545 matches found
SilkETW: Because Free Telemetry is … Free!
Over time people have had an on-again, off-again interest in Event Tracing for Windows ETW. ETW, first introduced in Windows 2000, is a lightweight Kernel level tracing facility that was originally intended for debugging, diagnostics and performance. Gradually, however, defenders realized that ET...
TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers
Overview In a previous blog post we detailed the TRITON intrusion that impacted industrial control systems ICS at a critical infrastructure facility. We now track this activity set as TEMP.Veles. In this blog post we provide additional information linking TEMP.Veles and their activity surrounding...
Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science
Many attackers continue to leverage PowerShell as a part of their malware ecosystem, mostly delivered and executed by malicious binaries and documents. Of malware that uses PowerShell, the most prevalent use is the garden-variety stager: an executable or document macro that launches PowerShell to...
Behind the CARBANAK Backdoor
In this blog, we will take a closer look at the powerful, versatile backdoor known as CARBANAK aka Anunak. Specifically, we will focus on the operational details of its use over the past few years, including its configuration, the minor variations observed from sample to sample, and its evolution...
FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings
In late February 2017, FireEye as a Service FaaS identified a spear phishing campaign that appeared to be targeting personnel involved with United States Securities and Exchange Commission SEC filings at various organizations. Based on multiple identified overlaps in infrastructure and the use of...
Increased Use of WMI for Environment Detection and Evasion
Introduction Throughout the past few months, FireEye Labs has observed an increased use of Windows Management Instrumentation WMI queries for environment detection and evasion of dynamic analysis and virtualization engines. WMI provides high-level interaction with Windows objects using C/C++,...
M-Trends Asia Pacific: Organizations Must Improve at Detecting and Responding to Breaches
Since 2010, Mandiant, a FireEye company, has presented trends, statistics and case studies of some of the largest and most sophisticated cyber attacks. In February 2016, we released our annual global M-Trends® report based on data from the breaches we responded to in 2015. Now, we are releasing...
The Latest Android Overlay Malware Spreading via SMS Phishing in Europe
Introduction In April 2016, while investigating a Smishing campaign dubbed RuMMS that involved the targeting of Android users in Russia, we also noticed three similar Smishing campaigns reportedly spreading in Denmark February 2016, in Italy February 2016, and in both Denmark and Italy April 2016...
SCANdalous! (External Detection Using Network Scan Data and Automation)
Real Quick In case you’re thrown by that fantastic title, our lawyers made us change the name of this project so we wouldn’t get sued. SCANdalous—a.k.a. Scannah Montana a.k.a. Scanny McScanface a.k.a. “Scan I Kick It? Yes You Scan”—had another name before today that, for legal reasons, we’re...
Open Sourcing StringSifter
Malware analysts routinely use the Strings program during static analysis in order to inspect a binary's printable characters. However, identifying relevant strings by hand is time consuming and prone to human error. Larger binaries produce upwards of thousands of strings that can quickly evoke...
Finding Evil in Windows 10 Compressed Memory, Part Three: Automating Undocumented Structure Extraction
This is the final post in the three-part series: Finding Evil in Windows 10 Compressed Memory. In the first post Volatility and Rekall Tools, the FLARE team introduced updates to both memory forensic toolkits. These updates enabled these open source tools to analyze previously inaccessible...
FLARE Script Series: Recovering Stackstrings Using Emulation with ironstrings
This blog post continues our Script Series where the FireEye Labs Advanced Reverse Engineering FLARE team shares tools to aid the malware analysis community. Today, we release ironstrings: a new IDAPython script to recover stackstrings from malware. The script leverages code emulation to overcome...
Introducing Monitor.app for macOS
As a malware analyst or systems programmer, having a suite of solid dynamic analysis tools is vital to being quick and effective. These tools enable us to understand malware capabilities and undocumented components of the operating system. One obvious tool that comes to mind is Procmon from the...
Introduction to Reverse Engineering Cocoa Applications
While not as common as Windows malware, there has been a steady stream of malware discovered over the years that runs on the OS X operating system, now rebranded as macOS. February saw three particularly interesting publications on the topic of macOS malware: a Trojan Cocoa application that sends...
2016 Flare-On Challenge Solutions
I would like to thank the challenge authors this year: 1. Alexander Rich 2. Matt Williams @0xmwilliams 3. Dominik Weber 4. James T. Bennett @jtbennettjr 5. Tyler Dean 6. Josh Homan 7. Alex Berry 8. Nick Harbour @nickharbour 9. Jon Erickson @2130706433 10. FireEye Labs Advanced Vulnerability...
Automatically Extracting Obfuscated Strings from Malware using the FireEye Labs Obfuscated String Solver (FLOSS)
Introduction and Motivation Have you ever run strings.exe on a malware executable and its output provided you with IP addresses, file names, registry keys, and other indicators of compromise IOCs? Great! No need to run further analysis or hire expensive experts to determine if a file is malicious...
Resurrection of the Evil Miner
At FireEye Labs, we recently detected the resurgence of a coin mining campaign with a novel and unconventional infection vector in the form of an iFRAME inline frame – an HTML document embedded inside another HTML document on a web page that allows users to get content from another separate sourc...
CenterPOS: An Evolving POS Threat
Introduction There has been no shortage of point-of-sale POS threats in the past couple of years. This type of malicious software has gained widespread notoriety in recent time due to its use in high-profile breaches, some of which involved well-known brick and mortar retailers and led to the...
Pinpointing Targets: Exploiting Web Analytics to Ensnare Victims
Over the past year, FireEye Threat Intelligence has identified suspected nation-state sponsored cyber-actors engaged in a large-scale reconnaissance effort. This effort makes use of web analytics—the technologies to collect, analyze, and report data The individuals behind this activity have amass...
Living off the Orchard: Leveraging Apple Remote Desktop for Good and Evil
Attackers often make their lives easier by relying on pre-existing operating system and third party applications in an enterprise environment. Leveraging these applications assists them with blending in with normal network activity and removes the need to develop or bring their own malware. This...
BIOS Boots What? Finding Evil in Boot Code at Scale!
Malware continues to take advantage of a legacy component of modern systems designed in the 1980s. Despite the cyber threat landscape continuing to evolve at an ever-increasing pace, the exploitation of the classic BIOS boot process is still very much a threat to enterprises around the world...
Behind the CARBANAK Backdoor
In this blog, we will take a closer look at the powerful, versatile backdoor known as CARBANAK aka Anunak. Specifically, we will focus on the operational details of its use over the past few years, including its configuration, the minor variations observed from sample to sample, and its evolution...
Evolving Analytics for Execution Trace Data
Five years ago, Mandiant released a proof of concept tool named ShimCacheParser, along with a blog post titled “Leveraging the Application Compatibility Cache in Forensic Investigations”. Since then, ShimCache metadata has become increasingly popular as a source of forensic evidence, both for...
Introduction to Reverse Engineering Cocoa Applications
While not as common as Windows malware, there has been a steady stream of malware discovered over the years that runs on the OS X operating system, now rebranded as macOS. February saw three particularly interesting publications on the topic of macOS malware: a Trojan Cocoa application that sends...
Resurrection of the Evil Miner
At FireEye Labs, we recently detected the resurgence of a coin mining campaign with a novel and unconventional infection vector in the form of an iFRAME inline frame – an HTML document embedded inside another HTML document on a web page that allows users to get content from another separate sourc...
Stop Scanning My Macro
FireEye Labs detected an interesting evasion strategy in two recent, large Dridex campaigns. These campaigns changed the attachment file-type and location of malicious logic in an attempt to avoid scanners. Overview Both campaigns used an invoice theme and came from a wide variety of sending...
Analyzing the Malware Analysts – Inside FireEye’s FLARE Team
At the Black Hat USA 2016 conference in Las Vegas last week, I was fortunate to sit down with Michael Sikorski, Director, FireEye Labs Advanced Reverse Engineering FLARE Team. During our conversation we discussed the origin of the FLARE team, what it takes to analyze malware, Michael’s book...
Rotten Apples: Apple-like Malicious Phishing Domains
At FireEye Labs we have an automated system designed to proactively detect newly registered malicious domains. This system observed some phishing domains registered in the first quarter of 2016 that were designed to appear as legitimate Apple domains. These phony Apple domains were involved in...
Follow The Money: Dissecting the Operations of the Cyber Crime Group FIN6
Cybercrime operations can be intricate and elaborate, with careful planning needed to navigate the various obstacles separating an attacker from a payout. Yet reports on these operations are often fragmentary, as the full scope of attacker activity typically occurs beyond the view of any one grou...
Greater Visibility Through PowerShell Logging
UPDATE Feb. 29: This post has been updated with new configuration recommendations due to the Feb. 24 rerelease of PowerShell 5, and now includes a link to a parsing script that users may find valuable. Introduction Mandiant is continuously investigating attacks that leverage PowerShell throughout...
Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record
In September, Mandiant Consulting identified a financially motivated threat group targeting payment card data using sophisticated malware that executes before the operating system boots. This rarely seen technique, referred to as a ‘bootkit’, infects lower-level system components making it very...
Bypassing MassLogger Anti-Analysis — a Man-in-the-Middle Approach
The FireEye Front Line Applied Research & Expertise FLARE Team attempts to always stay on top of the most current and emerging threats. As a member of the FLARE Reverse Engineer team, I recently received a request to analyze a fairly new credential stealer identified as MassLogger. Despite the la...
Social Engineering Based on Stimulus Bill and COVID-19 Financial Compensation Schemes Expected to Grow in Coming Weeks
Given the community interest and media coverage surrounding the economic stimulus bill currently being considered by the United States House of Representatives, we anticipate attackers will increasingly leverage lures tailored to the new stimulus bill and related recovery efforts such as stimulus...
Six Facts about Address Space Layout Randomization on Windows
Overcoming address space layout randomization ASLR is a precondition of virtually all modern memory corruption vulnerabilities. Breaking ASLR is an area of active research and can get incredibly complicated. This blog post presents some basic facts about ASLR, focusing on the Windows...
Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques
Throughout 2017 we have observed a marked increase in the use of command line evasion and obfuscation by a range of targeted attackers. Cyber espionage groups and financial threat actors continue to adopt the latest cutting-edge application whitelisting bypass techniques and introduce innovative...
Overload: Critical Lessons from 15 Years of ICS Vulnerabilities
In the past several years, a flood of vulnerabilities has hit industrial control systems ICS – the technological backbone of electric grids, water supplies, and production lines. These vulnerabilities affect the reliable operation of sensors, programmable controllers, software and networking...
M-Trends 2021: A View From the Front Lines
We are thrilled to launch M-Trends 2021, the 12th edition of our annual FireEye Mandiant publication. The past year has been unique, as we witnessed an unprecedented combination of global events. Business operations shifted in response to the worldwide pandemic and threat actors continued to...
Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation
This blog post continues the FLARE script series with a discussion of patching IDA Pro database files IDBs to interactively emulate code. While the fastest way to analyze or unpack malware is often to run it, malware won’t always successfully execute in a VM. I use IDA Pro’s Bochs integration in...
CARBANAK Week Part Three: Behind the CARBANAK Backdoor
We covered a lot of ground in Part One and Part Two of our CARBANAK Week blog series. Now let's take a look back at some of our previous analysis and see how it holds up. In June 2017, we published a blog post sharing novel information about the CARBANAK backdoor, including technical details, int...
Metamorfo Campaigns Targeting Brazilian Users
FireEye Labs recently identified several widespread malspam malware spam campaigns targeting Brazilian companies with the goal of delivering banking Trojans. We are referring to these campaigns as Metamorfo. Across the stages of these campaigns, we have observed the use of several tactics and...
Introducing pywintrace: A Python Wrapper for ETW
Introduction Event tracing for Windows ETW is a lightweight logging facility first introduced with Windows 2000. Originally intended as a software diagnostic, troubleshooting and performance monitoring tool, it was greatly expanded in Windows Vista to create a lightweight debugging mechanism. The...
rVMI: Perform Full System Analysis with Ease
Manual dynamic analysis is an important concept. It enables us to observe the behavior of a sophisticated malware sample or exploit by executing it in a controlled environment. The information gathered through this process is often crucial in gaining a full understanding of a sample. When...
Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science
Many attackers continue to leverage PowerShell as a part of their malware ecosystem, mostly delivered and executed by malicious binaries and documents. Of malware that uses PowerShell, the most prevalent use is the garden-variety stager: an executable or document macro that launches PowerShell to...
FIN10: Anatomy of a Cyber Extortion Operation
FireEye has identified a set of financially motivated intrusion operations being carried out by a threat actor we have dubbed FIN10. FIN10 is known for compromising networks, stealing sensitive data, and directly engaging victim executives and board members in an attempt to extort them into payin...
Writing a libemu/Unicorn Compatability Layer
In this post we are going to take a quick look at what it takes to write a libemu compatibility layer for the Unicorn engine. In the course of this work, we will also import the libemu Win32 environment to run under Unicorn. For a bit of background, libemu is a lightweight x86 emulator written in...
Rotten Apples: Resurgence
In June 2016, we published a blog about a phishing campaign targeting the Apple IDs and passwords of Chinese Apple users that emerged in the first quarter of 2016 referred to as the “Zycode” phishing campaign. At FireEye Labs we have an automated system designed to proactively detect newly...
Locky Ransomware Distributed Via DOCM Attachments in Latest Email Campaigns
Throughout August, FireEye Labs has observed a few massive email campaigns distributing Locky ransomware. The campaigns have affected various industries, with the healthcare industry being hit the hardest based on our telemetry, as seen in Figure 1. Figure 1. Top 10 affected industries Numerous...
Pwned by Vpon
Vpon is one of many mobile ad SDKs marketed towards mainland Chinese and Taiwanese developers and app users. Recently, FireEye mobile security researchers identified a branch of Vpon ad SDK on iOS containing code that allows a malicious actor be it the app developer or the SDK creator to remotely...
RuMMS: The Latest Family of Android Malware Attacking Users in Russia Via SMS Phishing
Introduction Recently we observed an Android malware family being used to attack users in Russia. The malware samples were mainly distributed through a series of malicious subdomains registered under a legitimate domain belonging to a well-known shared hosting service provider in Russia. Because...
TREASUREHUNT: A Custom POS Malware Tool
Since early 2015, FireEye Threat Intelligence has observed the significant growth of point-of-sale POS malware families in underground cyber crime forums. POS malware refers to malicious software that extracts payment card information from memory and usually uploads that data to a command and...