545 matches found
Credit Card Data and Other Information Targeted in Netflix Phishing Campaign
Introduction Through FireEye’s Email Threat Prevention ETP solution, FireEye Labs discovered a phishing campaign in the wild targeting the credit card data and other personal information of Netflix users primarily based in the United States. This campaign is interesting because of the evasion...
RIPPER ATM Malware and the 12 Million Baht Jackpot
On Aug. 23, 2016, FireEye detected a potentially new ATM malware sample that used some interesting techniques not seen before. To add more fuel to an existing fire, the sample was uploaded to VirusTotal from an IP address in Thailand a couple of minutes before the Bangkok Post newspaper reported...
Pwned by Vpon
Vpon is one of many mobile ad SDKs marketed towards mainland Chinese and Taiwanese developers and app users. Recently, FireEye mobile security researchers identified a branch of Vpon ad SDK on iOS containing code that allows a malicious actor be it the app developer or the SDK creator to remotely...
Angler Exploit Kit Evading EMET
We recently encountered some exploits from Angler Exploit Kit EK that are completely evading Microsoft’s Enhanced Mitigation Experience Toolkit EMET. This is something we are seeing for the first time in the wild, and we only observed it affecting systems running Windows 7. Angler EK uses complex...
Cerber Ransomware Partners with the Dridex Spam Distributor
Cerber ransomware incorporates the unusual feature of “speaking” its ransom message after successfully infecting a user machine and encrypting files. Cerber was first seen in the wild at the end of February 2016 and was observed being delivered mostly via exploit kits EK, notably using Magnitude...
The Dangers of Downloads: Securing Mobile Devices in 2016
In 2015, mobile malware attacks were on the rise; from 2014 to 2015 we saw an increase of 61% in the number of these attacks. Malware has a clear progression path; it starts out targeting unsuspecting users who are likely to open unknown attachments or install unknown applications. The primary...
A "DFUR-ent" Perspective on Threat Modeling and Application Log Forensic Analysis
Many organizations operating in e-commerce, hospitality, healthcare, managed services, and other service industries rely on web applications. And buried within the application logs may be the potential discovery of fraudulent use and/or compromise! But, let's face it, finding evil in application...
Excelerating Analysis, Part 2 — X[LOOKUP] Gon’ Pivot To Ya
In December 2019, we published a blog post on augmenting analysis using Microsoft Excel for various data sets for incident response investigations. As we described, investigations often include custom or proprietary log formats and miscellaneous, non-traditional forensic artifacts. There are, of...
FakeNet Genie: Improving Dynamic Malware Analysis with Cheat Codes for FakeNet-NG
As developers of the network simulation tool FakeNet-NG, reverse engineers on the FireEye FLARE team, and malware analysis instructors, we get to see how different analysts use FakeNet-NG and the challenges they face. We have learned that FakeNet-NG provides many useful features and solutions of...
STOMP 2 DIS: Brilliance in the (Visual) Basics
Throughout January 2020, FireEye has continued to observe multiple targeted phishing campaigns designed to download and deploy a backdoor we track as MINEBRIDGE. The campaigns primarily targeted financial services organizations in the United States, though targeting is likely more widespread than...
SAIGON, the Mysterious Ursnif Fork
Ursnif aka Gozi/Gozi-ISFB is one of the oldest banking malware families still in active distribution. While the first major version of Ursnif was identified in 2006, several subsequent versions have been released in large part due source code leaks. FireEye reported on a previously unidentified...
IDA, I Think It’s Time You And I Had a Talk: Controlling IDA Pro With Voice Control Software
Introduction This blog post is the next episode in the FireEye Labs Advanced Reverse Engineering FLARE team Script Series. Today, we are sharing something quite unusual. It is not a tool or a virtual machine distribution, nor is it a plugin or script for a popular reverse engineering tool or...
Head Fake: Tackling Disruptive Ransomware Attacks
Within the past several months, FireEye has observed financially-motivated threat actors employ tactics that focus on disrupting business processes by deploying ransomware in mass throughout a victim’s environment. Understanding that normal business processes are critical to organizational succes...
Finding Evil in Windows 10 Compressed Memory, Part One: Volatility and Rekall Tools
Paging all digital forensicators, incident responders, and memory manager enthusiasts! Have you ever found yourself at a client site working around the clock to extract evil from a Windows 10 image? Have you hit the wall at step zero, running into difficulties viewing a process tree, or enumerati...
FLARE Script Series: Automating Objective-C Code Analysis with Emulation
This blog post is the next episode in the FireEye Labs Advanced Reverse Engineering FLARE team Script Series. Today, we are sharing a new IDAPython library – flare-emu – powered by IDA Pro and the Unicorn emulation framework that provides scriptable emulation features for the x86, x8664, ARM, and...
Evolving Analytics for Execution Trace Data
Five years ago, Mandiant released a proof of concept tool named ShimCacheParser, along with a blog post titled “Leveraging the Application Compatibility Cache in Forensic Investigations”. Since then, ShimCache metadata has become increasingly popular as a source of forensic evidence, both for...
Still Getting Served: A Look at Recent Malvertising Campaigns Involving Exploit Kits
Malvertising occurs when an online advertising network knowingly or unknowingly serves up malicious advertisements on a website. Malvertisements are a type of “drive-by” threat that tend to result in users being infected with malware for simply visiting a website. The victims of this threat are...
Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government
Introduction FireEye recently observed a sophisticated campaign targeting individuals within the Mongolian government. Targeted individuals that enabled macros in a malicious Microsoft Word document may have been infected with Poison Ivy, a popular remote access tool RAT that has been used for...
‘One-Stop Shop’ – Phishing Domain Targets Information from Customers of Several Indian Banks
FireEye Labs recently discovered a malicious phishing domain designed to steal a variety of information – including credentials and mobile numbers – from customers of several banks in India. Currently, we have not observed this domain being used in any campaigns. The phishing websites appear to b...
Rotten Apples: Resurgence
In June 2016, we published a blog about a phishing campaign targeting the Apple IDs and passwords of Chinese Apple users that emerged in the first quarter of 2016 referred to as the “Zycode” phishing campaign. At FireEye Labs we have an automated system designed to proactively detect newly...
Operations of a Brazilian Payment Card Fraud Group
Introduction Brazil has been designated a major hub for financially motivated eCrime threat activity. Brazilian threat actors are targeting domestic and foreign entities and individuals, with frequent targeting of U.S. assets. The country routinely places in "Top Five" lists of various global cyb...
Analyzing the Malware Analysts – Inside FireEye’s FLARE Team
At the Black Hat USA 2016 conference in Las Vegas last week, I was fortunate to sit down with Michael Sikorski, Director, FireEye Labs Advanced Reverse Engineering FLARE Team. During our conversation we discussed the origin of the FLARE team, what it takes to analyze malware, Michael’s book...
Red Line Drawn: China Recalculates Its Use of Cyber Espionage
On Sept. 25, 2015, President Barack Obama and Chinese President Xi Jinping agreed that neither government would “conduct or knowingly support cyber-enabled theft of intellectual property” for an economic advantage. Some observers hailed the agreement as a game changer for U.S. and Chinese...
Angler Exploit Kit Evading EMET
We recently encountered some exploits from Angler Exploit Kit EK that are completely evading Microsoft’s Enhanced Mitigation Experience Toolkit EMET. This is something we are seeing for the first time in the wild, and we only observed it affecting systems running Windows 7. Angler EK uses complex...
Targeted Attacks against Banks in the Middle East
UPDATE Dec. 8, 2017: We now attribute this campaign to APT34, a suspected Iranian cyber espionage threat group that we believe has been active since at least 2014. Learn more about APT34 and their late 2017 targeting of a government organization in the Middle East. Introduction In the first week ...
A Cyber Revolution: Advanced Attacks Increasing in EMEA Reflect Political Tension
Financial, geopolitical and economical changes made 2015 a very busy year for the Europe, Middle East and Africa EMEA region, particularly in the cyber realm. FireEye has been monitoring these shifting cyber trends and has identified considerable evolutions to the EMEA threat landscape when...
SlemBunk Part II: Prolonged Attack Chain and Better-Organized Campaign
Introduction Our follow-up investigation of a nasty Android banking malware we identified at the tail end of last year has not only revealed that the trojan is more persistent than we initially realized – thus making for a much more dangerous threat – but that it is also being used as part of an...
FLARE IDA Pro Script Series: Automating Function Argument Extraction
...
COOKIEJAR: Tracking Adversaries With FireEye Endpoint Security’s Logon Tracker Module
During a recent investigation at a telecommunications company led by Mandiant Managed Defense, our team was tasked with rapidly identifying systems that had been accessed by a threat actor using legitimate, but compromised domain credentials. This sometimes-challenging task was made simple becaus...
FIDL: FLARE’s IDA Decompiler Library
IDA Pro and the Hex Rays decompiler are a core part of any toolkit for reverse engineering and vulnerability research. In a previous blog post we discussed how the Hex-Rays API can be used to solve small, well-defined problems commonly seen as part of malware analysis. Having access to a...
Definitive Dossier of Devilish Debug Details – Part Deux: A Didactic Deep Dive into Data Driven Deductions
In Part One of this blog series, Steve Miller outlined what PDB paths are, how they appear in malware, how we use them to detect malicious files, and how we sometimes use them to make associations about groups and actors. As Steve continued his research into PDB paths, we became interested in...
CARBANAK Week Part Four: The CARBANAK Desktop Video Player
Part One, Part Two and Part Three of CARBANAK Week are behind us. In this final blog post, we dive into one of the more interesting tools that is part of the CARBANAK toolset. The CARBANAK authors wrote their own video player and we happened to come across an interesting video capture from CARBAN...
Churning Out Machine Learning Models: Handling Changes in Model Predictions
Introduction Machine learning ML is playing an increasingly important role in cyber security. Here at FireEye, we employ ML for a variety of tasks such as: antivirus, malicious PowerShell detection, and correlating threat actor behavior. While many people think that a data scientist’s job is...
Announcing the Fourth Annual Flare-On Challenge
The fourth annual Flare-On Challenge – the FireEye Labs Advanced Reverse Engineering FLARE team’s yearly reverse engineering contest – is scheduled to kick off on Sept. 1, 2017, at 8pm ET. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts, and security...
HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign
A wide variety of threat actors began distributing HawkEye malware through high-volume email campaigns after it became available for purchase via a public-facing website. The actors behind the phishing campaigns typically used email themes based on current events and media reports that would piqu...
Extending Linux Executable Logging With The Integrity Measurement Architecture
Gaining insight into the files being executed on your system is a great first step towards improved visibility on your endpoints. Taking this a step further, centrally storing logs of file execution data so they can be used for detection and hunting provides an excellent opportunity to find evil ...
Announcing the Third Annual Flare-On Challenge
Let fall be the season for reverse engineering! On Sept. 23, 2016, the FireEye Labs Advanced Reverse Engineering FLARE team will be hosting its third annual Flare-On reverse engineering contest with a designated start time of 8pm ET. This is a CTF-style challenge for all active and aspiring rever...
Red Team Tool Roundup
In many cases Red Team tools are not written because someone feels like writing a tool, or wakes up one morning thinking, “I want to write a tool today”. Red Teamers generally identify tedious tasks in their methodology and then create tools that automate these tasks for current and future...
Automatically Extracting Obfuscated Strings from Malware using the FireEye Labs Obfuscated String Solver (FLOSS)
Introduction and Motivation Have you ever run strings.exe on a malware executable and its output provided you with IP addresses, file names, registry keys, and other indicators of compromise IOCs? Great! No need to run further analysis or hire expensive experts to determine if a file is malicious...
IRONGATE ICS Malware: Nothing to See Here...Masking Malicious Activity on SCADA Systems
In the latter half of 2015, the FireEye Labs Advanced Reverse Engineering FLARE team identified several versions of an ICS-focused malware crafted to manipulate a specific industrial process running within a simulated Siemens control system environment. We named this family of malware IRONGATE...
Ransomware Activity Spikes in March, Steadily increasing throughout 2016
UPDATE June 15, 2016: This post has been updated to include new data on ransomware activity, which is also now broken down by region. Cyber extortion for financial gain is typically carried out in one of two ways. The first method is a business disruption attack – a category we discussed at lengt...
A Cyber Revolution: Advanced Attacks Increasing in EMEA Reflect Political Tension
Financial, geopolitical and economical changes made 2015 a very busy year for the Europe, Middle East and Africa EMEA region, particularly in the cyber realm. FireEye has been monitoring these shifting cyber trends and has identified considerable evolutions to the EMEA threat landscape when...
Rollout or Not: the Benefits and Risks of iOS Remote Hot Patching
Previously On iOS Remote Hot Patching Apple’s detailed app review process has resulted in greater security for iOS apps made available through the App Store. However, this review process can be lengthy, which negatively impacts developers who need to quickly patch a buggy or insecure app. As a...
SlemBunk: An Evolving Android Trojan Family Targeting Users of Worldwide Banking Apps
FireEye mobile researchers recently identified a series of Android trojan apps that are designed to imitate the legitimate apps of 33 financial management institutions and service providers across the globe. We dub the family “SlemBunk,” and have seen it covering three major continents: North...
ModPOS: Highly-Sophisticated, Stealthy Malware Targeting US POS Systems with High Likelihood of Broader Campaigns
Today, iSIGHT Partners is sharing details about a highly sophisticated criminal malware framework that has been used to target point-of-sale POS systems at US-based retailers. We believe this very hard to detect malware is likely being used in broader campaigns and are disclosing details to help...
XcodeGhost S: A New Breed Hits the US
Just over a month ago, iOS users were warned of the threat to their devices by the XcodeGhost malware. Apple quickly reacted, taking down infected apps from the App Store and releasing new security features to stop malicious activities. Through continuous monitoring of our customers’ networks,...
General Michael Hayden Talks about the Future of Cybersecurity at MIRcon 2013
When you've got some of the cybersecurity industry's best and brightest practitioners in one room, just how do you top the conversations they're having across the breakfast table? By getting one of the foremost experts on cybersecurity to deliver a top notch speech on the future of the industry,...
A Hands-On Introduction to Mandiant's Approach to OT Red Teaming
Operational technology OT asset owners have historically considered red teaming of OT and industrial control system ICS networks to be too risky due to the potential for disruptions or adverse impact to production systems. While this mindset has remained largely unchanged for years, Mandiant's...
Announcing the Seventh Annual Flare-On Challenge
The Front Line Applied Research & Expertise FLARE team is honored to announce that the popular Flare-On challenge will return for a triumphant seventh year. Ongoing global events proved no match against our passion for creating challenging and fun puzzles to test and hone the skills of aspiring a...
It’s Your Money and They Want It Now — The Cycle of Adversary Pursuit
When we discover new intrusions, we ask ourselves questions that will help us understand the totality of the activity set. How common is this activity? Is there anything unique or special about this malware or campaign? What is new and what is old in terms of TTPs or infrastructure? Is this being...