Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities

FireEye Labs recently observed an attack against the government sector in Central Asia. The attack involved the new HAWKBALL backdoor being delivered via well-known Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802. HAWKBALL is a backdoor that attackers can use to collect...

FLARE Script Series: Recovering Stackstrings Using Emulation with ironstrings

This blog post continues our Script Series where the FireEye Labs Advanced Reverse Engineering FLARE team shares tools to aid the malware analysis community. Today, we release ironstrings: a new IDAPython script to recover stackstrings from malware. The script leverages code emulation to overcome...

FLARE Script Series: Automating Objective-C Code Analysis with Emulation

This blog post is the next episode in the FireEye Labs Advanced Reverse Engineering FLARE team Script Series. Today, we are sharing a new IDAPython library – flare-emu – powered by IDA Pro and the Unicorn emulation framework that provides scriptable emulation features for the x86, x8664, ARM, and...

FLOSS - FireEye Labs Obfuscated String Solver (Automatically extract obfuscated strings from malware)

Rather than heavily protecting backdoors with hardcore packers, many malware authors evade heuristic detections by obfuscating only key portions of an executable. Often, these portions are strings and resources used to configure domains, files, and other artifacts of an infection. These key...

Announcing the Fourth Annual Flare-On Challenge

The fourth annual Flare-On Challenge – the FireEye Labs Advanced Reverse Engineering FLARE team’s yearly reverse engineering contest – is scheduled to kick off on Sept. 1, 2017, at 8pm ET. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts, and security...

Announcing the Fourth Annual Flare-On Challenge

The fourth annual Flare-On Challenge – the FireEye Labs Advanced Reverse Engineering FLARE team’s yearly reverse engineering contest – is scheduled to kick off on Sept. 1, 2017, at 8pm ET. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts, and security...

FLARE Script Series: Querying Dynamic State using the FireEye Labs Query-Oriented Debugger (flare-qdb)

Introduction This post continues the FireEye Labs Advanced Reverse Engineering FLARE script series. Here, we introduce flare-qdb, a command-line utility and Python module based on vivisect for querying and altering dynamic binary state conveniently, iteratively, and at scale. flare-qdb works on...

FLARE Script Series: Querying Dynamic State using the FireEye Labs Query-Oriented Debugger (flare-qdb)

Introduction This post continues the FireEye Labs Advanced Reverse Engineering FLARE script series. Here, we introduce flare-qdb, a command-line utility and Python module based on vivisect for querying and altering dynamic binary state conveniently, iteratively, and at scale. flare-qdb works on...

Do You See What I CCM?

SCCM Software Metering Reviewing forensic keyword searches can be confusing because it is often difficult for an analyst to determine the source of the various structures that contain string matches. One such structure belongs to Microsoft's System Center Configuration Manager's SCCM software...

Operations of a Brazilian Payment Card Fraud Group

Introduction Brazil has been designated a major hub for financially motivated eCrime threat activity. Brazilian threat actors are targeting domestic and foreign entities and individuals, with frequent targeting of U.S. assets. The country routinely places in "Top Five" lists of various global cyb...

Increased Use of WMI for Environment Detection and Evasion

Introduction Throughout the past few months, FireEye Labs has observed an increased use of Windows Management Instrumentation WMI queries for environment detection and evasion of dynamic analysis and virtualization engines. WMI provides high-level interaction with Windows objects using C/C++,...

Announcing the Third Annual Flare-On Challenge

Let fall be the season for reverse engineering! On Sept. 23, 2016, the FireEye Labs Advanced Reverse Engineering FLARE team will be hosting its third annual Flare-On reverse engineering contest with a designated start time of 8pm ET. This is a CTF-style challenge for all active and aspiring rever...

Automatically Extracting Obfuscated Strings from Malware using the FireEye Labs Obfuscated String Solver (FLOSS)

Introduction and Motivation Have you ever run strings.exe on a malware executable and its output provided you with IP addresses, file names, registry keys, and other indicators of compromise IOCs? Great! No need to run further analysis or hire expensive experts to determine if a file is malicious...

Automatically Extracting Obfuscated Strings from Malware using the FireEye Labs Obfuscated String Solver (FLOSS)

Introduction and Motivation Have you ever run strings.exe on a malware executable and its output provided you with IP addresses, file names, registry keys, and other indicators of compromise IOCs? Great! No need to run further analysis or hire expensive experts to determine if a file is malicious...

Resurrection of the Evil Miner

At FireEye Labs, we recently detected the resurgence of a coin mining campaign with a novel and unconventional infection vector in the form of an iFRAME inline frame – an HTML document embedded inside another HTML document on a web page that allows users to get content from another separate sourc...

APT Group Sends Spear Phishing Emails to Indian Government Officials

Introduction On May 18, 2016, FireEye Labs observed a suspected Pakistan-based APT group sending spear phishing emails to Indian government officials. This threat actor has been active for several years and conducting suspected intelligence collection operations against South Asian political and...

APT Group Sends Spear Phishing Emails to Indian Government Officials

Introduction On May 18, 2016, FireEye Labs observed a suspected Pakistan-based APT group sending spear phishing emails to Indian government officials. This threat actor has been active for several years and conducting suspected intelligence collection operations against South Asian political and...

Ghosts in the Endpoint

We would like to introduce the first of our “Ghosts in the Endpoint” series, a report prepared by FireEye Labs that documents malicious software not being detected in the wild by traditional signature-based detections. In this study, all the families identified are samples from VirusTotal VT with...

Ghosts in the Endpoint

We would like to introduce the first of our “Ghosts in the Endpoint” series, a report prepared by FireEye Labs that documents malicious software not being detected in the wild by traditional signature-based detections. In this study, all the families identified are samples from VirusTotal VT with...

Stop Scanning My Macro

FireEye Labs detected an interesting evasion strategy in two recent, large Dridex campaigns. These campaigns changed the attachment file-type and location of malicious logic in an attempt to avoid scanners. Overview Both campaigns used an invoice theme and came from a wide variety of sending...