Blueliv Labs, Author at Security Boulevard
Insights about All World Cards and the published 1M credit cards

Table of Contents: Introduction; Marketing campaign: 1 million credit cards published; Analysis of the published credit cards; Where were these cards stolen?; When were these cards stolen?; Geographical distribution of the victims; Underground reactions; Threat Actors behind All World Cards; Conclusions. Introduction: “All World Cards” is a new underground ... Read More
Leveraging API Hooking for code deobfuscation with Frida

Introduction: In this post we will discuss how to employ API hooking, a technique mostly used against binary targets, to deobfuscate malicious scripts. We will use the Frida framework to extract key information for the analyst, such as the lists of C2 servers embedded in the scripts, in some cases ... Read More
Use of Initial Access Brokers by Ransomware Groups

Initial Access Brokers (IABs) are financially motivated threat actors that profit from selling remote access to corporate networks on underground forums such as Exploit, XSS, or Raidforums. The types of access offered are mostly Remote Desktop Protocol (RDP), Virtual Private Network (VPN), web shells, and remote access software tools offered ... Read More

Dispelling ROCKYOU2021

Introduction: As you may already be aware, a user recently made available a compilation of passwords dubbed ROCKYOU2021 on an underground forum, and it has since been shared on multiple sites. At Blueliv, we have already seen a few misconceptions regarding this compilation, from news outlets and regular users alike. During ... Read More
An In-Depth analysis of the new Taurus Stealer

Table of Contents: Introduction; Threat Actor; Packer; Taurus Stealer (Unpacked); C2 Communication; Stealer / Grabber; C2 Exfiltration; Yara; MITRE ATT&CK; Conclusion; IOCs. Introduction: Taurus Stealer, also known as Taurus or Taurus Project, is a C/C++ information-stealing malware that has been in the wild since April 2020. The initial attack ... Read More
FAST FLUX

Fast Flux is a technique first seen in 2007, and still in use today, that allows attackers to resist dismantling, hide the true command and control servers, phishing sites, malware or clandestine markets, and withstand possible countermeasures and censorship ... Read More
Attackers collaborate to exploit CVE-2021-21972 and CVE-2021-21973

Categories: Blog, research
Introduction: Last Tuesday, Feb. 23, 2021, VMware disclosed two vulnerabilities affecting vCenter Server and Cloud Foundation. Before publishing the vulnerabilities, the company released a workaround to protect the servers, meant as a temporary solution until updates with the security patch can be deployed. This was ... Read More
State of Underground Card Shops in 2021

(life after Joker’s Stash) Table of Contents: Introduction; Active credit card shops; FERum Shop; Brian’s Club; Thefreshstuffs; Missing Credit Card Shops; ValidCC; VaultMarket; Rescator; Conclusions. Introduction: On February 15, 2021, after nearly 6.5 years in business, the prolific card shop Joker’s Stash closed its doors. Those behind the ... Read More

SolarWinds aftermath continues with SolarLeaks

Early this week a website presumably owned by the actors behind the SolarWinds breach surfaced, claiming to sell data obtained using the SolarWinds backdoor. The site, using the domain solarleaks.net, displays only a PGP-signed message in which the actors share the links to download the stolen information, ... Read More
Using Qiling Framework to Unpack TA505 packed samples

Categories: Blog, framework, qiling, research, TA505
Table of Contents: Introduction; TA505 Packer; Qiling Framework; Proof of Concept; IOC; Conclusion; References. Introduction: Threat actors make use of packers when distributing their malware, as packers remain an effective way to evade detection and to make samples more difficult to analyze. Manual analysis can defeat these protections ... Read More