
BlueTea Action

Posted: April 27, 2020

The BlueTea Action is a worm that spams the user's e-mail contacts to infect new victims. It is strongly associated with 'Drive the Life,' a driver-updater program. Users should protect themselves by analyzing all downloads with appropriate anti-malware scanners and should have similar services ready to delete the BlueTea Action on sight.

A Tea that's Generously-Shared Poison

Threat actors who don't want tight control over the distribution of their Trojans and other tools can gain several advantages by embedding self-propagation features. Modularity is one way of organizing such attacks without significant extra work on the primary threat, as readers may see in the campaigns of the EmPyre backdoor Trojan, the Turla APT's Kazuar, and, as of now, the BlueTea Action and Drive the Life. The innocuously-named BlueTea Action serves as the delivery vehicle for the Drive the Life program, spreading the lure e-mails that carry it to everyone in the victim's contact list.

Unlike most threats that use similar exploits, Drive the Life is classifiable only as a Potentially Unwanted Program (PUP), rather than a Trojan with features like non-consensual encryption or C&C connectivity. Malware experts associate it mainly, but not exclusively, with China, and it is known for questionable driver-update prompts. As of April 2020, it also employs the BlueTea Action as a modular component.

The BlueTea Action, on the other hand, is a self-distributing worm and is entirely threatening. It harvests e-mail addresses from the Windows user's contact lists and spams them with disguised e-mails, most likely the same kind responsible for the initial infection. These e-mails use a Coronavirus theme ('The Truth of COVID-19') as the lure to encourage clicks, and their attached documents exploit vulnerabilities such as CVE-2017-8570, a Microsoft Office remote code execution flaw, to install Drive the Life.

Washing Down BlueTea Action with a Taste of Something Safer

Little about the BlueTea Action's campaign is unusual, although adding a worm to propagate a PUP isn't standard practice for most threat actors. Attached documents that exploit vulnerabilities or carry macros are favorites for compromising vulnerable business or government environments. In the case of the BlueTea Action's indiscriminate spam, they pose just as much risk to random Windows users in a recreational or home environment.

The Coronavirus is also a prominent theme for circulating Trojans, worms and PUPs. From the CoronaVirus Ransomware's cover for spyware to the 'Get Corona Safety Mask' Scam, these hoaxes are reminders that criminals stay abreast of current events and subvert them as needed. Users should be extra cautious when clicking on links or files involving scarce anti-disease resources or related news, should always install security patches, and should leave macros off.
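The worm's themed spam and the attachment vectors described in the paragraphs above (exploit documents, macros) suggest a simple mail-gateway triage. The following Python is an added example, not code from the original page or from the BlueTea Action or Drive the Life campaigns: it parses one message, flags a COVID-19 lure subject, and inspects Office/RTF attachments for VBA macros (a vbaProject.bin entry inside the OOXML zip container) or embedded OLE objects (an \objdata group in RTF, the embedding that CVE-2017-8570 exploit documents rely on). The function names, the lure regex and the three sample messages are constructed for this example; the OLE check is a heuristic, not a signature for that CVE.

```python
# Added example: mail-triage heuristic for the lure/attachment pattern
# described in the write-up. Not code from the original page or from the
# BlueTea Action campaign; helper names and sample messages are constructed.
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Lure theme named in the write-up ('The Truth of COVID-19') plus obvious variants.
LURE_SUBJECT = re.compile(r"covid[- ]?19|corona\s*virus", re.IGNORECASE)
# Office/RTF document extensions worth inspecting when attached to a lure.
DOC_EXT = re.compile(r"\.(docx?|docm|dotm|rtf|xlsx?|xlsm|pptx?|pptm)$", re.IGNORECASE)


def ooxml_has_macros(data: bytes) -> bool:
    """OOXML files are zip containers; VBA code lives in a vbaProject.bin entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def rtf_has_ole_object(data: bytes) -> bool:
    """RTF embeds OLE objects via \\object ... \\objdata; exploit documents of
    the CVE-2017-8570 kind ride on that embedding, so its presence in a lure
    attachment is worth a look (heuristic, not a signature for the CVE)."""
    return data.lstrip().startswith(b"{\\rt") and b"\\objdata" in data


def triage_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and report lure subject plus risky attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "") or "")
    report = {"subject": subject,
              "lure": bool(LURE_SUBJECT.search(subject)),
              "attachments": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not DOC_EXT.search(name):
            continue
        data = part.get_payload(decode=True) or b""
        report["attachments"].append({
            "name": name,
            "macros": ooxml_has_macros(data),
            "ole_object": rtf_has_ole_object(data),
        })
    # Flag only the combination: themed lure AND an active-content document.
    report["suspicious"] = report["lure"] and any(
        a["macros"] or a["ole_object"] for a in report["attachments"])
    return report


def build_sample(kind: str) -> bytes:
    """Constructed messages for a stand-alone run (not real campaign samples)."""
    msg = EmailMessage()
    msg["From"] = "contact@example.com"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "The Truth of COVID-19"
    msg.set_content("Please read the attached report.")
    if kind == "rtf":
        # Minimal RTF with an embedded-object group; the objdata payload is a stub.
        body = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}}"
        msg.add_attachment(body, maintype="application", subtype="rtf",
                           filename="The Truth of COVID-19.rtf")
    elif kind == "docm":
        # Minimal OOXML zip carrying a (stub) VBA project.
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("word/document.xml", "<w:document/>")
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 stub")
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="vnd.ms-word.document.macroEnabled.12",
                           filename="report.docm")
    elif kind == "clean":
        msg.add_attachment("plain notes", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for kind in ("rtf", "docm", "clean"):
        print(kind, triage_message(build_sample(kind)))
```

Only the combination of a themed subject and an active-content document is flagged, so a plain-text reply that merely mentions the virus passes while a macro-enabled or object-bearing document under the same subject is held for review.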

At a minimum, all users can protect themselves with proper anti-malware products, which will delete the BlueTea Action as a threat and should remove associated PUPs like Drive the Life, as well.

The BlueTea Action is hard to swallow, but it only takes one poorly-thought-out click to turn one's contact list into a distribution list for security problems. Whether the BlueTea Action stays in China or roams abroad, it and the Drive the Life PUP continue to blur the line between toxic applications and merely unhelpful ones.
