Lucene search
+L
FireeyeMost viewed

545 matches found

FireEye
FireEye
added 2019/03/20 3:45 p.m.29 views

SilkETW: Because Free Telemetry is … Free!

Over time people have had an on-again, off-again interest in Event Tracing for Windows ETW. ETW, first introduced in Windows 2000, is a lightweight Kernel level tracing facility that was originally intended for debugging, diagnostics and performance. Gradually, however, defenders realized that ET...

0.1AI score
Exploits0References11
FireEye
FireEye
added 2018/10/23 11:0 a.m.29 views

TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers

Overview In a previous blog post we detailed the TRITON intrusion that impacted industrial control systems ICS at a critical infrastructure facility. We now track this activity set as TEMP.Veles. In this blog post we provide additional information linking TEMP.Veles and their activity surrounding...

0.3AI score
Exploits0
FireEye
FireEye
added 2017/07/27 8:0 p.m.29 views

Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science

Many attackers continue to leverage PowerShell as a part of their malware ecosystem, mostly delivered and executed by malicious binaries and documents. Of malware that uses PowerShell, the most prevalent use is the garden-variety stager: an executable or document macro that launches PowerShell to...

1.2AI score
Exploits0
FireEye
FireEye
added 2017/06/12 11:0 a.m.29 views

Behind the CARBANAK Backdoor

In this blog, we will take a closer look at the powerful, versatile backdoor known as CARBANAK aka Anunak. Specifically, we will focus on the operational details of its use over the past few years, including its configuration, the minor variations observed from sample to sample, and its evolution...

7.6AI score
Exploits0
FireEye
FireEye
added 2017/03/07 9:0 a.m.29 views

FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings

In late February 2017, FireEye as a Service FaaS identified a spear phishing campaign that appeared to be targeting personnel involved with United States Securities and Exchange Commission SEC filings at various organizations. Based on multiple identified overlaps in infrastructure and the use of...

0.4AI score
Exploits0
FireEye
FireEye
added 2016/10/07 8:0 a.m.29 views

Increased Use of WMI for Environment Detection and Evasion

Introduction Throughout the past few months, FireEye Labs has observed an increased use of Windows Management Instrumentation WMI queries for environment detection and evasion of dynamic analysis and virtualization engines. WMI provides high-level interaction with Windows objects using C/C++,...

0.2AI score
Exploits0
FireEye
FireEye
added 2016/08/24 7:0 p.m.29 views

M-Trends Asia Pacific: Organizations Must Improve at Detecting and Responding to Breaches

Since 2010, Mandiant, a FireEye company, has presented trends, statistics and case studies of some of the largest and most sophisticated cyber attacks. In February 2016, we released our annual global M-Trends® report based on data from the breaches we responded to in 2015. Now, we are releasing...

1.9AI score
Exploits0
FireEye
FireEye
added 2016/06/28 5:0 a.m.29 views

The Latest Android Overlay Malware Spreading via SMS Phishing in Europe

Introduction In April 2016, while investigating a Smishing campaign dubbed RuMMS that involved the targeting of Android users in Russia, we also noticed three similar Smishing campaigns reportedly spreading in Denmark February 2016, in Italy February 2016, and in both Denmark and Italy April 2016...

7.2AI score
Exploits0
FireEye
FireEye
added 2020/07/13 12:0 a.m.28 views

SCANdalous! (External Detection Using Network Scan Data and Automation)

Real Quick In case you’re thrown by that fantastic title, our lawyers made us change the name of this project so we wouldn’t get sued. SCANdalous—a.k.a. Scannah Montana a.k.a. Scanny McScanface a.k.a. “Scan I Kick It? Yes You Scan”—had another name before today that, for legal reasons, we’re...

7AI score
Exploits0References10
FireEye
FireEye
added 2019/09/07 5:0 p.m.28 views

Open Sourcing StringSifter

Malware analysts routinely use the Strings program during static analysis in order to inspect a binary's printable characters. However, identifying relevant strings by hand is time consuming and prone to human error. Larger binaries produce upwards of thousands of strings that can quickly evoke...

0.4AI score
Exploits0References12
FireEye
FireEye
added 2019/08/08 8:45 p.m.28 views

Finding Evil in Windows 10 Compressed Memory, Part Three: Automating Undocumented Structure Extraction

This is the final post in the three-part series: Finding Evil in Windows 10 Compressed Memory. In the first post Volatility and Rekall Tools, the FLARE team introduced updates to both memory forensic toolkits. These updates enabled these open source tools to analyze previously inaccessible...

6.9AI score
Exploits0References8
FireEye
FireEye
added 2019/02/28 4:30 p.m.28 views

FLARE Script Series: Recovering Stackstrings Using Emulation with ironstrings

This blog post continues our Script Series where the FireEye Labs Advanced Reverse Engineering FLARE team shares tools to aid the malware analysis community. Today, we release ironstrings: a new IDAPython script to recover stackstrings from malware. The script leverages code emulation to overcome...

6.9AI score
Exploits0References11
FireEye
FireEye
added 2017/03/31 10:15 a.m.28 views

Introducing Monitor.app for macOS

As a malware analyst or systems programmer, having a suite of solid dynamic analysis tools is vital to being quick and effective. These tools enable us to understand malware capabilities and undocumented components of the operating system. One obvious tool that comes to mind is Procmon from the...

0.2AI score
Exploits0
FireEye
FireEye
added 2017/03/08 12:15 p.m.28 views

Introduction to Reverse Engineering Cocoa Applications

While not as common as Windows malware, there has been a steady stream of malware discovered over the years that runs on the OS X operating system, now rebranded as macOS. February saw three particularly interesting publications on the topic of macOS malware: a Trojan Cocoa application that sends...

0.6AI score
Exploits0
FireEye
FireEye
added 2016/11/04 4:53 p.m.28 views

2016 Flare-On Challenge Solutions

I would like to thank the challenge authors this year: 1. Alexander Rich 2. Matt Williams @0xmwilliams 3. Dominik Weber 4. James T. Bennett @jtbennettjr 5. Tyler Dean 6. Josh Homan 7. Alex Berry 8. Nick Harbour @nickharbour 9. Jon Erickson @2130706433 10. FireEye Labs Advanced Vulnerability...

6.7AI score
Exploits0
FireEye
FireEye
added 2016/06/23 9:0 a.m.28 views

Automatically Extracting Obfuscated Strings from Malware using the FireEye Labs Obfuscated String Solver (FLOSS)

Introduction and Motivation Have you ever run strings.exe on a malware executable and its output provided you with IP addresses, file names, registry keys, and other indicators of compromise IOCs? Great! No need to run further analysis or hire expensive experts to determine if a file is malicious...

6.9AI score
Exploits0
FireEye
FireEye
added 2016/06/20 8:0 a.m.28 views

Resurrection of the Evil Miner

At FireEye Labs, we recently detected the resurgence of a coin mining campaign with a novel and unconventional infection vector in the form of an iFRAME inline frame – an HTML document embedded inside another HTML document on a web page that allows users to get content from another separate sourc...

7.2AI score
Exploits0
FireEye
FireEye
added 2016/01/28 8:0 a.m.28 views

CenterPOS: An Evolving POS Threat

Introduction There has been no shortage of point-of-sale POS threats in the past couple of years. This type of malicious software has gained widespread notoriety in recent time due to its use in high-profile breaches, some of which involved well-known brick and mortar retailers and led to the...

0.3AI score
Exploits0
FireEye
FireEye
added 2015/11/16 1:0 p.m.28 views

Pinpointing Targets: Exploiting Web Analytics to Ensnare Victims

Over the past year, FireEye Threat Intelligence has identified suspected nation-state sponsored cyber-actors engaged in a large-scale reconnaissance effort. This effort makes use of web analytics—the technologies to collect, analyze, and report data The individuals behind this activity have amass...

0.3AI score
Exploits0
FireEye
FireEye
added 2019/10/09 9:30 p.m.27 views

Living off the Orchard: Leveraging Apple Remote Desktop for Good and Evil

Attackers often make their lives easier by relying on pre-existing operating system and third party applications in an enterprise environment. Leveraging these applications assists them with blending in with normal network activity and removes the need to develop or bring their own malware. This...

0.1AI score
Exploits0References13
FireEye
FireEye
added 2018/08/08 2:45 p.m.27 views

BIOS Boots What? Finding Evil in Boot Code at Scale!

Malware continues to take advantage of a legacy component of modern systems designed in the 1980s. Despite the cyber threat landscape continuing to evolve at an ever-increasing pace, the exploitation of the classic BIOS boot process is still very much a threat to enterprises around the world...

0.3AI score
Exploits0References7
FireEye
FireEye
added 2017/06/12 11:0 a.m.27 views

Behind the CARBANAK Backdoor

In this blog, we will take a closer look at the powerful, versatile backdoor known as CARBANAK aka Anunak. Specifically, we will focus on the operational details of its use over the past few years, including its configuration, the minor variations observed from sample to sample, and its evolution...

0.3AI score
Exploits0
FireEye
FireEye
added 2017/04/26 8:0 a.m.27 views

Evolving Analytics for Execution Trace Data

Five years ago, Mandiant released a proof of concept tool named ShimCacheParser, along with a blog post titled “Leveraging the Application Compatibility Cache in Forensic Investigations”. Since then, ShimCache metadata has become increasingly popular as a source of forensic evidence, both for...

7AI score
Exploits0
FireEye
FireEye
added 2017/03/08 12:15 p.m.27 views

Introduction to Reverse Engineering Cocoa Applications

While not as common as Windows malware, there has been a steady stream of malware discovered over the years that runs on the OS X operating system, now rebranded as macOS. February saw three particularly interesting publications on the topic of macOS malware: a Trojan Cocoa application that sends...

7.1AI score
Exploits0
FireEye
FireEye
added 2016/06/20 12:0 p.m.27 views

Resurrection of the Evil Miner

At FireEye Labs, we recently detected the resurgence of a coin mining campaign with a novel and unconventional infection vector in the form of an iFRAME inline frame – an HTML document embedded inside another HTML document on a web page that allows users to get content from another separate sourc...

7.2AI score
Exploits0References1
FireEye
FireEye
added 2016/03/21 12:30 p.m.27 views

Stop Scanning My Macro

FireEye Labs detected an interesting evasion strategy in two recent, large Dridex campaigns. These campaigns changed the attachment file-type and location of malicious logic in an attempt to avoid scanners. Overview Both campaigns used an invoice theme and came from a wide variety of sending...

7AI score
Exploits0
FireEye
FireEye
added 2016/08/12 10:0 a.m.26 views

Analyzing the Malware Analysts – Inside FireEye’s FLARE Team

At the Black Hat USA 2016 conference in Las Vegas last week, I was fortunate to sit down with Michael Sikorski, Director, FireEye Labs Advanced Reverse Engineering FLARE Team. During our conversation we discussed the origin of the FLARE team, what it takes to analyze malware, Michael’s book...

1.1AI score
Exploits0
FireEye
FireEye
added 2016/06/07 12:0 p.m.26 views

Rotten Apples: Apple-like Malicious Phishing Domains

At FireEye Labs we have an automated system designed to proactively detect newly registered malicious domains. This system observed some phishing domains registered in the first quarter of 2016 that were designed to appear as legitimate Apple domains. These phony Apple domains were involved in...

6.7AI score
Exploits0References3
FireEye
FireEye
added 2016/04/20 8:0 p.m.26 views

Follow The Money: Dissecting the Operations of the Cyber Crime Group FIN6

Cybercrime operations can be intricate and elaborate, with careful planning needed to navigate the various obstacles separating an attacker from a payout. Yet reports on these operations are often fragmentary, as the full scope of attacker activity typically occurs beyond the view of any one grou...

0.1AI score
Exploits0
FireEye
FireEye
added 2016/02/11 7:53 a.m.26 views

Greater Visibility Through PowerShell Logging

UPDATE Feb. 29: This post has been updated with new configuration recommendations due to the Feb. 24 rerelease of PowerShell 5, and now includes a link to a parsing script that users may find valuable. Introduction Mandiant is continuously investigating attacks that leverage PowerShell throughout...

0.8AI score
Exploits0
FireEye
FireEye
added 2015/12/07 8:0 a.m.26 views

Thriving Beyond The Operating System: Financial Threat Group Targets Volume Boot Record

In September, Mandiant Consulting identified a financially motivated threat group targeting payment card data using sophisticated malware that executes before the operating system boots. This rarely seen technique, referred to as a ‘bootkit’, infects lower-level system components making it very...

0.3AI score
Exploits0
FireEye
FireEye
added 2020/08/06 12:0 a.m.25 views

Bypassing MassLogger Anti-Analysis — a Man-in-the-Middle Approach

The FireEye Front Line Applied Research & Expertise FLARE Team attempts to always stay on top of the most current and emerging threats. As a member of the FLARE Reverse Engineer team, I recently received a request to analyze a fairly new credential stealer identified as MassLogger. Despite the la...

0.1AI score
Exploits0References22
FireEye
FireEye
added 2020/03/27 7:0 p.m.25 views

Social Engineering Based on Stimulus Bill and COVID-19 Financial Compensation Schemes Expected to Grow in Coming Weeks

Given the community interest and media coverage surrounding the economic stimulus bill currently being considered by the United States House of Representatives, we anticipate attackers will increasingly leverage lures tailored to the new stimulus bill and related recovery efforts such as stimulus...

Exploits0References1
FireEye
FireEye
added 2020/03/17 12:0 a.m.25 views

Six Facts about Address Space Layout Randomization on Windows

Overcoming address space layout randomization ASLR is a precondition of virtually all modern memory corruption vulnerabilities. Breaking ASLR is an area of active research and can get incredibly complicated. This blog post presents some basic facts about ASLR, focusing on the Windows...

0.6AI score
Exploits0References9
FireEye
FireEye
added 2017/06/30 7:0 p.m.25 views

Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques

Throughout 2017 we have observed a marked increase in the use of command line evasion and obfuscation by a range of targeted attackers. Cyber espionage groups and financial threat actors continue to adopt the latest cutting-edge application whitelisting bypass techniques and introduce innovative...

7.2AI score
Exploits0
FireEye
FireEye
added 2016/08/03 8:0 a.m.25 views

Overload: Critical Lessons from 15 Years of ICS Vulnerabilities

In the past several years, a flood of vulnerabilities has hit industrial control systems ICS – the technological backbone of electric grids, water supplies, and production lines. These vulnerabilities affect the reliable operation of sensors, programmable controllers, software and networking...

6.8AI score
Exploits0
FireEye
FireEye
added 2021/04/13 12:0 a.m.24 views

M-Trends 2021: A View From the Front Lines

We are thrilled to launch M-Trends 2021, the 12th edition of our annual FireEye Mandiant publication. The past year has been unique, as we witnessed an unprecedented combination of global events. Business operations shifted in response to the worldwide pandemic and threat actors continued to...

0.6AI score
Exploits0References5
FireEye
FireEye
added 2020/04/07 4:0 p.m.24 views

Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation

This blog post continues the FLARE script series with a discussion of patching IDA Pro database files IDBs to interactively emulate code. While the fastest way to analyze or unpack malware is often to run it, malware won’t always successfully execute in a VM. I use IDA Pro’s Bochs integration in...

7.7AI score
Exploits0References7
FireEye
FireEye
added 2019/04/24 5:30 p.m.24 views

CARBANAK Week Part Three: Behind the CARBANAK Backdoor

We covered a lot of ground in Part One and Part Two of our CARBANAK Week blog series. Now let's take a look back at some of our previous analysis and see how it holds up. In June 2017, we published a blog post sharing novel information about the CARBANAK backdoor, including technical details, int...

7.4AI score
Exploits0References8
FireEye
FireEye
added 2018/04/24 3:0 p.m.24 views

Metamorfo Campaigns Targeting Brazilian Users

FireEye Labs recently identified several widespread malspam malware spam campaigns targeting Brazilian companies with the goal of delivering banking Trojans. We are referring to these campaigns as Metamorfo. Across the stages of these campaigns, we have observed the use of several tactics and...

7.3AI score
Exploits0References2
FireEye
FireEye
added 2017/09/19 8:15 p.m.24 views

Introducing pywintrace: A Python Wrapper for ETW

Introduction Event tracing for Windows ETW is a lightweight logging facility first introduced with Windows 2000. Originally intended as a software diagnostic, troubleshooting and performance monitoring tool, it was greatly expanded in Windows Vista to create a lightweight debugging mechanism. The...

6.7AI score
Exploits0References8
FireEye
FireEye
added 2017/09/18 9:0 p.m.24 views

rVMI: Perform Full System Analysis with Ease

Manual dynamic analysis is an important concept. It enables us to observe the behavior of a sophisticated malware sample or exploit by executing it in a controlled environment. The information gathered through this process is often crucial in gaining a full understanding of a sample. When...

7.1AI score
Exploits0
FireEye
FireEye
added 2017/07/27 8:0 p.m.24 views

Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science

Many attackers continue to leverage PowerShell as a part of their malware ecosystem, mostly delivered and executed by malicious binaries and documents. Of malware that uses PowerShell, the most prevalent use is the garden-variety stager: an executable or document macro that launches PowerShell to...

6.8AI score
Exploits0
FireEye
FireEye
added 2017/06/16 8:0 a.m.24 views

FIN10: Anatomy of a Cyber Extortion Operation

FireEye has identified a set of financially motivated intrusion operations being carried out by a threat actor we have dubbed FIN10. FIN10 is known for compromising networks, stealing sensitive data, and directly engaging victim executives and board members in an attempt to extort them into payin...

3.3AI score
Exploits0
FireEye
FireEye
added 2017/04/17 8:30 a.m.24 views

Writing a libemu/Unicorn Compatability Layer

In this post we are going to take a quick look at what it takes to write a libemu compatibility layer for the Unicorn engine. In the course of this work, we will also import the libemu Win32 environment to run under Unicorn. For a bit of background, libemu is a lightweight x86 emulator written in...

6.8AI score
Exploits0
FireEye
FireEye
added 2016/10/20 8:0 a.m.24 views

Rotten Apples: Resurgence

In June 2016, we published a blog about a phishing campaign targeting the Apple IDs and passwords of Chinese Apple users that emerged in the first quarter of 2016 referred to as the “Zycode” phishing campaign. At FireEye Labs we have an automated system designed to proactively detect newly...

6.9AI score
Exploits0
FireEye
FireEye
added 2016/08/17 12:15 p.m.24 views

Locky Ransomware Distributed Via DOCM Attachments in Latest Email Campaigns

Throughout August, FireEye Labs has observed a few massive email campaigns distributing Locky ransomware. The campaigns have affected various industries, with the healthcare industry being hit the hardest based on our telemetry, as seen in Figure 1. Figure 1. Top 10 affected industries Numerous...

0.3AI score
Exploits0
FireEye
FireEye
added 2016/06/14 8:0 a.m.24 views

Pwned by Vpon

Vpon is one of many mobile ad SDKs marketed towards mainland Chinese and Taiwanese developers and app users. Recently, FireEye mobile security researchers identified a branch of Vpon ad SDK on iOS containing code that allows a malicious actor be it the app developer or the SDK creator to remotely...

0.9AI score
Exploits0
FireEye
FireEye
added 2016/04/26 8:30 a.m.24 views

RuMMS: The Latest Family of Android Malware Attacking Users in Russia Via SMS Phishing

Introduction Recently we observed an Android malware family being used to attack users in Russia. The malware samples were mainly distributed through a series of malicious subdomains registered under a legitimate domain belonging to a well-known shared hosting service provider in Russia. Because...

0.1AI score
Exploits0
FireEye
FireEye
added 2016/03/28 8:0 a.m.24 views

TREASUREHUNT: A Custom POS Malware Tool

Since early 2015, FireEye Threat Intelligence has observed the significant growth of point-of-sale POS malware families in underground cyber crime forums. POS malware refers to malicious software that extracts payment card information from memory and usually uploads that data to a command and...

7.5AI score
Exploits0
Total number of security vulnerabilities545