Lucene search
+L
FireeyeRecent

545 matches found

FireEye
FireEye
added 2016/05/12 1:30 p.m.53 views

Cerber Ransomware Partners with the Dridex Spam Distributor

Cerber ransomware incorporates the unusual feature of “speaking” its ransom message after successfully infecting a user machine and encrypting files. Cerber was first seen in the wild at the end of February 2016 and was observed being delivered mostly via exploit kits EK, notably using Magnitude...

0.1AI score
Exploits0
FireEye
FireEye
added 2016/05/12 1:30 p.m.19 views

Cerber Ransomware Partners with the Dridex Spam Distributor

Cerber ransomware incorporates the unusual feature of “speaking” its ransom message after successfully infecting a user machine and encrypting files. Cerber was first seen in the wild at the end of February 2016 and was observed being delivered mostly via exploit kits EK, notably using Magnitude...

6.9AI score
Exploits0
FireEye
FireEye
added 2016/05/11 3:0 p.m.201 views

Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks

In March 2016, a financially motivated threat actor launched several tailored spear phishing campaigns primarily targeting the retail, restaurant, and hospitality industries. The emails contained variations of Microsoft Word documents with embedded macros that, when enabled, downloaded and execut...

7.2CVSS8.2AI score0.05729EPSS
Exploits0
FireEye
FireEye
added 2016/05/11 3:0 p.m.102 views

Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks

In March 2016, a financially motivated threat actor launched several tailored spear phishing campaigns primarily targeting the retail, restaurant, and hospitality industries. The emails contained variations of Microsoft Word documents with embedded macros that, when enabled, downloaded and execut...

7.2CVSS8.2AI score0.05729EPSS
Exploits0
FireEye
FireEye
added 2016/05/09 2:43 p.m.15 views

Locky Gets Clever!

As discussed in an earlier FireEye blog, we have seen Locky ransomware rise to fame in recent months. Locky is aggressively distributed via a JavaScript-based downloader sent as an attachment in spam emails, and may have overshadowed the Dridex banking Trojan as the top spam contributor. FireEye...

6.9AI score
Exploits0References1
FireEye
FireEye
added 2016/05/09 10:43 a.m.9 views

Locky Gets Clever!

As discussed in an earlier FireEye blog, we have seen Locky ransomware rise to fame in recent months. Locky is aggressively distributed via a JavaScript-based downloader sent as an attachment in spam emails, and may have overshadowed the Dridex banking Trojan as the top spam contributor. FireEye...

7.2AI score
Exploits0
FireEye
FireEye
added 2016/05/05 8:0 a.m.97 views

Exploiting CVE-2016-2060 on Qualcomm Devices

Mandiant’s Red Team recently discovered a widespread vulnerability affecting Android devices that permits local privilege escalation to the built-in user “radio”, making it so an attacker can potentially perform activities such as viewing the victim’s SMS database and phone history. The...

9.3CVSS0.2AI score0.00466EPSS
Exploits0
FireEye
FireEye
added 2016/05/04 8:0 a.m.17 views

A Cyber Revolution: Advanced Attacks Increasing in EMEA Reflect Political Tension

Financial, geopolitical and economical changes made 2015 a very busy year for the Europe, Middle East and Africa EMEA region, particularly in the cyber realm. FireEye has been monitoring these shifting cyber trends and has identified considerable evolutions to the EMEA threat landscape when...

6.7AI score
Exploits0References3
FireEye
FireEye
added 2016/05/04 4:0 a.m.18 views

A Cyber Revolution: Advanced Attacks Increasing in EMEA Reflect Political Tension

Financial, geopolitical and economical changes made 2015 a very busy year for the Europe, Middle East and Africa EMEA region, particularly in the cyber realm. FireEye has been monitoring these shifting cyber trends and has identified considerable evolutions to the EMEA threat landscape when...

0.2AI score
Exploits0
FireEye
FireEye
added 2016/05/03 8:30 a.m.280 views

Deobfuscating Python Bytecode

Introduction During an investigation, the FLARE team came across an interesting Python malware sample MD5: 61a9f80612d3f7566db5bdf37bbf22cf that is packaged using py2exe. Py2exe is a popular way to compile and package Python scripts into executables. When we encounter this type of malware we...

0.2AI score
Exploits0
FireEye
FireEye
added 2016/04/26 12:30 p.m.41 views

RuMMS: The Latest Family of Android Malware Attacking Users in Russia Via SMS Phishing

Introduction Recently we observed an Android malware family being used to attack users in Russia. The malware samples were mainly distributed through a series of malicious subdomains registered under a legitimate domain belonging to a well-known shared hosting service provider in Russia. Because...

7.8AI score
Exploits0
FireEye
FireEye
added 2016/04/26 8:30 a.m.24 views

RuMMS: The Latest Family of Android Malware Attacking Users in Russia Via SMS Phishing

Introduction Recently we observed an Android malware family being used to attack users in Russia. The malware samples were mainly distributed through a series of malicious subdomains registered under a legitimate domain belonging to a well-known shared hosting service provider in Russia. Because...

0.1AI score
Exploits0
FireEye
FireEye
added 2016/04/22 3:0 p.m.12 views

New Downloader for Locky

Through DTI Intelligence analysis, We have been observing Locky malware rise to fame recently. Locky is ransomware that is aggressively distributed via downloaders attached in spam emails, and it may have surpassed the Dridex banking trojan in popularity. In previous campaigns, the ransomware was...

7.5AI score
Exploits0References1
FireEye
FireEye
added 2016/04/22 11:0 a.m.22 views

New Downloader for Locky

Through DTI Intelligence analysis, We have been observing Locky malware rise to fame recently. Locky is ransomware that is aggressively distributed via downloaders attached in spam emails, and it may have surpassed the Dridex banking trojan in popularity. In previous campaigns, the ransomware was...

8AI score
Exploits0
FireEye
FireEye
added 2016/04/21 5:45 p.m.77 views

PowerShell used for spreading Trojan.Laziok through Google Docs

Introduction Through our multi-flow detection capability, we recently identified malicious actors spreading Trojan.Laziok malware via Google Docs. We observed that the attackers managed to upload the payload to Google Docs in March 2016. During the brief time it was live, users accessing the...

9.3CVSS8.1AI score0.99966EPSS
Exploits51
FireEye
FireEye
added 2016/04/21 1:45 p.m.316 views

PowerShell used for spreading Trojan.Laziok through Google Docs

Introduction Through our multi-flow detection capability, we recently identified malicious actors spreading Trojan.Laziok malware via Google Docs. We observed that the attackers managed to upload the payload to Google Docs in March 2016. During the brief time it was live, users accessing the...

9.3CVSS0.7AI score0.99966EPSS
Exploits51
FireEye
FireEye
added 2016/04/20 8:0 p.m.26 views

Follow The Money: Dissecting the Operations of the Cyber Crime Group FIN6

Cybercrime operations can be intricate and elaborate, with careful planning needed to navigate the various obstacles separating an attacker from a payout. Yet reports on these operations are often fragmentary, as the full scope of attacker activity typically occurs beyond the view of any one grou...

0.1AI score
Exploits0
FireEye
FireEye
added 2016/04/19 3:30 p.m.14 views

MULTIGRAIN – Point of Sale Attackers Make an Unhealthy Addition to the Pantry

FireEye recently discovered a new variant of a point of sale POS malware family known as NewPosThings. This variant, which we call “MULTIGRAIN”, consists largely of a subset of slightly modified code from NewPosThings. The variant is highly targeted, digitally signed, and exfiltrates stolen payme...

7.1AI score
Exploits0References7
FireEye
FireEye
added 2016/04/19 11:30 a.m.30 views

MULTIGRAIN – Point of Sale Attackers Make an Unhealthy Addition to the Pantry

FireEye recently discovered a new variant of a point of sale POS malware family known as NewPosThings. This variant, which we call “MULTIGRAIN”, consists largely of a subset of slightly modified code from NewPosThings. The variant is highly targeted, digitally signed, and exfiltrates stolen payme...

0.4AI score
Exploits0
FireEye
FireEye
added 2016/04/13 1:0 p.m.58 views

Ghosts in the Endpoint

We would like to introduce the first of our “Ghosts in the Endpoint” series, a report prepared by FireEye Labs that documents malicious software not being detected in the wild by traditional signature-based detections. In this study, all the families identified are samples from VirusTotal VT with...

10CVSS7.6AI score0.99344EPSS
Exploits10
FireEye
FireEye
added 2016/04/13 9:0 a.m.645 views

Ghosts in the Endpoint

We would like to introduce the first of our “Ghosts in the Endpoint” series, a report prepared by FireEye Labs that documents malicious software not being detected in the wild by traditional signature-based detections. In this study, all the families identified are samples from VirusTotal VT with...

10CVSS9.4AI score0.99344EPSS
Exploits10
FireEye
FireEye
added 2016/04/07 12:30 p.m.57 views

CVE-2016-1019: A New Flash Exploit Included in Magnitude Exploit Kit

On April 2, security researcher @Kafeine at Proofpoint discovered a change to the Magnitude Exploit Kit. Thanks to their collaboration, we analyzed the sample and discovered that Magnitude EK was exploiting a previously unknown vulnerability in Adobe Flash Player CVE-2016-1019. The in-the-wild...

10CVSS9.3AI score0.44537EPSS
Exploits1References3
FireEye
FireEye
added 2016/04/07 8:30 a.m.272 views

CVE-2016-1019: A New Flash Exploit Included in Magnitude Exploit Kit

On April 2, security researcher @Kafeine at Proofpoint discovered a change to the Magnitude Exploit Kit. Thanks to their collaboration, we analyzed the sample and discovered that Magnitude EK was exploiting a previously unknown vulnerability in Adobe Flash Player CVE-2016-1019. The in-the-wild...

10CVSS0.2AI score0.44537EPSS
Exploits1
FireEye
FireEye
added 2016/04/04 12:30 p.m.17 views

Rollout or Not: the Benefits and Risks of iOS Remote Hot Patching

Previously On iOS Remote Hot Patching Apple’s detailed app review process has resulted in greater security for iOS apps made available through the App Store. However, this review process can be lengthy, which negatively impacts developers who need to quickly patch a buggy or insecure app. As a...

6.7AI score
Exploits0References17
FireEye
FireEye
added 2016/04/04 8:30 a.m.35 views

Rollout or Not: the Benefits and Risks of iOS Remote Hot Patching

Previously On iOS Remote Hot Patching Apple’s detailed app review process has resulted in greater security for iOS apps made available through the App Store. However, this review process can be lengthy, which negatively impacts developers who need to quickly patch a buggy or insecure app. As a...

0.7AI score
Exploits0
FireEye
FireEye
added 2016/03/28 8:0 a.m.24 views

TREASUREHUNT: A Custom POS Malware Tool

Since early 2015, FireEye Threat Intelligence has observed the significant growth of point-of-sale POS malware families in underground cyber crime forums. POS malware refers to malicious software that extracts payment card information from memory and usually uploads that data to a command and...

7.5AI score
Exploits0
FireEye
FireEye
added 2016/03/25 12:0 p.m.15 views

Surge in Spam Campaign Delivering Locky Ransomware Downloaders

FireEye Labs is detecting a significant spike in Locky ransomware downloaders due to a pair of concurrent email spam campaigns impacting users in over 50 countries. Some of the top affected countries are depicted in Figure 1. Figure 1. Affected countries As seen in Figure 2, the steep spike start...

6.9AI score
Exploits0References1
FireEye
FireEye
added 2016/03/25 8:0 a.m.41 views

Surge in Spam Campaign Delivering Locky Ransomware Downloaders

FireEye Labs is detecting a significant spike in Locky ransomware downloaders due to a pair of concurrent email spam campaigns impacting users in over 50 countries. Some of the top affected countries are depicted in Figure 1. Figure 1. Affected countries As seen in Figure 2, the steep spike start...

0.3AI score
Exploits0
FireEye
FireEye
added 2016/03/23 8:0 a.m.167 views

99 Problems but Two-Factor Ain’t One

Two-factor authentication is a best practice for securing remote access, but it is also a Holy Grail for a motivated red team. Hiding under the guise of a legitimate user authenticated through multiple credentials is one of the best ways to remain undetected in an environment. Many companies rega...

4.3CVSS0.1AI score0.01995EPSS
Exploits0
FireEye
FireEye
added 2016/03/22 12:0 p.m.94 views

Wiping Out a Malicious Campaign Abusing Chinese Ad Platform

At FireEye Labs, we have discovered another well-crafted malvertising campaign that uses the ad API of one of the world’s largest search engines: China-based Baidu. The attacker employs a simple HTML redirector instead of shellcode or an exploit in an apparently benign-looking website. This leads...

6.9AI score
Exploits0References1
FireEye
FireEye
added 2016/03/22 8:0 a.m.38 views

Wiping Out a Malicious Campaign Abusing Chinese Ad Platform

At FireEye Labs, we have discovered another well-crafted malvertising campaign that uses the ad API of one of the world’s largest search engines: China-based Baidu. The attacker employs a simple HTML redirector instead of shellcode or an exploit in an apparently benign-looking website. This leads...

0.4AI score
Exploits0
FireEye
FireEye
added 2016/03/21 12:30 p.m.27 views

Stop Scanning My Macro

FireEye Labs detected an interesting evasion strategy in two recent, large Dridex campaigns. These campaigns changed the attachment file-type and location of malicious logic in an attempt to avoid scanners. Overview Both campaigns used an invoice theme and came from a wide variety of sending...

7AI score
Exploits0
FireEye
FireEye
added 2016/03/21 8:30 a.m.11 views

Stop Scanning My Macro

FireEye Labs detected an interesting evasion strategy in two recent, large Dridex campaigns. These campaigns changed the attachment file-type and location of malicious logic in an attempt to avoid scanners. Overview Both campaigns used an invoice theme and came from a wide variety of sending...

7.3AI score
Exploits0
FireEye
FireEye
added 2016/03/18 12:30 p.m.40 views

GongDa vs. Korean News

On Jan. 27, we observed visitors to a Korean news site being redirected to the GongDa Exploit Kit EK, potentially exposing them to malware infection. We will be referring to this site as KNS. GongDa is an exploit kit that can compromise vulnerable endpoints by use of exploits, allowing harmful...

9.3CVSS9.7AI score0.94996EPSS
Exploits39References2
FireEye
FireEye
added 2016/03/18 8:30 a.m.129 views

GongDa vs. Korean News

On Jan. 27, we observed visitors to a Korean news site being redirected to the GongDa Exploit Kit EK, potentially exposing them to malware infection. We will be referring to this site as KNS. GongDa is an exploit kit that can compromise vulnerable endpoints by use of exploits, allowing harmful...

9.3CVSS1.3AI score0.94996EPSS
Exploits39
FireEye
FireEye
added 2016/03/15 8:0 a.m.30 views

Citrix XenApp and XenDesktop Hardening Guidance

A Joint Whitepaper from Mandiant and Citrix Throughout the course of Mandiant’s Red Team and Incident Response engagements, we frequently identify a wide array of misconfigured technology solutions, including Citrix XenApp and XenDesktop. We often see attackers leveraging stolen credentials from...

2.9AI score
Exploits0
FireEye
FireEye
added 2016/03/11 5:8 p.m.15 views

A Growing Number of Android Malware Families Believed to Have a Common Origin: A Study Based on Binary Code

Introduction On Feb. 19, IBM XForce researchers released an intelligence report 1 stating that the source code for GM Bot was leaked to a crimeware forum in December 2015. GM Bot is a sophisticated Android malware family that emerged in the Russian-speaking cybercrime underground in late 2014. IB...

0.8AI score
Exploits0
FireEye
FireEye
added 2016/03/09 11:0 a.m.127 views

Lessons from Operation RussianDoll

As defensive security controls raise the bar to attack, attackers will employ increasingly sophisticated techniques to complete their mission. Understanding the mechanics and impact of these threats is essential to systematically discover and deflect the coming wave of advanced attacks. Mandiant...

7.2CVSS1.2AI score0.562EPSS
Exploits38
FireEye
FireEye
added 2016/03/08 8:0 a.m.11 views

Relational Learning Tutorial

At FireEye, we apply machine learning techniques to a variety of security problems. Malware detection and categorization is a great use of the technology, and we believe that it can also play a role in security challenges that extend beyond malware. In one such R&D effort, the Innovation & Custom...

1.9AI score
Exploits0
FireEye
FireEye
added 2016/02/23 8:0 a.m.304 views

Using EMET to Disable EMET

UPDATE July 7: This post has been updated in advance of a Black Hat 2016 presentation. Microsoft’s Enhanced Mitigation Experience Toolkit EMET is a project that adds security mitigations to user mode programs beyond those built in to the operating system. It runs inside “protected” programs as a...

10CVSS0.2AI score0.75691EPSS
Exploits17
FireEye
FireEye
added 2016/02/18 12:0 p.m.10 views

Maimed Ramnit Still Lurking in the Shadow

Newspapers have the ability to do more than simply keep us current with worldly affairs; we can use them to squash bugs! Yet, as we move from waiting on the newspaper delivery boy to reading breaking news on ePapers, we lose the subtle art of bug squashing. Instead, we end up exposing ourselves t...

0.4AI score
Exploits0
FireEye
FireEye
added 2016/02/11 7:53 a.m.26 views

Greater Visibility Through PowerShell Logging

UPDATE Feb. 29: This post has been updated with new configuration recommendations due to the Feb. 24 rerelease of PowerShell 5, and now includes a link to a parsing script that users may find valuable. Introduction Mandiant is continuously investigating attacks that leverage PowerShell throughout...

0.8AI score
Exploits0
FireEye
FireEye
added 2016/02/09 7:0 a.m.30 views

FLARE Script Series: flare-dbg Plug-ins

Introduction This post continues the FireEye Labs Advanced Reverse Engineering FLARE script series. In this post, we continue to discuss the flare-dbg project. If you haven’t read my first post on using flare-dbg to automate string decoding, be sure to check it out! We created the flare-dbg Pytho...

7.8AI score
Exploits0
FireEye
FireEye
added 2016/01/29 8:0 a.m.32 views

Dridex Botnet Resumes Spam Operations After the Holidays

FireEye Labs observed that Dridex operators were active during the holiday season. However, during the post-Christmas and New Year weeks, we observed a slowdown in their spam campaigns. Interestingly, their breaks were short. Over the past few weeks they have resumed operations and are building...

1.8AI score
Exploits0
FireEye
FireEye
added 2016/01/28 8:0 a.m.28 views

CenterPOS: An Evolving POS Threat

Introduction There has been no shortage of point-of-sale POS threats in the past couple of years. This type of malicious software has gained widespread notoriety in recent time due to its use in high-profile breaches, some of which involved well-known brick and mortar retailers and led to the...

0.3AI score
Exploits0
FireEye
FireEye
added 2016/01/27 8:0 a.m.30 views

Hot or Not? The Benefits and Risks of iOS Remote Hot Patching

Introduction Apple has made a significant effort to build and maintain a healthy and clean app ecosystem. The essential contributing component to this status quo is the App Store, which is protected by a thorough vetting process that scrutinizes all submitted applications. While the process is...

6.6AI score
Exploits0
FireEye
FireEye
added 2016/01/26 8:0 a.m.31 views

URLZone Zones in on Japan

Recently we’ve seen an interesting trend from several crimeware families that were mainly active in the European region, and have now expanded their activity to Japan. Rovnix is one such family, as recently reported by IBM X-Force. At the same time, we’ve seen another spam campaign break out in...

7.7AI score
Exploits0
FireEye
FireEye
added 2016/01/25 8:0 a.m.21 views

Holiday Season 2015 Email Campaign

The holiday season is a time when many people go on vacation or at least get much-needed downtime from work, but that is not always the case with attackers. To better understand the threats we face during “the most wonderful time of the year,” FireEye Labs has been collecting data on the most...

6.8AI score
Exploits0
FireEye
FireEye
added 2016/01/13 12:30 p.m.18 views

SlemBunk Part II: Prolonged Attack Chain and Better-Organized Campaign

Introduction Our follow-up investigation of a nasty Android banking malware we identified at the tail end of last year has not only revealed that the trojan is more persistent than we initially realized – thus making for a much more dangerous threat – but that it is also being used as part of an...

0.2AI score
Exploits0
FireEye
FireEye
added 2016/01/13 7:57 a.m.19 views

The Dangers of Downloads: Securing Mobile Devices in 2016

In 2015, mobile malware attacks were on the rise; from 2014 to 2015 we saw an increase of 61% in the number of these attacks. Malware has a clear progression path; it starts out targeting unsuspecting users who are likely to open unknown attachments or install unknown applications. The primary...

1.5AI score
Exploits0
Total number of security vulnerabilities545