, threat actors commonly abuse that to modify the client to perform malicious behavior.