545 matches found
Cerber Ransomware Partners with the Dridex Spam Distributor
Cerber ransomware incorporates the unusual feature of “speaking” its ransom message after successfully infecting a user machine and encrypting files. Cerber was first seen in the wild at the end of February 2016 and was observed being delivered mostly via exploit kits EK, notably using Magnitude...
Cerber Ransomware Partners with the Dridex Spam Distributor
Cerber ransomware incorporates the unusual feature of “speaking” its ransom message after successfully infecting a user machine and encrypting files. Cerber was first seen in the wild at the end of February 2016 and was observed being delivered mostly via exploit kits EK, notably using Magnitude...
Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks
In March 2016, a financially motivated threat actor launched several tailored spear phishing campaigns primarily targeting the retail, restaurant, and hospitality industries. The emails contained variations of Microsoft Word documents with embedded macros that, when enabled, downloaded and execut...
Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks
In March 2016, a financially motivated threat actor launched several tailored spear phishing campaigns primarily targeting the retail, restaurant, and hospitality industries. The emails contained variations of Microsoft Word documents with embedded macros that, when enabled, downloaded and execut...
Locky Gets Clever!
As discussed in an earlier FireEye blog, we have seen Locky ransomware rise to fame in recent months. Locky is aggressively distributed via a JavaScript-based downloader sent as an attachment in spam emails, and may have overshadowed the Dridex banking Trojan as the top spam contributor. FireEye...
Locky Gets Clever!
As discussed in an earlier FireEye blog, we have seen Locky ransomware rise to fame in recent months. Locky is aggressively distributed via a JavaScript-based downloader sent as an attachment in spam emails, and may have overshadowed the Dridex banking Trojan as the top spam contributor. FireEye...
Exploiting CVE-2016-2060 on Qualcomm Devices
Mandiant’s Red Team recently discovered a widespread vulnerability affecting Android devices that permits local privilege escalation to the built-in user “radio”, making it so an attacker can potentially perform activities such as viewing the victim’s SMS database and phone history. The...
A Cyber Revolution: Advanced Attacks Increasing in EMEA Reflect Political Tension
Financial, geopolitical and economical changes made 2015 a very busy year for the Europe, Middle East and Africa EMEA region, particularly in the cyber realm. FireEye has been monitoring these shifting cyber trends and has identified considerable evolutions to the EMEA threat landscape when...
A Cyber Revolution: Advanced Attacks Increasing in EMEA Reflect Political Tension
Financial, geopolitical and economical changes made 2015 a very busy year for the Europe, Middle East and Africa EMEA region, particularly in the cyber realm. FireEye has been monitoring these shifting cyber trends and has identified considerable evolutions to the EMEA threat landscape when...
Deobfuscating Python Bytecode
Introduction During an investigation, the FLARE team came across an interesting Python malware sample MD5: 61a9f80612d3f7566db5bdf37bbf22cf that is packaged using py2exe. Py2exe is a popular way to compile and package Python scripts into executables. When we encounter this type of malware we...
RuMMS: The Latest Family of Android Malware Attacking Users in Russia Via SMS Phishing
Introduction Recently we observed an Android malware family being used to attack users in Russia. The malware samples were mainly distributed through a series of malicious subdomains registered under a legitimate domain belonging to a well-known shared hosting service provider in Russia. Because...
RuMMS: The Latest Family of Android Malware Attacking Users in Russia Via SMS Phishing
Introduction Recently we observed an Android malware family being used to attack users in Russia. The malware samples were mainly distributed through a series of malicious subdomains registered under a legitimate domain belonging to a well-known shared hosting service provider in Russia. Because...
New Downloader for Locky
Through DTI Intelligence analysis, We have been observing Locky malware rise to fame recently. Locky is ransomware that is aggressively distributed via downloaders attached in spam emails, and it may have surpassed the Dridex banking trojan in popularity. In previous campaigns, the ransomware was...
New Downloader for Locky
Through DTI Intelligence analysis, We have been observing Locky malware rise to fame recently. Locky is ransomware that is aggressively distributed via downloaders attached in spam emails, and it may have surpassed the Dridex banking trojan in popularity. In previous campaigns, the ransomware was...
PowerShell used for spreading Trojan.Laziok through Google Docs
Introduction Through our multi-flow detection capability, we recently identified malicious actors spreading Trojan.Laziok malware via Google Docs. We observed that the attackers managed to upload the payload to Google Docs in March 2016. During the brief time it was live, users accessing the...
PowerShell used for spreading Trojan.Laziok through Google Docs
Introduction Through our multi-flow detection capability, we recently identified malicious actors spreading Trojan.Laziok malware via Google Docs. We observed that the attackers managed to upload the payload to Google Docs in March 2016. During the brief time it was live, users accessing the...
Follow The Money: Dissecting the Operations of the Cyber Crime Group FIN6
Cybercrime operations can be intricate and elaborate, with careful planning needed to navigate the various obstacles separating an attacker from a payout. Yet reports on these operations are often fragmentary, as the full scope of attacker activity typically occurs beyond the view of any one grou...
MULTIGRAIN – Point of Sale Attackers Make an Unhealthy Addition to the Pantry
FireEye recently discovered a new variant of a point of sale POS malware family known as NewPosThings. This variant, which we call “MULTIGRAIN”, consists largely of a subset of slightly modified code from NewPosThings. The variant is highly targeted, digitally signed, and exfiltrates stolen payme...
MULTIGRAIN – Point of Sale Attackers Make an Unhealthy Addition to the Pantry
FireEye recently discovered a new variant of a point of sale POS malware family known as NewPosThings. This variant, which we call “MULTIGRAIN”, consists largely of a subset of slightly modified code from NewPosThings. The variant is highly targeted, digitally signed, and exfiltrates stolen payme...
Ghosts in the Endpoint
We would like to introduce the first of our “Ghosts in the Endpoint” series, a report prepared by FireEye Labs that documents malicious software not being detected in the wild by traditional signature-based detections. In this study, all the families identified are samples from VirusTotal VT with...
Ghosts in the Endpoint
We would like to introduce the first of our “Ghosts in the Endpoint” series, a report prepared by FireEye Labs that documents malicious software not being detected in the wild by traditional signature-based detections. In this study, all the families identified are samples from VirusTotal VT with...
CVE-2016-1019: A New Flash Exploit Included in Magnitude Exploit Kit
On April 2, security researcher @Kafeine at Proofpoint discovered a change to the Magnitude Exploit Kit. Thanks to their collaboration, we analyzed the sample and discovered that Magnitude EK was exploiting a previously unknown vulnerability in Adobe Flash Player CVE-2016-1019. The in-the-wild...
CVE-2016-1019: A New Flash Exploit Included in Magnitude Exploit Kit
On April 2, security researcher @Kafeine at Proofpoint discovered a change to the Magnitude Exploit Kit. Thanks to their collaboration, we analyzed the sample and discovered that Magnitude EK was exploiting a previously unknown vulnerability in Adobe Flash Player CVE-2016-1019. The in-the-wild...
Rollout or Not: the Benefits and Risks of iOS Remote Hot Patching
Previously On iOS Remote Hot Patching Apple’s detailed app review process has resulted in greater security for iOS apps made available through the App Store. However, this review process can be lengthy, which negatively impacts developers who need to quickly patch a buggy or insecure app. As a...
Rollout or Not: the Benefits and Risks of iOS Remote Hot Patching
Previously On iOS Remote Hot Patching Apple’s detailed app review process has resulted in greater security for iOS apps made available through the App Store. However, this review process can be lengthy, which negatively impacts developers who need to quickly patch a buggy or insecure app. As a...
TREASUREHUNT: A Custom POS Malware Tool
Since early 2015, FireEye Threat Intelligence has observed the significant growth of point-of-sale POS malware families in underground cyber crime forums. POS malware refers to malicious software that extracts payment card information from memory and usually uploads that data to a command and...
Surge in Spam Campaign Delivering Locky Ransomware Downloaders
FireEye Labs is detecting a significant spike in Locky ransomware downloaders due to a pair of concurrent email spam campaigns impacting users in over 50 countries. Some of the top affected countries are depicted in Figure 1. Figure 1. Affected countries As seen in Figure 2, the steep spike start...
Surge in Spam Campaign Delivering Locky Ransomware Downloaders
FireEye Labs is detecting a significant spike in Locky ransomware downloaders due to a pair of concurrent email spam campaigns impacting users in over 50 countries. Some of the top affected countries are depicted in Figure 1. Figure 1. Affected countries As seen in Figure 2, the steep spike start...
99 Problems but Two-Factor Ain’t One
Two-factor authentication is a best practice for securing remote access, but it is also a Holy Grail for a motivated red team. Hiding under the guise of a legitimate user authenticated through multiple credentials is one of the best ways to remain undetected in an environment. Many companies rega...
Wiping Out a Malicious Campaign Abusing Chinese Ad Platform
At FireEye Labs, we have discovered another well-crafted malvertising campaign that uses the ad API of one of the world’s largest search engines: China-based Baidu. The attacker employs a simple HTML redirector instead of shellcode or an exploit in an apparently benign-looking website. This leads...
Wiping Out a Malicious Campaign Abusing Chinese Ad Platform
At FireEye Labs, we have discovered another well-crafted malvertising campaign that uses the ad API of one of the world’s largest search engines: China-based Baidu. The attacker employs a simple HTML redirector instead of shellcode or an exploit in an apparently benign-looking website. This leads...
Stop Scanning My Macro
FireEye Labs detected an interesting evasion strategy in two recent, large Dridex campaigns. These campaigns changed the attachment file-type and location of malicious logic in an attempt to avoid scanners. Overview Both campaigns used an invoice theme and came from a wide variety of sending...
Stop Scanning My Macro
FireEye Labs detected an interesting evasion strategy in two recent, large Dridex campaigns. These campaigns changed the attachment file-type and location of malicious logic in an attempt to avoid scanners. Overview Both campaigns used an invoice theme and came from a wide variety of sending...
GongDa vs. Korean News
On Jan. 27, we observed visitors to a Korean news site being redirected to the GongDa Exploit Kit EK, potentially exposing them to malware infection. We will be referring to this site as KNS. GongDa is an exploit kit that can compromise vulnerable endpoints by use of exploits, allowing harmful...
GongDa vs. Korean News
On Jan. 27, we observed visitors to a Korean news site being redirected to the GongDa Exploit Kit EK, potentially exposing them to malware infection. We will be referring to this site as KNS. GongDa is an exploit kit that can compromise vulnerable endpoints by use of exploits, allowing harmful...
Citrix XenApp and XenDesktop Hardening Guidance
A Joint Whitepaper from Mandiant and Citrix Throughout the course of Mandiant’s Red Team and Incident Response engagements, we frequently identify a wide array of misconfigured technology solutions, including Citrix XenApp and XenDesktop. We often see attackers leveraging stolen credentials from...
A Growing Number of Android Malware Families Believed to Have a Common Origin: A Study Based on Binary Code
Introduction On Feb. 19, IBM XForce researchers released an intelligence report 1 stating that the source code for GM Bot was leaked to a crimeware forum in December 2015. GM Bot is a sophisticated Android malware family that emerged in the Russian-speaking cybercrime underground in late 2014. IB...
Lessons from Operation RussianDoll
As defensive security controls raise the bar to attack, attackers will employ increasingly sophisticated techniques to complete their mission. Understanding the mechanics and impact of these threats is essential to systematically discover and deflect the coming wave of advanced attacks. Mandiant...
Relational Learning Tutorial
At FireEye, we apply machine learning techniques to a variety of security problems. Malware detection and categorization is a great use of the technology, and we believe that it can also play a role in security challenges that extend beyond malware. In one such R&D effort, the Innovation & Custom...
Using EMET to Disable EMET
UPDATE July 7: This post has been updated in advance of a Black Hat 2016 presentation. Microsoft’s Enhanced Mitigation Experience Toolkit EMET is a project that adds security mitigations to user mode programs beyond those built in to the operating system. It runs inside “protected” programs as a...
Maimed Ramnit Still Lurking in the Shadow
Newspapers have the ability to do more than simply keep us current with worldly affairs; we can use them to squash bugs! Yet, as we move from waiting on the newspaper delivery boy to reading breaking news on ePapers, we lose the subtle art of bug squashing. Instead, we end up exposing ourselves t...
Greater Visibility Through PowerShell Logging
UPDATE Feb. 29: This post has been updated with new configuration recommendations due to the Feb. 24 rerelease of PowerShell 5, and now includes a link to a parsing script that users may find valuable. Introduction Mandiant is continuously investigating attacks that leverage PowerShell throughout...
FLARE Script Series: flare-dbg Plug-ins
Introduction This post continues the FireEye Labs Advanced Reverse Engineering FLARE script series. In this post, we continue to discuss the flare-dbg project. If you haven’t read my first post on using flare-dbg to automate string decoding, be sure to check it out! We created the flare-dbg Pytho...
Dridex Botnet Resumes Spam Operations After the Holidays
FireEye Labs observed that Dridex operators were active during the holiday season. However, during the post-Christmas and New Year weeks, we observed a slowdown in their spam campaigns. Interestingly, their breaks were short. Over the past few weeks they have resumed operations and are building...
CenterPOS: An Evolving POS Threat
Introduction There has been no shortage of point-of-sale POS threats in the past couple of years. This type of malicious software has gained widespread notoriety in recent time due to its use in high-profile breaches, some of which involved well-known brick and mortar retailers and led to the...
Hot or Not? The Benefits and Risks of iOS Remote Hot Patching
Introduction Apple has made a significant effort to build and maintain a healthy and clean app ecosystem. The essential contributing component to this status quo is the App Store, which is protected by a thorough vetting process that scrutinizes all submitted applications. While the process is...
URLZone Zones in on Japan
Recently we’ve seen an interesting trend from several crimeware families that were mainly active in the European region, and have now expanded their activity to Japan. Rovnix is one such family, as recently reported by IBM X-Force. At the same time, we’ve seen another spam campaign break out in...
Holiday Season 2015 Email Campaign
The holiday season is a time when many people go on vacation or at least get much-needed downtime from work, but that is not always the case with attackers. To better understand the threats we face during “the most wonderful time of the year,” FireEye Labs has been collecting data on the most...
SlemBunk Part II: Prolonged Attack Chain and Better-Organized Campaign
Introduction Our follow-up investigation of a nasty Android banking malware we identified at the tail end of last year has not only revealed that the trojan is more persistent than we initially realized – thus making for a much more dangerous threat – but that it is also being used as part of an...
The Dangers of Downloads: Securing Mobile Devices in 2016
In 2015, mobile malware attacks were on the rise; from 2014 to 2015 we saw an increase of 61% in the number of these attacks. Malware has a clear progression path; it starts out targeting unsuspecting users who are likely to open unknown attachments or install unknown applications. The primary...