Tag selected: Malware
research-blog
Where is Emotet? Latest geolocation data
Emotet is an old malware threat that continues to affect many users and companies around the world. Once a machine has been infected, a number of things can happen—but typically, new malware is deployed and credentials are stolen. Emotet’s business model is based on distribution groups – the stolen...
Selling FormBook
Our home city Barcelona hosted BSides last week, where the information security community across Europe gathered to discuss the current security landscape. Members of our Labs team were invited to present research into FormBook, one of the most notorious info-stealers and form-grabbers in recent years. The fight against cybercrime is...
Overview and thoughts about Shamoon3 toolkit
Introduction On August 15, 2012, a computer attack left “out of the box” about 30,000 Windows systems of the Saudi Aramco oil company. The incident had a significant impact on business processes and production at the company, which took weeks to return to normal activity. The malware deployed in...
Sales of AZORult grind to an AZOR-halt
Author of Popular Credential Stealer Announces End of Sales Key Points In late December, the author of the AZORult stealer publicly stated that he would be ending sales of the malware. AZORult has been advertised on Russian-language cybercrime forums since at least 2016 and has become fairly popular among...
European credential theft industry booming as US market sees decline
39% increase in compromised credentials detected in Europe and Russia in 2018 Europe-only credential theft success at 62% growth rate Europe and Russia home to half of credential theft victims worldwide (49%) LokiPWS malware family distribution increases over 300% since start of 2017 Today we announced our new report...
research-blog
Making the headlines: Bad Rabbit and Reaper malware
Though we process thousands of malware samples per day, very few of them attract the attention of the mainstream media in the way that Bad Rabbit and Reaper have recently. Here’s a quick overview, their potential impact on business and some suggested mitigation techniques to help you and your...
research-blog
TrickBot banking trojan using EFLAGS as an anti-hook technique
In one of our analyses of the TrickBot banking trojan, we found an interesting anti-sandbox technique that catches (almost) all user-mode (ring3) sandboxes, and we would like to share it with you. hash: 2ebeef906142f328168e7e62e8be7fbaee48e3521853d76ea778005ada6e938a The sample does something like this: lea eax, ; 1. prepare buffer for GetSystemTime push...
Avoid-being-the-next-Equifax
Data Breach | Avoid being the next Equifax
Image Courtesy CNN Money On 29 July 2017, Equifax, one of the big-three credit reporting companies, announced the discovery of a data breach exposing an estimated 143M Americans. Unauthorized access took place from mid-May through July 2017. One source has called this a category-5 event. Details of the...
Targeted-malware-detection
Targeted Malware Detection
Today’s cyber criminal wants one thing. He wants to get his malware into your IT network because once he’s in, he can go to work–remotely–achieving the myriad of other criminal activities he and his accomplices have in mind. Your best defense against targeted malware is to thwart the criminal...
Petya-ransomware-2
Petya Ransomware cyber attack is spreading across the globe – Part 2
Following our first blog providing an early analysis about Petya, we are sharing further findings of the malware analysis that we have performed. We divided this post into the three areas we have briefly analyzed after the Petya attack: the propagation techniques of the malware, the encryption techniques used,...
honeypots-wannacry
What our honeypots taught us about Wannacry ransomware
WannaCry has been on the lips, and especially in the concerns of everyone these last days. As we have addressed in recent posts, Friday, 12th May, marked the beginning of a massive global campaign to spread the WannaCry ransomware (a.k.a. WCry, WannaCrypt, WCrypt, WannaCrypt0r…). The ransomware spreads through a...
wannacrypt-analysis2
WannaCrypt Malware Analysis
Last Friday, 12th May, a worm targeting outdated Windows machines was detected. The worm in question used leaked NSA exploits to propagate and dropped a variant of a ransomware called WannaCrypt. This post will try to give you an insight into the infection process, as well as the spreading...
wannacry
Wannacry Ransomware used to spread global cyber attacks
A global ransomware attack began impacting companies and hospitals across the United States, Europe, and Asia early Friday morning. Companies in more than 70 countries have reported incidents as of Friday afternoon. Computers all over the world are being locked down by a ransomware called Wannacry/Wanna/Wcry. The British government...
wannacry2
Ransomware hits the IBEX-35 hard
This Friday news broke that the “WannaCry” ransomware has made its way into the computer systems of some IBEX-35 companies by exploiting a vulnerability in Windows systems. The British Government, for its part, has announced that an attack using a bitcoin virus has affected...
corporate-blueliv
Why Vawtrak v2 could be the next major banking Trojan
Neira Jones, Non-Executive Director Cognosec, Partner Global Cyber Alliance and industry influencer shares her thoughts on the evolution of banking Trojans and digital transformation in the finance sector in our new white paper. Think more like a criminal… This came to my attention through the excellent report published by cyber...
computer-security-day-2016
Computer Security Day 2016: Make a date with our malware sandbox
Today marks Computer Security Day 2016. Our responsibility to ensure the security of our networks and connected devices is ‘always on’ in an age when we are heavily dependent on being online just to function normally. But, it’s always good to pause and remind ourselves about how important it...
corporate-blueliv
Blueliv Invites Soltra Edge Users to Join Free Intelligence Sharing Platform
Blueliv Threat Exchange Network reassured by recent acquisition of Soltra Edge in continued effort to encourage collaboration and intelligence sharing in cyber security industry. BARCELONA, Spain – Nov. 28, 2016 – PRLog — Blueliv, a leading provider of cyber threat intelligence, today broadcast the availability of the Blueliv Threat Exchange Network, a free intelligence...
ransomware
Ransomware – an up-to-date overview
Overview The Blueliv Threat Intel Research Labs team has recently analyzed a large amount of ransomware samples to obtain a global overview on the status quo of this malware family. We’re sharing our conclusions here. Think before you pay We’ve found that in some cases, ransomware encrypts your data...
ransomware
From Barcelona to London: Blueliv at RANT! Risk and Network Threat forum
This week Blueliv sponsored its first RANT forum event at The Counting House in London to share the findings from the recent technical investigation into banking Trojan Vawtrak v2. Ramon Vicens, VP of Threat Intelligence Research Labs, talked through the analysis and was met with lively debate from the...
Vawtrak
Vawtrak v2: The next big banking Trojan
This month Blueliv Threat Intelligence Research Labs team has published an exclusive report revealing the most complete picture of Vawtrak v2 malware seen to date. Vawtrak is a serious threat to the finance sector and is predicted to be the next major banking Trojan. Chasing cybercrime: Network insights into...
Vawtrak
Vawtrak banking Trojan: a threat to the banking ecosystem
Today marks the start of c0c0n International Cyber Security and Policing Conference 2016 where our Labs Research expert, Raashid Bhat, will be sharing insight into the threats posed by the Vawtrak Trojan, one of the most prevalent banking Trojans around today. It promises to be an unmissable session based...
Ransomware chronology
Ransomware – How to defend yourself against it
What is Ransomware? Ransomware is a type of malware that has lately been increasingly in use by the cyber criminals. In order to profit from the distribution of Ransomware, the bad guys have been targeting numerous businesses and large organizations around the world. In essence, the Ransomware malware is...
Inside-Tinba-Infection-Stage-2
Inside Tinba Infection: Stage 2
This is a continuation of the first Tinba post, which is part of a series of posts on how Tinba gradually infects a system. Before we jump into analysis, let’s do a quick recap of the previous actions performed by Tinba and described in the STAGE 1 post: Prepares...
Cyber-Attacks-Targeting-SWIFT
Cyber Attacks Targeting SWIFT – Recap
SWIFT stands for Society for Worldwide Interbank Financial Telecommunication, and its purpose is to allow banks and financial institutions in general to communicate securely. It is used in the exchange of information between banks, such as transactions. In this post you will get a short summary of the incidents...
Inside-Tinba-DGA-Infection-Stage-1
Inside Tinba-DGA Infection: Stage 1
Tinba DGA is a banking trojan that was first discovered in 2012. It is mainly distributed through malware spam emails or malvertising. Although not a new threat, Tinba is still one of the trojans used by criminals to steal sensitive online banking information. There are a number of papers on how...
Malware-grabbers-and-their-behavior
Malware grabbers and their behavior
Malware is made to serve very different kinds of purposes, which depend on the objective of the authors. Nowadays, there is a very large number of samples that exist and it is common to classify them into different categories based on their behavior. This post provides an overview of...
Antihooking-techniques-used-by-Andromeda-aim-to-defeat-Cuckoo-like-sandboxes
Antihooking techniques used by Andromeda aim to defeat Cuckoo-like sandboxes
Some sandboxes, for example, Cuckoo Sandbox, implement a technique known as hooking. The hooking of functions allows the programmer, user or analyst to intercept calls, messages or events passed between a program and its libraries. This is very useful when analyzing malware because it allows the reverse engineer to view...
corporate-blueliv
Video: Get started using our malware analysis sandbox today
A couple of weeks ago we launched a new community feature, our online malware analysis sandbox and now, it’s time to show you how it works and the varied functionalities it offers to our community users. At Blueliv we are focused on trying to make cyber intelligence available for...
research-blog
Tracking the footprints of PushDo Trojan
PushDo Trojan is a downloader trojan responsible for downloading its spam counterpart and other malicious Trojans. Since its beginning, it has evolved into many different versions and in this blog post, we will make a deeper analysis of it. The Packer PushDo Trojan often comes along with a packer, which...
Revisiting-the-latest-version-of-Andromeda-Gamarue-Malware1
Revisiting the latest version of Andromeda/Gamarue Malware
Andromeda Malware aka Gamarue Malware has been prevalent since it came into limelight a couple of years ago. Also, the author keeps it well updated ever since. With respect to its earlier avatars, it has gone through several changes from anti-analysis to a change in protocol format. Some excellent write-ups...
Dridex-reloaded
Dridex reloaded?
Dridex has been the scourge of banks regarding bank data and credential theft as well as fraud in the last 12 months. Cyber criminals have been improving the network following the special cases and problems they have faced depending on the financial institutions they have attacked. They have also...
research-blog
Blueliv discovers the Alina variant – Joker
Joker malware is a Point of Sale malware that was developed using, as a baseline, the Alina POS source code. After tracking it for some weeks, we’ve realized that behind the malware there is a dedicated effort towards developing and improving the sample. We have got our hands on...
Introduction-to-Android-Malware
Introduction to Android Malware
Hello everyone! As some of you already know, mobile threats are on the rise. Every day there are more and more mobile devices, which translates into more targets for the malware industry. But, as we always say, the best weapon against malware is knowledge. For this reason, we bring...
research-blog
Performing automated Yara Q&A with Cuckoo
As it is well known, Cuckoo Sandbox is a malware analysis system which allows us to customize both processing and reporting stages. In this context, we can feed Cuckoo with Yara Rules based not only on the content of malware, but also on its behavior. One of the most prominent issues...
Blueliv-Releases-Q1-2015-Global-Cyber-Threat-Report
Chasing cybercrime: network insights of Dyre and Dridex Trojan bankers. (Report)
Trojan Bankers are a family of botnets that specialize in stealing information related to the financial sector and user data in order to sell it in underground marketplaces, some of them, also perform wire transfers using these credentials or by taking control of the infected computer. Due to the...
Main-PoS-infection-techniques
Main PoS infection techniques and how to avoid them
Stealing payment card data has become an everyday crime that yields quick monetary gains. The goal is to steal the data stored on the magnetic stripe of payment cards, clone the cards, and run charges on the accounts associated with them or even burn credit card track information into...
industry-blog
How to avoid a Dridex infection?
In the recent days we have been seeing a lot of commotion around the botnet Dridex. This improved version of Dridex is proliferating thanks to an effective phishing campaign. Taking advantage of the proximity of the annual tax declaration, the organization behind this botnet is sending emails to unsuspecting...
corporate-blueliv
VirusTotal’s Alliance with Blueliv Helps the Community to Improve Cyber Threat Protection
VirusTotal has now entered into an alliance with Blueliv that will allow both companies to share cyber intelligence knowledge to protect their users and clients against new cyber threats. VirusTotal is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected...
research-blog
My Little Pony
One year ago our colleague Xylit0l wrote about the Pony stealer malware. It’s been a year and the Pony family has grown! Two malwares, at least, have been found in the wild with some parts of Pony included in them. This is the case of Jolly Roger which is...
corporate-blueliv
How does Blueliv work?
Do you want to find out how our technology Blueliv works? We’re going to explain to you, step by step, how we hunt Cyber Crime with Blueliv Cyber Threat Intelligence. The process starts with the analysis of different malware samples gathered from the Internet so, what happens then?...
research-blog
AppCloud and the uprising SaaS Android trojan malware
Some weeks ago Intelcrawler informed of a large fraud campaign against major Islamic banking institutions and one from Spain. The malicious code infected the mobile devices of banking customers, intercepted the OTP («One-Time-Password») token code and immediately sent it to the bad actors. The unique side of the...
research-blog
Incident Response: Analyzing a mailer from memory
When an incident is detected, such as the malware infection of any machine on an internal network, it is especially critical to capture the “crime scene” with as much information as possible about the state of the infected machines. In this case, we will focus on how important it can be...
research-blog
Forensic Analysis of an Infection – PART III
As we mentioned in the previous post, in today's write-up we are going to perform a dynamic analysis of the malware. Specifically, we have taken the executable A0029519.exe located in: System Volume Information_restore{2D9E3322-AD12-427C-8050-DC9B1714968D}RP126 with a size of 42579 bytes and SHA1 hash 2566f4de9d1f789314c0e67fcdc4f2d4778308d. Once we have the specimen to analyze, we have...
research-blog
Forensic Analysis of a Malware Infection – PART II
Returning to the malware analysis topic we introduced in the previous post “Forensic Analysis of a Malware Infection – PART I”, we will now focus more on analyzing Windows artifacts to obtain more information about the modifications made by the specimen when infecting the machine...
research-blog
Forensic Analysis of a Malware Infection – PART I
Even in the summer period, when normal people are on holiday, security incidents arise. This is the case of an acquaintance who has very kindly lent his computer to be subjected to acquisition and subsequent analysis, in order to investigate a possible somewhat strange behaviour through which there appeared...
research-blog
Solution to Sans forensic challenge #5
On April 1, Sans organized a new forensic contest on the page http://forensicscontest.com/2010/04/01/ms-moneymanys-mysterious-malware. The contest consists of answering a series of questions posed by the organizers, with a network capture provided as evidence. At the end, after the stipulated deadline, the winner takes home a...
research-blog
Unmasking a botnet through the use of cryptanalysis
Recently we have been witnessing a significant rise in botnets put at the service of fraudulent activities, such as the mass theft of both online banking credentials and credit cards. Given the profitability derived from the malicious activities that a botnet facilitates, the...