The Russia-Ukraine crisis shakes up the cybercriminal ecosystem
Table of Contents: Introduction; Russian Side; UNC1151/Ghostwriter/TA445; The Red Bandits; Conti Team; Ukrainian side; IT Army of Ukraine; Anonymous; Belarusian Cyber Partisans; AgainstTheWest (ATW); Network Battalion 65′ (NB65); Underground forums position; Raidforums; Russian-speaking top-tier forums; Conclusions; References. Introduction: Since Russia launched a large-scale military invasion of Ukraine on February ...
Best of 2021 – State of Underground Card Shops in 2021 (life after Joker’s Stash)
Table of Contents: Introduction; Active credit card shops; FERum Shop; Brian’s Club; Thefreshstuffs; Missing Credit Card Shops; ValidCC; VaultMarket; Rescator; Conclusions. Introduction: On February 15, 2021, after nearly 6.5 years in business, the prolific card shop Joker’s Stash closed its doors. Those behind the ...
ShinyHunters leaks Wirecard Brasil data
Summary: On November 4, 2021, the threat actor known as ShinyHunters leaked data belonging to PagSeguro-owned online payment solution Wirecard Brasil via Raidforums. The data, which is only partially available, included personally identifiable information (PII) and credit card details from more than one million affected customers. Three days later, they shared the ...
What the RAMP leadership change means for cybersecurity
One actor doubles down on ransomware while another promises something “tasty” on the horizon. Introduction: In July 2021, the Russian-speaking forum RAMP (Ransom Anon Market Place) was unveiled, taking its name as a tribute to the now-closed drug market “Russian Anonymous Market Place” (also referred to as RAMP). Interestingly, ...
Insights about All World Cards and the published 1M credit cards
Table of Contents: Introduction; Marketing campaign: 1 million credit cards published; Analysis of the published credit cards; Where were these cards stolen?; When were these cards stolen?; Geographical distribution of the victims; Underground reactions; Threat Actors behind All World Cards; Conclusions. Introduction: “All World Cards” is a new underground ...
Leveraging API Hooking for code deobfuscation with Frida
Introduction: In this post we will discuss how to employ API hooking, a technique mostly used for binary targets, to deobfuscate malicious scripts. We will use the Frida framework to extract some key information for the analyst, such as the lists of C2 servers within the scripts, in some cases ...
Use of Initial Access Brokers by Ransomware Groups
Initial Access Brokers (IABs) are financially motivated threat actors that profit through the sale of remote access to corporate networks in underground forums, like Exploit, XSS, or Raidforums. The types of access offered are mostly Remote Desktop Protocol (RDP), Virtual Private Network (VPN), web shells, and remote access software tools offered ...
Dispelling ROCKYOU2021
Introduction: As you may already be aware, a user recently made available a compilation of passwords dubbed ROCKYOU2021 on an underground forum, and it has since been shared on multiple sites. At Blueliv, we have already seen a few misconceptions regarding this compilation, from news outlets and regular users alike. During ...
An In-Depth analysis of the new Taurus Stealer
Table of Contents: Introduction; Threat Actor; Packer; Taurus Stealer (Unpacked); C2 Communication; Stealer / Grabber; C2 Exfiltration; Yara; MITRE ATT&CK; Conclusion; IOCs. Introduction: Taurus Stealer, also known as Taurus or Taurus Project, is a C/C++ information-stealing malware that has been in the wild since April 2020. The initial attack ...
Fast Flux
Fast Flux is a technique that was seen for the first time in 2007, and is still used today, which allows attackers to resist dismantling, hide the true command and control servers, phishing sites, malware or clandestine markets, and take on possible countermeasures and censorship ...