Lucene search
+L
FireeyeMost viewed

545 matches found

FireEye
FireEye
added 2018/04/10 3:0 p.m.61 views

Solving Ad-hoc Problems with Hex-Rays API

Introduction IDA Pro is the de facto standard when it comes to binary reverse engineering. Besides being a great disassembler and debugger, it is possible to extend it and include a powerful decompiler by purchasing an additional license from Hex-Rays. The ability to switch between disassembled a...

6.6AI score
Exploits0References7
FireEye
FireEye
added 2017/01/11 8:45 p.m.61 views

New Variant of Ploutus ATM Malware Observed in the Wild in Latin America

Introduction Ploutus is one of the most advanced ATM malware families we’ve seen in the last few years. Discovered for the first time in Mexico back in 2013, Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message, a technique that had...

7.4AI score
Exploits0
FireEye
FireEye
added 2021/01/21 12:0 a.m.60 views

Training Transformers for Cyber Security Tasks: A Case Study on Malicious URL Prediction

Highlights Perform a case study on using Transformer models to solve cyber security problems Train a Transformer model to detect malicious URLs under multiple training regimes Compare our model against other deep learning methods, and show it performs on-par with other top-scoring models Identify...

0.1AI score
Exploits0References13
FireEye
FireEye
added 2021/01/19 12:0 a.m.60 views

Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452

UPDATE Oct. 28, 2021: Mandiant has recently observed targeted threat actors using EWS impersonation via the ApplicationImpersonation role to maintain persistent access to mailboxes in victim environments. Once the threat actor has access to this role, its abuse is hard to detect and provides the...

1.6AI score
Exploits0References15
FireEye
FireEye
added 2016/06/20 8:0 a.m.59 views

Resurrection of the Evil Miner

At FireEye Labs, we recently detected the resurgence of a coin mining campaign with a novel and unconventional infection vector in the form of an iFRAME inline frame – an HTML document embedded inside another HTML document on a web page that allows users to get content from another separate sourc...

7AI score
Exploits0
FireEye
FireEye
added 2016/05/14 12:0 a.m.58 views

CVE-2016-4117: Flash Zero-Day Exploited in the Wild

On May 8, 2016, FireEye detected an attack exploiting a previously unknown vulnerability in Adobe Flash Player CVE-2016-4117 and reported the issue to the Adobe Product Security Incident Response Team PSIRT. Adobe released a patch for the vulnerability in APSB16-15 just four days later. Attackers...

10CVSS8.9AI score0.94354EPSS
Exploits6References1
FireEye
FireEye
added 2016/04/13 1:0 p.m.58 views

Ghosts in the Endpoint

We would like to introduce the first of our “Ghosts in the Endpoint” series, a report prepared by FireEye Labs that documents malicious software not being detected in the wild by traditional signature-based detections. In this study, all the families identified are samples from VirusTotal VT with...

10CVSS7.6AI score0.99344EPSS
Exploits10
FireEye
FireEye
added 2017/05/04 12:30 p.m.57 views

Dridex and Locky Return Via PDF Attachments in Latest Campaigns

Dridex and Locky, two prolific malware families that made waves in 2016 after being distributed in several high-volume spam campaigns, have returned after a brief hiatus. FireEye observed a decline in the volume of Dridex and Locky in the latter half of 2016, but we recently observed two new larg...

7.3AI score
Exploits0
FireEye
FireEye
added 2016/04/07 12:30 p.m.57 views

CVE-2016-1019: A New Flash Exploit Included in Magnitude Exploit Kit

On April 2, security researcher @Kafeine at Proofpoint discovered a change to the Magnitude Exploit Kit. Thanks to their collaboration, we analyzed the sample and discovered that Magnitude EK was exploiting a previously unknown vulnerability in Adobe Flash Player CVE-2016-1019. The in-the-wild...

10CVSS9.3AI score0.44537EPSS
Exploits1References3
FireEye
FireEye
added 2021/09/01 3:30 p.m.55 views

Too Log; Didn't Read — Unknown Actor Using CLFS Log Files for Stealth

The Mandiant Advanced Practices team recently discovered a new malware family we have named PRIVATELOG and its installer, STASHLOG. In this post, we will share a novel and especially interesting technique the samples use to hide data, along with detailed analysis of both files that was performed...

0.2AI score
Exploits0References5
FireEye
FireEye
added 2016/08/03 4:30 a.m.54 views

FakeNet-NG: Next Generation Dynamic Network Analysis Tool

As a reverse engineer on the FLARE FireEye Labs Advanced Reverse Engineering team, I regularly perform basic dynamic analysis of malware samples. The goal is to quickly observe runtime characteristics by running binaries in a safe environment. One important task during dynamic analysis is to...

Exploits0
FireEye
FireEye
added 2017/07/25 1:0 p.m.53 views

HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign

A wide variety of threat actors began distributing HawkEye malware through high-volume email campaigns after it became available for purchase via a public-facing website. The actors behind the phishing campaigns typically used email themes based on current events and media reports that would piqu...

0.2AI score
Exploits0
FireEye
FireEye
added 2016/11/09 8:0 a.m.53 views

Extending Linux Executable Logging With The Integrity Measurement Architecture

Gaining insight into the files being executed on your system is a great first step towards improved visibility on your endpoints. Taking this a step further, centrally storing logs of file execution data so they can be used for detection and hunting provides an excellent opportunity to find evil ...

7.4AI score
Exploits0
FireEye
FireEye
added 2016/05/12 1:30 p.m.53 views

Cerber Ransomware Partners with the Dridex Spam Distributor

Cerber ransomware incorporates the unusual feature of “speaking” its ransom message after successfully infecting a user machine and encrypting files. Cerber was first seen in the wild at the end of February 2016 and was observed being delivered mostly via exploit kits EK, notably using Magnitude...

0.1AI score
Exploits0
FireEye
FireEye
added 2021/08/12 3:30 p.m.52 views

Announcing the Eighth Annual Flare-On Challenge

The FLARE team is once again hosting its annual Flare-On challenge, now in its eighth year. Take this opportunity to enjoy some extreme social distancing by solving fun puzzles to test your mettle and learn new tricks on your path to reverse engineering excellence. The contest will begin at 8:00...

7.2AI score
Exploits0References1
FireEye
FireEye
added 2019/04/16 7:0 a.m.52 views

Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic

In early 2019, FireEye Threat Intelligence identified a spear phishing email targeting government entities in Ukraine. The spear phishing email included a malicious LNK file with PowerShell script to download the second-stage payload from the command and control C&C server. The email was received...

7.4AI score
Exploits0References3
FireEye
FireEye
added 2017/03/15 8:48 a.m.52 views

Still Getting Served: A Look at Recent Malvertising Campaigns Involving Exploit Kits

Malvertising occurs when an online advertising network knowingly or unknowingly serves up malicious advertisements on a website. Malvertisements are a type of “drive-by” threat that tend to result in users being infected with malware for simply visiting a website. The victims of this threat are...

6.6AI score
Exploits0
FireEye
FireEye
added 2014/06/24 10:0 a.m.52 views

Turing Test in Reverse: New Sandbox-Evasion Techniques Seek Human Interaction

Last year, we published a paper titled Hot Knives Through Butter, Evading File-Based Sandboxes. In this paper, we explained many sandbox evasion methods--and today's blog post adds to our growing catalog. In the past, for example, we detailed the inner workings of a Trojan we dubbed UpClicker. Th...

0.1AI score
Exploits0
FireEye
FireEye
added 2017/09/19 4:15 p.m.51 views

Introducing pywintrace: A Python Wrapper for ETW

Introduction Event tracing for Windows ETW is a lightweight logging facility first introduced with Windows 2000. Originally intended as a software diagnostic, troubleshooting and performance monitoring tool, it was greatly expanded in Windows Vista to create a lightweight debugging mechanism. The...

6.7AI score
Exploits0
FireEye
FireEye
added 2020/01/31 12:0 a.m.50 views

Abusing DLL Misconfigurations — Using Threat Intelligence to Weaponize R&D

DLL Abuse Techniques Overview Dynamic-link library DLL side-loading occurs when Windows Side-by-Side WinSxS manifests are not explicit about the characteristics of DLLs being loaded by a program. In layman’s terms, DLL side-loading can allow an attacker to trick a program into loading a malicious...

Exploits0References26
FireEye
FireEye
added 2020/10/14 12:0 a.m.49 views

FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft

Mandiant Threat Intelligence recently promoted a threat cluster to a named FIN or financially motivated threat group for the first time since 2017. We have detailed FIN11's various tactics, techniques and procedures in a report that is available now by signing up for Mandiant Advantage Free. In...

1.3AI score
Exploits0References4
FireEye
FireEye
added 2017/05/23 1:30 p.m.49 views

WannaCry Malware Profile

WannaCry also known as WCry or WanaCryptor malware is a self-propagating worm-like ransomware that spreads through internal networks and over the public internet by exploiting a vulnerability in Microsoft’s Server Message Block SMB protocol, MS17-010. The WannaCry malware consists of two distinct...

Exploits0
FireEye
FireEye
added 2017/03/27 8:0 a.m.48 views

APT29 Domain Fronting With TOR

Mandiant has observed Russian nation-state attackers APT29 employing domain fronting techniques for stealthy backdoor access to victim environments for at least two years. There has been considerable discussion about domain fronting following the release of a paper detailing these techniques...

7.7AI score
Exploits0
FireEye
FireEye
added 2017/01/09 11:0 a.m.48 views

Credit Card Data and Other Information Targeted in Netflix Phishing Campaign

Introduction Through FireEye’s Email Threat Prevention ETP solution, FireEye Labs discovered a phishing campaign in the wild targeting the credit card data and other personal information of Netflix users primarily based in the United States. This campaign is interesting because of the evasion...

6.9AI score
Exploits0
FireEye
FireEye
added 2012/06/28 4:2 p.m.47 views

Unibody Memory Analysis -- Introducing Memoryze™ for the Mac 1.0

Today, Mandiant is introducing a new free tool, Memoryze™ for the Mac 1.0, which brings memory imaging and analysis to the Mac. It joins a growing list of freeware tools Mandiant currently provides. Memoryze™ for the Mac 1.0 brings many of the features of Memoryze™ to the Apple Macintosh platform...

6.6AI score
Exploits0
FireEye
FireEye
added 2017/06/02 1:0 p.m.46 views

Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads

The “EternalBlue” exploit MS017-010 was initially used by WannaCry ransomware and Adylkuzz cryptocurrency miner. Now more threat actors are leveraging the vulnerability in Microsoft Server Message Block SMB protocol – this time to distribute Backdoor.Nitol and Trojan Gh0st RAT. FireEye Dynamic...

9.3CVSS9.7AI score0.94996EPSS
Exploits39References6
FireEye
FireEye
added 2017/05/26 11:0 a.m.46 views

SMB Exploited: WannaCry Use of "EternalBlue"

Server Message Block SMB is the transport protocol used by Windows machines for a wide variety of purposes such as file sharing, printer sharing, and access to remote Windows services. SMB operates over TCP ports 139 and 445. In April 2017, Shadow Brokers released an SMB vulnerability named...

0.2AI score
Exploits0
FireEye
FireEye
added 2016/12/15 8:0 a.m.46 views

Do You See What I CCM?

SCCM Software Metering Reviewing forensic keyword searches can be confusing because it is often difficult for an analyst to determine the source of the various structures that contain string matches. One such structure belongs to Microsoft's System Center Configuration Manager's SCCM software...

7.1AI score
Exploits0
FireEye
FireEye
added 2015/12/28 9:1 a.m.46 views

FLARE Script Series: Automating Obfuscated String Decoding

Introduction We are expanding our script series beyond IDA Pro. This post extends the FireEye Labs Advanced Reverse Engineering FLARE script series to an invaluable tool for the reverse engineer – the debugger. Just like IDA Pro, debuggers have scripting interfaces. For example, OllyDbg uses an...

6.5AI score
Exploits0
FireEye
FireEye
added 2020/07/16 12:0 a.m.45 views

capa: Automatically Identify Malware Capabilities

capa is the FLARE team’s newest open-source tool for analyzing malicious programs. Our tool provides a framework for the community to encode, recognize, and share behaviors that we’ve seen in malware. Regardless of your background, when you use capa, you invoke decades of cumulative reverse...

7.4AI score
Exploits0References14
FireEye
FireEye
added 2017/08/22 2:0 p.m.45 views

Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit

Exploit kit EK activity has been on the decline ever since Angler Exploit Kit was shut down in 2016. Fewer people using Internet Explorer and a drop in browser support for Adobe Flash – two primary targets of many exploit kits – have also contributed to this decline. Additionally, some popular...

9.3CVSS9AI score0.94996EPSS
Exploits50References15
FireEye
FireEye
added 2016/08/18 8:0 a.m.45 views

WMI vs. WMI: Monitoring for Malicious Activity

Hello my name is: WMI WMI has been a core component of Windows since Windows 98, but it is not exactly old wine in a new bottle. WMI more closely resembles that bottle of ‘61 Bordeaux wine that continues to impress us as it ages and matures. WMI was developed as Microsoft’s interpretation of...

0.2AI score
Exploits0
FireEye
FireEye
added 2021/09/08 2:0 p.m.44 views

Pro-PRC Influence Campaign Expands to Dozens of Social Media Platforms, Websites, and Forums in at Least Seven Languages, Attempted to Physically Mobilize Protesters in the U.S.

In June 2019, Mandiant Threat Intelligence first reported to customers a pro-People’s Republic of China PRC network of hundreds of inauthentic accounts on Twitter, Facebook, and YouTube, that was at that time primarily focused on discrediting pro-democracy protests in Hong Kong. Since then, the...

6.9AI score
Exploits0References8
FireEye
FireEye
added 2017/04/06 3:0 p.m.44 views

APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat

APT10 Background APT10 MenuPass Group is a Chinese cyber espionage group that FireEye has tracked since 2009. They have historically targeted construction and engineering, aerospace, and telecom firms, and governments in the United States, Europe, and Japan. We believe that the targeting of these...

7.2AI score
Exploits0
FireEye
FireEye
added 2017/01/04 2:2 p.m.44 views

FLARE Script Series: Querying Dynamic State using the FireEye Labs Query-Oriented Debugger (flare-qdb)

Introduction This post continues the FireEye Labs Advanced Reverse Engineering FLARE script series. Here, we introduce flare-qdb, a command-line utility and Python module based on vivisect for querying and altering dynamic binary state conveniently, iteratively, and at scale. flare-qdb works on...

7.2CVSS7.8AI score0.24554EPSS
Exploits10References4
FireEye
FireEye
added 2016/07/18 8:0 a.m.44 views

Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection

Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a ransom is paid. Accessibility of cryptocurrency such as Bitcoin has directly contributed to this ransomware model. Based on...

0.3AI score
Exploits0
FireEye
FireEye
added 2017/03/27 8:0 a.m.43 views

APT29 Domain Fronting With TOR

Mandiant has observed Russian nation-state attackers APT29 employing domain fronting techniques for stealthy backdoor access to victim environments for at least two years. There has been considerable discussion about domain fronting following the release of a paper detailing these techniques...

0.4AI score
Exploits0
FireEye
FireEye
added 2020/11/22 12:0 a.m.42 views

Election Cyber Threats in the Asia-Pacific Region

In democratic societies, elections are the mechanism for choosing heads of state and policymakers. There are strong incentives for adversary nations to understand the intentions and preferences of the people and parties that will shape a country's future path and to reduce uncertainty about likel...

1AI score
Exploits0References3
FireEye
FireEye
added 2020/08/26 12:0 a.m.42 views

Emulation of Malicious Shellcode With Speakeasy

In order to enable emulation of malware samples at scale, we have developed the Speakeasy emulation framework. Speakeasy aims to make it as easy as possible for users who are not malware analysts to acquire triage reports in an automated way, as well as enabling reverse engineers to write custom...

0.7AI score
Exploits0References2
FireEye
FireEye
added 2017/05/04 12:30 p.m.42 views

Dridex and Locky Return Via PDF Attachments in Latest Campaigns

Dridex and Locky, two prolific malware families that made waves in 2016 after being distributed in several high-volume spam campaigns, have returned after a brief hiatus. FireEye observed a decline in the volume of Dridex and Locky in the latter half of 2016, but we recently observed two new larg...

0.4AI score
Exploits0
FireEye
FireEye
added 2016/11/04 4:53 p.m.42 views

2016 Flare-On Challenge Solutions

I would like to thank the challenge authors this year: 1. Alexander Rich 2. Matt Williams @0xmwilliams 3. Dominik Weber 4. James T. Bennett @jtbennettjr 5. Tyler Dean 6. Josh Homan 7. Alex Berry 8. Nick Harbour @nickharbour 9. Jon Erickson @2130706433 10. FireEye Labs Advanced Vulnerability...

0.7AI score
Exploits0
FireEye
FireEye
added 2016/10/07 8:0 a.m.41 views

Increased Use of WMI for Environment Detection and Evasion

Introduction Throughout the past few months, FireEye Labs has observed an increased use of Windows Management Instrumentation WMI queries for environment detection and evasion of dynamic analysis and virtualization engines. WMI provides high-level interaction with Windows objects using C/C++,...

7.4AI score
Exploits0
FireEye
FireEye
added 2016/04/26 12:30 p.m.41 views

RuMMS: The Latest Family of Android Malware Attacking Users in Russia Via SMS Phishing

Introduction Recently we observed an Android malware family being used to attack users in Russia. The malware samples were mainly distributed through a series of malicious subdomains registered under a legitimate domain belonging to a well-known shared hosting service provider in Russia. Because...

7.8AI score
Exploits0
FireEye
FireEye
added 2016/03/25 8:0 a.m.41 views

Surge in Spam Campaign Delivering Locky Ransomware Downloaders

FireEye Labs is detecting a significant spike in Locky ransomware downloaders due to a pair of concurrent email spam campaigns impacting users in over 50 countries. Some of the top affected countries are depicted in Figure 1. Figure 1. Affected countries As seen in Figure 2, the steep spike start...

0.3AI score
Exploits0
FireEye
FireEye
added 2018/11/19 5:0 p.m.40 views

Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign

Introduction FireEye devices detected intrusion attempts against multiple industries, including think tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government, and defense contracting. The attempts involved a phishing email appearing to be from the...

0.1AI score
Exploits0
FireEye
FireEye
added 2018/04/23 3:0 p.m.40 views

Loading Kernel Shellcode

In the wake of recent hacking tool dumps, the FLARE team saw a spike in malware samples detonating kernel shellcode. Although most samples can be analyzed statically, the FLARE team sometimes debugs these samples to confirm specific functionality. Debugging can be an efficient way to get around...

7.6AI score
Exploits0References11
FireEye
FireEye
added 2017/04/24 10:30 a.m.40 views

FIN7 Evolution and the Phishing LNK

FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as “Carbanak Group”, although we do not equate all usage of the CARBANAK backdoor with FIN7. FireEye recently observed a FIN7 spear phishin...

0.2AI score
Exploits0
FireEye
FireEye
added 2017/03/14 8:0 a.m.40 views

M-Trends 2017: A View From the Front Lines

Every year Mandiant responds to a large number of cyber attacks, and 2016 was no exception. For our M-Trends 2017 report, we took a look at the incidents we investigated last year and provided a global and regional the Americas, APAC and EMEA analysis focused on attack trends, and defensive and...

7.2AI score
Exploits0
FireEye
FireEye
added 2016/03/18 12:30 p.m.40 views

GongDa vs. Korean News

On Jan. 27, we observed visitors to a Korean news site being redirected to the GongDa Exploit Kit EK, potentially exposing them to malware infection. We will be referring to this site as KNS. GongDa is an exploit kit that can compromise vulnerable endpoints by use of exploits, allowing harmful...

9.3CVSS9.7AI score0.94996EPSS
Exploits39References2
FireEye
FireEye
added 2021/09/15 1:0 p.m.39 views

ELFant in the Room – capa v3

Since our initial public release of capa, incident responders and reverse engineers have used the tool to automatically identify capabilities in Windows executables. With our newest code and ruleset updates, capa v3 also identifies capabilities in Executable and Linkable Format ELF files, such as...

0.1AI score
Exploits0References10
Total number of security vulnerabilities545