Attackers collaborate to exploit CVE-2021-21972 and CVE-2021-21973

Blog, research
Introduction. Last Tuesday, Feb. 23, 2021, VMware disclosed two vulnerabilities affecting vCenter Server and Cloud Foundation. Before publishing the advisory, the company had released a workaround to protect affected servers, intended only as a temporary measure until the patched builds can be deployed. This was ...

SolarWinds aftermath continues with SolarLeaks

Early this week a website presumably owned by the actors behind the SolarWinds breach surfaced, claiming to sell data obtained using the SolarWinds backdoor. The site, hosted on the domain solarleaks.net, displays only a PGP-signed message in which the actors share links to download the stolen information, ...

Using Qiling Framework to Unpack TA505 packed samples

Blog, framework, qiling, research, TA505
Table of contents: Introduction, TA505 Packer, Qiling Framework, Proof of Concept, IOC, Conclusion, References. Introduction. Threat actors make use of packers when distributing their malware, as packers remain an effective way to evade detection and make samples more difficult to analyze. Manual analysis can defeat these protections ...
RDPalooza: RDPs in the World of Cybercrime

Key Points. Remote Desktop Protocol (RDP) is a built-in part of the Windows toolkit, popular for facilitating remote work. Cybercriminals take interest in compromising RDP endpoints because they provide direct access into a victim environment through a graphical interface. Internet-facing RDP endpoints, colloquially known among cybercriminals simply ...
Rooty Dolphin uses Mekotio to target bank clients in South America and Europe

Key Points. Rooty Dolphin is a threat actor who uses Mekotio to target banks. Mekotio is a banking trojan of Brazilian origin. Rooty Dolphin initially targeted South America but moved on to Europe some months ago. Introduction. Blueliv Labs has been tracking the activities of different threat actors running campaigns in Latin America and Europe. Initially, ...
Playing with GuLoader Anti-VM techniques

GuLoader was one of the most widely used loaders for distributing malware throughout 2020. Among the malware families distributed by GuLoader are FormBook, AgentTesla and other commodity malware. Recent research by Check Point suggests that the GuLoader code is almost identical to a loader named CloudEye ...
M00nD3v, HawkEye threat actor, sells malware after COVID-19 diagnosis

Key Points. The information-stealing malware dubbed M00nD3v Logger was recently auctioned off on Hack Forums, together with HawkEye Reborn. The threat actor, operating under the alias “M00nD3v”, states that they sold the malware in response to being diagnosed with COVID-19. M00nD3v was previously involved in sales of the ...
Analysis of the Top 10 Hacktivist Operations

Key Points. The most relevant hacktivist operations of the last 12 months were #OpIceIsis, #OpChile, #OpChildSafety, #OpKillingBay and #OpBeast. The operation #OpGeorgeFloyd, born after George Floyd was killed by police in Minneapolis in May 2020, amassed 8,535 tweets in just three weeks. Hacktivist attacks generally comprise DDoS attacks, publishing confidential ...
Escape from the Maze – Part 2

In the previous article we covered the obfuscation techniques used by one of the loaders of the Maze ransomware; it is recommended reading before starting on the Maze DLL. In this article we analyze in detail the obfuscation techniques used by the Maze DLL ...
Escape from the Maze

Blog, research
Throughout this series of articles we will showcase some of the techniques used by the Maze ransomware to make its analysis more difficult. Additionally, a series of scripts will be provided to deobfuscate it and better follow the execution flow. Maze is usually distributed as a DLL, which is loaded ...