Attackers collaborate to exploit CVE-2021-21972 and CVE-2021-21973

Introduction: Last Tuesday, Feb. 23, 2021, VMware disclosed two vulnerabilities affecting vCenter Server and Cloud Foundation. Before the vulnerabilities were published, the company released a workaround to protect the servers that are meant to be …

State of Underground Card Shops in 2021

(life after Joker’s Stash)

Table of Contents: Introduction; Active credit card shops (FERum Shop, Brian’s Club, Thefreshstuffs); Missing credit card shops (ValidCC, VaultMarket, Rescator); Conclusions.

Introduction: On February 15, 2021, after nearly 6.5 year…

SolarWinds aftermath continues with SolarLeaks

Early this week a website presumably run by the actors behind the SolarWinds breach surfaced, claiming to sell data obtained through the SolarWinds backdoor. The site, hosted at the domain solarleaks.net, displays only a PGP-signed message, in wh…

Using Qiling Framework to Unpack TA505 packed samples

Table of Contents: Introduction; TA505 Packer; Qiling Framework; Proof of Concept; IOC; Conclusion; References.

Introduction: Threat actors make use of packers when distributing their malware, as packers remain an effective way to evade detection and to make t…

RDPalooza: RDPs in the World of Cybercrime

Key Points: Remote Desktop Protocol (RDP) is a built-in part of the Windows toolkit, popular for facilitating remote work. Cybercriminals take interest in compromising RDP endpoints because they provide direct access into a victim environment via a graphic…

M00nD3v, HawkEye threat actor, sells malware after COVID-19 diagnosis

Key Points: The information-stealing malware dubbed M00nD3v Logger was recently auctioned off on Hack Forums, together with HawkEye Reborn. The threat actor, operating under the alias “M00nD3v”, states that they so…

Analysis of the Top10 Hacktivist Operations

Key Points: The most relevant hacktivist operations in the last 12 months were #OpIceIsis, #OpChile, #OpChildSafety, #OpKillingBay and #OpBeast. The operation #OpGeorgeFloyd, born after George Floyd was killed by police in Minneapolis in May 2020…