545 matches found
Shining a Light on DARKSIDE Ransomware Operations
Update May 14: Mandiant has observed multiple actors cite a May 13 announcement that appeared to be shared with DARKSIDE RaaS affiliates by the operators of the service. This announcement stated that they lost access to their infrastructure, including their blog, payment, and CDN servers, and wou...
New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452
Executive Summary In August 2020, a U.S.-based entity uploaded a new backdoor that we have named SUNSHUTTLE to a public malware repository. SUNSHUTTLE is a second-stage backdoor written in GoLang that features some detection evasion capabilities. Mandiant observed SUNSHUTTLE at a victim compromis...
GongDa vs. Korean News
On Jan. 27, we observed visitors to a Korean news site being redirected to the GongDa Exploit Kit EK, potentially exposing them to malware infection. We will be referring to this site as KNS. GongDa is an exploit kit that can compromise vulnerable endpoints by use of exploits, allowing harmful...
Lessons from Operation RussianDoll
As defensive security controls raise the bar to attack, attackers will employ increasingly sophisticated techniques to complete their mission. Understanding the mechanics and impact of these threats is essential to systematically discover and deflect the coming wave of advanced attacks. Mandiant...
Unique Threats to Operational Technology and Cyber Physical Systems
In this latest episode of our Eye on Security podcast, I talk all about the world of operational technology OT and cyber physical systems with one of our foremost experts on the topic: Nathan Brubaker, Senior Manager of Analysis for Mandiant Threat Intelligence. Nathan kicked off our chat by...
Introducing pywintrace: A Python Wrapper for ETW
Introduction Event tracing for Windows ETW is a lightweight logging facility first introduced with Windows 2000. Originally intended as a software diagnostic, troubleshooting and performance monitoring tool, it was greatly expanded in Windows Vista to create a lightweight debugging mechanism. The...
SharPersist: Windows Persistence Toolkit in C#
Background PowerShell has been used by the offensive community for several years now but recent advances in the defensive security industry are causing offensive toolkits to migrate from PowerShell to reflective C to evade modern security products. Some of these advancements include Script Block...
Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads
The “EternalBlue” exploit MS017-010 was initially used by WannaCry ransomware and Adylkuzz cryptocurrency miner. Now more threat actors are leveraging the vulnerability in Microsoft Server Message Block SMB protocol – this time to distribute Backdoor.Nitol and Trojan Gh0st RAT. FireEye Dynamic...
FLARE Script Series: Querying Dynamic State using the FireEye Labs Query-Oriented Debugger (flare-qdb)
Introduction This post continues the FireEye Labs Advanced Reverse Engineering FLARE script series. Here, we introduce flare-qdb, a command-line utility and Python module based on vivisect for querying and altering dynamic binary state conveniently, iteratively, and at scale. flare-qdb works on...
Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices
Today, Mandiant disclosed a critical risk vulnerability in coordination with the Cybersecurity and Infrastructure Security Agency “CISA” that affects millions of IoT devices that use the ThroughTek “Kalay” network. This vulnerability, discovered by researchers on Mandiant’s Red Team in late 2020,...
Detecting Microsoft 365 and Azure Active Directory Backdoors
Mandiant has seen an uptick in incidents involving Microsoft 365 M365 and Azure Active Directory Azure AD. Most of these incidents are the result of a phishing email coercing a user to enter their credentials used for accessing M365 into a phishing site. Other incidents have been a result of...
Definitive Dossier of Devilish Debug Details – Part One: PDB Paths and Malware
Have you ever wondered what goes through the mind of a malware author? How they build their tools? How they organize their development projects? What kind of computers and software they use? We took a stab and answering some of those questions by exploring malware debug information. We find that...
MIRcon 2013 – Day 2 Highlights
Thanks for another wonderful MIRcon®, everyone! It's been an honor to bring together so many leading minds in cybersecurity, and to foster conversations about what we can all do to safeguard the information and innovationson which so much of us rely on. The second and final day of MIRcon 2013...
Analyzing Dark Crystal RAT, a C# Backdoor
The FireEye Mandiant Threat Intelligence Team helps protect our customers by tracking cyber attackers and the malware they use. The FLARE Team helps augment our threat intelligence by reverse engineering malware samples. Recently, FLARE worked on a new C variant of Dark Crystal RAT DCRat that the...
Monitoring Windows Console Activity (Part 2)
This is the second of two blogs that discuss the implementation of the Windows console architecture from years past, with a primary focus on the current implementation present on modern versions of Windows. Read our first blog, "Monitoring Windows Console Activity Part 1," for more. Capturing the...
Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)
Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY. POSHSPY leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation WMI. In the investigations Mandiant has conducted, it appeared that APT29 deployed POSHSPY as a secondary...
Embedded Hardware Hacking 101 – The Belkin WeMo Link
Why Embedded Hacking? Devices that are connected to the Internet or run a full operating system are becoming more and more prevalent in today’s society. From devices for locomotives to wireless light switches, the Internet of Things IoT trend is on the rise and here to stay. This has the potentia...
Using Speakeasy Emulation Framework Programmatically to Unpack Malware
Andrew Davis recently announced the public release of his new Windows emulation framework named Speakeasy. While the introductory blog post focused on using Speakeasy as an automated malware sandbox of sorts, this entry will highlight another powerful use of the framework: automated malware...
FLARE VM Update
FLARE VM is the first of its kind reverse engineering and malware analysis distribution on Windows platform. Since its introduction in July 2017, FLARE VM has been continuously trusted and used by many reverse engineers, malware analysts, and security researchers as their go-to environment for...
Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks
In March 2016, a financially motivated threat actor launched several tailored spear phishing campaigns primarily targeting the retail, restaurant, and hospitality industries. The emails contained variations of Microsoft Word documents with embedded macros that, when enabled, downloaded and execut...
Exploiting CVE-2016-2060 on Qualcomm Devices
Mandiant’s Red Team recently discovered a widespread vulnerability affecting Android devices that permits local privilege escalation to the built-in user “radio”, making it so an attacker can potentially perform activities such as viewing the victim’s SMS database and phone history. The...
WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques
Microsoft is known for their backwards compatibility. When they rolled out the 64-bit variant of Windows years ago they needed to provide compatibility with existing 32-bit applications. In order to provide seamless execution regardless of application bitness, the WoW Windows on Windows system wa...
Operations of a Brazilian Payment Card Fraud Group
Introduction Brazil has been designated a major hub for financially motivated eCrime threat activity. Brazilian threat actors are targeting domestic and foreign entities and individuals, with frequent targeting of U.S. assets. The country routinely places in "Top Five" lists of various global cyb...
Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
Summary Recently, FireEye Managed Defense detected and responded to a FIN6 intrusion at a customer within the engineering industry, which seemed out of character due to FIN6’s historical targeting of payment card data. The intent of the intrusion was initially unclear because the customer did not...
Embedded Hardware Hacking 101 – The Belkin WeMo Link
Why Embedded Hacking? Devices that are connected to the Internet or run a full operating system are becoming more and more prevalent in today’s society. From devices for locomotives to wireless light switches, the Internet of Things IoT trend is on the rise and here to stay. This has the potentia...
Wiping Out a Malicious Campaign Abusing Chinese Ad Platform
At FireEye Labs, we have discovered another well-crafted malvertising campaign that uses the ad API of one of the world’s largest search engines: China-based Baidu. The attacker employs a simple HTML redirector instead of shellcode or an exploit in an apparently benign-looking website. This leads...
Back That App Up: Gaining Root on the Lenovo Vibe
In May of 2016, Mandiant’s Red Team discovered a series of vulnerabilities present on Lenovo’s Vibe P1 Android-based mobile device that allow local privilege escalation to the user “root”. Mandiant disclosed these vulnerabilities to Lenovo in May of 2016. Lenovo advised Mandiant that it should wo...
FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed!
As a reverse engineer on the FLARE Team I rely on a customized Virtual Machine VM to perform malware analysis. The Virtual Machine is a Windows installation with numerous tweaks and tools to aid my analysis. Unfortunately trying to maintain a custom VM like this is very laborious: tools frequentl...
Rotten Apples: Apple-like Malicious Phishing Domains
At FireEye Labs we have an automated system designed to proactively detect newly registered malicious domains. This system observed some phishing domains registered in the first quarter of 2016 that were designed to appear as legitimate Apple domains. These phony Apple domains were involved in...
WMImplant – A WMI Based Agentless Post-Exploitation RAT Developed in PowerShell
Just over one year ago November 2015, I released WMIOps, a PowerShell script that enables a user to carry out different actions via Windows Management Instrumentation WMI on the local machine or a remote machine. WMIOps can: Start or stop a process. Return a list of all running processes. Power...
The UNC2529 Triple Double: A Trifecta Phishing Campaign
In December 2020, Mandiant observed a widespread, global phishing campaign targeting numerous organizations across an array of industries. Mandiant tracks this threat actor as UNC2529. Based on the considerable infrastructure employed, tailored phishing lures and the professionally coded...
Hunting COM Objects (Part Two)
Background As a follow up to Part One in this blog series on COM object hunting, this post will talk about taking the COM object hunting methodology deeper by looking at interesting COM object methods exposed in properties and sub-properties of COM objects. What is a COM Object? According to...
FLARE IDA Pro Script Series: Automatic Recovery of Constructed Strings in Malware
The FireEye Labs Advanced Reverse Engineering FLARE Team is dedicated to sharing knowledge and tools with the community. We started with the release of the FLARE On Challenge in early July where thousands of reverse engineers and security enthusiasts participated. Stay tuned for a write-up of the...
FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed!
UPDATE 2 Nov. 14, 2018: FLARE VM now has a new installation, upgrade, and uninstallation process, and also includes many new tools such as IDA 7.0, radare and YARA. UPDATE April 26, 2018: The web installer method to deploy FLARE VM is now deprecated. Please refer to the README on the FLARE VM...
Back That App Up: Gaining Root on the Lenovo Vibe
In May of 2016, Mandiant’s Red Team discovered a series of vulnerabilities present on Lenovo’s Vibe P1 Android-based mobile device that allow local privilege escalation to the user “root”. Mandiant disclosed these vulnerabilities to Lenovo in May of 2016. Lenovo advised Mandiant that it should wo...
Redline: Answering Your Questions
Those of you who attended the "Tools of Engagement: Redline™ - We've Got the Tool, If You've Got the Time" webinar last month by David Ross and myself will recall that we ran short on time while answering all of your questions. The webinar covered the latest updates to Redline, Mandiant's free to...
PowerShell used for spreading Trojan.Laziok through Google Docs
Introduction Through our multi-flow detection capability, we recently identified malicious actors spreading Trojan.Laziok malware via Google Docs. We observed that the attackers managed to upload the payload to Google Docs in March 2016. During the brief time it was live, users accessing the...
FLARE Script Series: Querying Dynamic State using the FireEye Labs Query-Oriented Debugger (flare-qdb)
Introduction This post continues the FireEye Labs Advanced Reverse Engineering FLARE script series. Here, we introduce flare-qdb, a command-line utility and Python module based on vivisect for querying and altering dynamic binary state conveniently, iteratively, and at scale. flare-qdb works on...
Rotten Apples: Apple-like Malicious Phishing Domains
At FireEye Labs we have an automated system designed to proactively detect newly registered malicious domains. This system observed some phishing domains registered in the first quarter of 2016 that were designed to appear as legitimate Apple domains. These phony Apple domains were involved in...
HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign
A wide variety of threat actors began distributing HawkEye malware through high-volume email campaigns after it became available for purchase via a public-facing website. The actors behind the phishing campaigns typically used email themes based on current events and media reports that would piqu...
Finding Weaknesses Before the Attackers Do
This blog post originally appeared as an article in M-Trends 2019. FireEye Mandiant red team consultants perform objectives-based assessments that emulate real cyber attacks by advanced and nation state attackers across the entire attack lifecycle by blending into environments and observing how...
The FireEye OT-CSIO: An Ontology to Understand, Cross-Compare, and Assess Operational Technology Cyber Security Incidents
The FireEye Operational Technology Cyber Security Incident Ontology OT-CSIO While the number of threats to operational technology OT have significantly increased since the discovery of Stuxnet – driven by factors such as the growing convergence with information technology IT networks and the...
Commando VM 2.0: Customization, Containers, and Kali, Oh My!
The Complete Mandiant Offensive Virtual Machine “Commando VM” swept the penetration testing community by storm when it debuted in early 2019 at Black Hat Asia Arsenal. Our 1.0 release made headway featuring more than 140 tools. Well now we are back again for another spectacular release, this time...
2019 Flare-On Challenge Solutions
We are pleased to announce the conclusion of the sixth annual Flare-On Challenge. The popularity of this event continues to grow and this year we saw a record number of players as well as finishers. We will break down the numbers later in the post, but right now let’s look at the fun stuff: the...
Phishing Campaign Leverages WOFF Obfuscation and Telegram Channels for Communication
FireEye Email Security recently encountered various phishing campaigns, mostly in the Americas and Europe, using source code obfuscation with compromised or bad domains. These domains were masquerading as authentic websites and stole personal information such as credit card data. The stolen...
Detecting Embedded Content in OOXML Documents
On Advanced Practices, we are always looking for new ways to find malicious activity and track adversaries over time. Today we’re sharing a technique we use to detect and cluster Microsoft Office documents—specifically those in the Office Open XML OOXML file format. Additionally, we’re releasing ...
Attacks Leveraging Adobe Zero-Day (CVE-2018-4878) – Threat Attribution, Attack Scenario and Recommendations
On Jan. 31, KISA KrCERT published an advisory about an Adobe Flash zero-day vulnerability CVE-2018-4878 being exploited in the wild. On Feb. 1, Adobe issued an advisory confirming the vulnerability exists in Adobe Flash Player 28.0.0.137 and earlier versions, and that successful exploitation coul...
Staying Hidden on the Endpoint: Evading Detection with Shellcode
True red team assessments require a secondary objective of avoiding detection. Part of the glory of a successful red team assessment is not getting detected by anything or anyone on the system. As modern Endpoint Detection and Response EDR products have matured over the years, the red teams must...
Red Line Drawn: China Recalculates Its Use of Cyber Espionage
On Sept. 25, 2015, President Barack Obama and Chinese President Xi Jinping agreed that neither government would “conduct or knowingly support cyber-enabled theft of intellectual property” for an economic advantage. Some observers hailed the agreement as a game changer for U.S. and Chinese...
A Look Back at 2012: The Armory
As we are mere hours away from celebrating 2013, we'd like to focus today on M-Unition's Armory channel. The Armory is the place to be if you want to be the first to find out about the latest releases, free tools and of course, our ever popular M-Trends report. The most popular posts in this...