New BlueFox Stealer IPs Predicted by Augur
There is a new stealer in town. As reported in threat research posts in early November by both Sekoia and Hive Pro, BlueFox is a new MaaS (malware as a service) info stealer being actively promoted on the dark web as BlueFox Stealer V2.
According to the Hive Pro article, the package is being sold for USD $350 per month. Both sources agree that we should expect to see an uptick in threat actors and cyber criminals using this platform to steal credentials from popular browsers and cryptocurrency wallets, and to grab and download files.
The good news for Augur subscribers is that Augur predicted two of the main IPs used for C2 by BlueFox. Let's take a look at them.
If you are an Augur subscriber, you can follow the links below to get an in-depth look at these IOCs on our threat-hunting platform. You can also track BlueFox activity here.
45[.]8[.]147[.]200 was predicted to be malicious in early Q2 2022, almost six months before the first research and activity reports concerning BlueFox. The IP is part of CIDR 18.104.22.168/24, which was also predicted to be malicious. Since that prediction, all 256 IPs on this CIDR have been reported as malicious. The ASN it belongs to, 44477 (registered to the inventively-named Stark Industries), has 9 Augur predictions against it and more than 75 CIDRs reported as malicious.
This CIDR is associated with Augur Threat Group Profile 151410, which is composed mainly of Chinese and Russian-affiliated APT groups, including Naikon, Saint Bear and APT 29.
94[.]131[.]107[.]223 was predicted to be malicious in Q3 of 2022, just a few months before the first research and activity reports concerning BlueFox. Despite this being a fairly new prediction, 27 IPs in the CIDR this IP belongs to (22.214.171.124/24) have already been reported as malicious by third-party researchers.
This CIDR also belongs to ASN 44477 and is associated with the same Threat Group Profile as 45[.]8[.]147[.]200.
Time to Block!
If you are not an Augur subscriber, we recommend blocking 126.96.36.199/24 and 94[.]131[.]107[.]223 immediately. We also recommend you mitigate risk by blocking all IPs from the CIDRs these IPs belong to (188.8.131.52/24, 184.108.40.206/24) as they either have already been reported or are predicted with a high likelihood to be malicious.
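To check existing logs alongside blocking, the following added example (not code from Augur or the original post) refangs the two C2 IPs named above, computes the /24 that encloses each, and flags log destinations that match either exactly or by range. The `dst=` key-value log format and the sample log lines are constructed assumptions.

```python
import ipaddress
import re

# The two C2 indicators exactly as the post prints them (defanged).
DEFANGED_IOCS = ["45[.]8[.]147[.]200", "94[.]131[.]107[.]223"]

def refang(indicator):
    """Turn a defanged IPv4 string such as 1[.]2[.]3[.]4 into an address object."""
    return ipaddress.ip_address(indicator.replace("[.]", "."))

def enclosing_24(addr):
    """Return the /24 network containing addr (host bits cleared)."""
    return ipaddress.ip_network(f"{addr}/24", strict=False)

IOC_IPS = {refang(i) for i in DEFANGED_IOCS}
IOC_NETS = {enclosing_24(a) for a in IOC_IPS}

# Assumed log format: space-separated key=value pairs with a dst= field.
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")

def classify(dst):
    """Return 'exact', 'same-/24', or None for a destination string."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:          # e.g. an octet above 255 in a corrupt line
        return None
    if addr in IOC_IPS:
        return "exact"
    if any(addr in net for net in IOC_NETS):
        return "same-/24"
    return None

def scan(lines):
    """Return (line_number, destination, verdict) for every matching line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DST_RE.search(line)
        verdict = classify(m.group(1)) if m else None
        if verdict:
            hits.append((n, m.group(1), verdict))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2022-11-20T10:01:02Z action=allow src=10.0.4.21 dst=94.131.107.223 dport=443",
    "2022-11-20T10:01:09Z action=allow src=10.0.4.37 dst=45.8.147.17 dport=80",
    "2022-11-20T10:02:44Z action=allow src=10.0.4.21 dst=192.0.2.10 dport=443",
    "2022-11-20T10:03:10Z action=allow src=10.0.4.50 dst=45.8.148.200 dport=443",
    "2022-11-20T10:03:31Z action=deny src=10.0.4.50 dst=999.1.1.1 dport=53",
]

if __name__ == "__main__":
    for n, dst, verdict in scan(SAMPLE_LOG):
        print(f"line {n}: {dst} ({verdict})")
```

Range-only matches ("same-/24") are weaker evidence than exact matches and are worth triaging separately.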
Find Out More
Curious to see how Augur works and how Augur’s predictive intelligence can improve your zero-day protection and overall security posture? You can learn more about how Augur works and how it solves real-world security problems.