Lucene search
+L
FireeyeRecent

545 matches found

FireEye
FireEye
added 2018/12/12 5:30 p.m.18 views

FLARE Script Series: Automating Objective-C Code Analysis with Emulation

This blog post is the next episode in the FireEye Labs Advanced Reverse Engineering FLARE team Script Series. Today, we are sharing a new IDAPython library – flare-emu – powered by IDA Pro and the Unicorn emulation framework that provides scriptable emulation features for the x86, x8664, ARM, and...

6.5AI score
Exploits0References10
FireEye
FireEye
added 2018/12/12 12:30 p.m.16 views

FLARE Script Series: Automating Objective-C Code Analysis with Emulation

This blog post is the next episode in the FireEye Labs Advanced Reverse Engineering FLARE team Script Series. Today, we are sharing a new IDAPython library – flare-emu – powered by IDA Pro and the Unicorn emulation framework that provides scriptable emulation features for the x86, x8664, ARM, and...

6.1AI score
Exploits0
FireEye
FireEye
added 2018/11/29 12:0 p.m.19 views

Obfuscated Command Line Detection Using Machine Learning

This blog post presents a machine learning ML approach to solving an emerging security problem: detecting obfuscated Windows command line invocations on endpoints. We start out with an introduction to this relatively new threat capability, and then discuss how such problems have traditionally bee...

7.4AI score
Exploits0
FireEye
FireEye
added 2018/11/20 5:30 p.m.21 views

Cmd and Conquer: De-DOSfuscation with flare-qdb

When Daniel Bohannon released his excellent DOSfuscation paper, I was fascinated to see how tricks I used as a systems engineer could help attackers evade detection. I didn’t have much to contribute to this conversation until I had to analyze a hideously obfuscated batch file as part of my job on...

7.1AI score
Exploits0References10
FireEye
FireEye
added 2018/11/20 12:30 p.m.30 views

Cmd and Conquer: De-DOSfuscation with flare-qdb

When Daniel Bohannon released his excellent DOSfuscation paper, I was fascinated to see how tricks I used as a systems engineer could help attackers evade detection. I didn’t have much to contribute to this conversation until I had to analyze a hideously obfuscated batch file as part of my job on...

7.2AI score
Exploits0
FireEye
FireEye
added 2018/11/19 5:0 p.m.40 views

Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign

Introduction FireEye devices detected intrusion attempts against multiple industries, including think tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government, and defense contracting. The attempts involved a phishing email appearing to be from the...

0.1AI score
Exploits0
FireEye
FireEye
added 2018/11/14 3:0 p.m.102 views

FLARE VM Update

FLARE VM is the first of its kind reverse engineering and malware analysis distribution on Windows platform. Since its introduction in July 2017, FLARE VM has been continuously trusted and used by many reverse engineers, malware analysts, and security researchers as their go-to environment for...

7.4AI score
Exploits0
FireEye
FireEye
added 2018/10/23 11:0 a.m.29 views

TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers

Overview In a previous blog post we detailed the TRITON intrusion that impacted industrial control systems ICS at a critical infrastructure facility. We now track this activity set as TEMP.Veles. In this blog post we provide additional information linking TEMP.Veles and their activity surrounding...

0.3AI score
Exploits0
FireEye
FireEye
added 2018/10/11 10:30 a.m.31 views

ICS Tactical Security Trends: Analysis of the Most Frequent Security Risks Observed in the Field

Introduction FireEye iSIGHT Intelligence compiled extensive data from dozens of ICS security health assessment engagements ICS Healthcheck performed by Mandiant, FireEye's consulting team, to identify the most pervasive and highest priority security risks in industrial facilities. The information...

0.8AI score
Exploits0
FireEye
FireEye
added 2018/10/05 8:0 p.m.267 views

2018 Flare-On Challenge Solutions

We are pleased to announce the conclusion of the fifth annual Flare-On Challenge. The numbers are in and we can safely say that this was by far the most difficult challenge we’ve ever hosted. We plan to reduce the difficulty next year, so it may be that the 114 people who solved this year’s...

1AI score
Exploits0
FireEye
FireEye
added 2018/10/05 10:30 a.m.253 views

FLARE Script Series: Reverse Engineering WebAssembly Modules Using the idawasm IDA Pro Plugin

Introduction This post continues the FireEye Labs Advanced Reverse Engineering FLARE script series. Here, we introduce idawasm, an IDA Pro plugin that provides a loader and processor modules for WebAssembly modules. idawasm works on all operating systems supported by IDA Pro, and can be obtained...

0.3AI score
Exploits0
FireEye
FireEye
added 2018/10/03 8:0 a.m.389 views

APT38: Details on New North Korean Regime-Backed Threat Group

Today, we are releasing details on the threat group that we believe is responsible for conducting financial crime on behalf of the North Korean regime, stealing millions of dollars from banks worldwide. The group is particularly aggressive; they regularly use destructive malware to render victim...

7.4AI score
Exploits0
FireEye
FireEye
added 2018/09/20 12:30 p.m.495 views

Increased Use of a Delphi Packer to Evade Malware Classification

Introduction The concept of "packing" or "crypting" a malicious program is widely popular among threat actors looking to bypass or defeat analysis by static and dynamic analysis tools. Evasion of classification and detection is an arms race in which new techniques are traded and used in the wild...

7.5AI score
Exploits0
FireEye
FireEye
added 2018/09/19 10:0 a.m.987 views

Click It Up: Targeting Local Government Payment Portals

FireEye has been tracking a campaign this year targeting web payment portals that involves on-premise installations of Click2Gov. Click2Gov is a web-based, interactive self-service bill-pay software solution developed by Superion. It includes various modules that allow users to pay bills associat...

7.5CVSS0.99993EPSS
Exploits57
FireEye
FireEye
added 2018/09/13 11:0 p.m.12 views

Bypassing Antivirus for Your Antivirus Bypass

Chances are you have heard about how easy it can be to evade antivirus. Often, this is because the signatures used by vendors are too simplistic and can be successfully duped without changing the functionality of the malware. Have you ever attempted to evade AV? Is it really that easy? In this bl...

7AI score
Exploits0References6
FireEye
FireEye
added 2018/09/13 12:0 p.m.522 views

APT10 Targeting Japanese Corporations Using Updated TTPs

Introduction In July 2018, FireEye devices detected and blocked what appears to be APT10 Menupass activity targeting the Japanese media sector. APT10 is a Chinese cyber espionage group that FireEye has tracked since 2009, and they have a history of targeting Japanese entities. In this campaign, t...

8AI score
Exploits0
FireEye
FireEye
added 2018/09/06 11:0 a.m.2267 views

Fallout Exploit Kit Used in Malvertising Campaign to Deliver GandCrab Ransomware

Towards the end of August 2018, FireEye identified a new exploit kit EK that was being served up as part of a malvertising campaign affecting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region. The first instance of the campaign was observed on...

7.6CVSS1AI score0.87639EPSS
Exploits9
FireEye
FireEye
added 2018/08/15 11:30 a.m.503 views

Announcing the Fifth Annual Flare-On Challenge

The FireEye Labs Advanced Reverse Engineering FLARE team’s annual reverse engineering challenge will start at 8:00 p.m. ET on Aug. 24, 2018. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts, and security professionals. So dust off your disassembler, pu...

0.1AI score
Exploits0
FireEye
FireEye
added 2018/08/08 2:45 p.m.27 views

BIOS Boots What? Finding Evil in Boot Code at Scale!

Malware continues to take advantage of a legacy component of modern systems designed in the 1980s. Despite the cyber threat landscape continuing to evolve at an ever-increasing pace, the exploitation of the classic BIOS boot process is still very much a threat to enterprises around the world...

0.3AI score
Exploits0References7
FireEye
FireEye
added 2018/08/08 10:45 a.m.498 views

BIOS Boots What? Finding Evil in Boot Code at Scale!

The second issue is that reverse engineering all boot records is impractical. Given the job of determining if a single system is infected with a bootkit, a malware analyst could acquire a disk image and then reverse engineer the boot bytes to determine if anything malicious is present in the boot...

6.8AI score
Exploits0
FireEye
FireEye
added 2018/08/01 1:0 p.m.686 views

On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation

FIN7’s Innovation Enabled their Success Throughout FireEye’s tracking of FIN7 campaigns, the attackers have attempted to stay ahead of the game and thwart detection, using novel tactics and displaying characteristics of a well-resourced operation. For example, in April 2017, FireEye blogged about...

6.8AI score
Exploits0
FireEye
FireEye
added 2018/07/26 10:0 a.m.3087 views

Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign

Campaign Details In September 2017, FireEye identified the FELIXROOT backdoor as a payload in a campaign targeting Ukrainians and reported it to our intelligence customers. The campaign involved malicious Ukrainian bank documents, which contained a macro that downloaded a FELIXROOT payload, being...

9.3CVSS1.7AI score0.99945EPSS
Exploits62
FireEye
FireEye
added 2018/07/18 2:0 p.m.176 views

How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners

Introduction Cyber criminals tend to favor cryptocurrencies because they provide a certain level of anonymity and can be easily monetized. This interest has increased in recent years, stemming far beyond the desire to simply use cryptocurrencies as a method of payment for illicit tools and...

7.2CVSS8.3AI score0.99993EPSS
Exploits59References32
FireEye
FireEye
added 2018/07/18 10:0 a.m.1518 views

How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners

Introduction Cyber criminals tend to favor cryptocurrencies because they provide a certain level of anonymity and can be easily monetized. This interest has increased in recent years, stemming far beyond the desire to simply use cryptocurrencies as a method of payment for illicit tools and...

7.2CVSS0.99993EPSS
Exploits59
FireEye
FireEye
added 2018/07/10 8:0 p.m.505 views

Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally

Introduction FireEye has examined a range of TEMP.Periscope activity revealing extensive interest in Cambodia's politics, with active compromises of multiple Cambodian entities related to the country’s electoral system. This includes compromises of Cambodian government entities charged with...

0.3AI score
Exploits0
FireEye
FireEye
added 2018/07/10 12:0 p.m.3889 views

Malicious PowerShell Detection via Machine Learning

Introduction Cyber security vendors and researchers have reported for years how PowerShell is being used by cyber threat actors to install backdoors, execute malicious code, and otherwise achieve their objectives within enterprises. Security is a cat-and-mouse game between adversaries, researcher...

5CVSS8AI score0.99993EPSS
Exploits45
FireEye
FireEye
added 2018/06/28 4:0 p.m.424 views

RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique

Introduction Through FireEye Dynamic Threat Intelligence DTI, we observed RIG Exploit Kit EK delivering a dropper that leverages the PROPagate injection technique to inject code that downloads and executes a Monero miner similar activity has been reported by Trend Micro. Apart from leveraging a...

9.3CVSS9.1AI score0.93165EPSS
Exploits39References5
FireEye
FireEye
added 2018/06/28 12:0 p.m.1659 views

RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique

Introduction Through FireEye Dynamic Threat Intelligence DTI, we observed RIG Exploit Kit EK delivering a dropper that leverages the PROPagate injection technique to inject code that downloads and executes a Monero miner similar activity has been reported by Trend Micro. Apart from leveraging a...

9.3CVSS8.8AI score0.93165EPSS
Exploits39
FireEye
FireEye
added 2018/06/18 11:45 a.m.559 views

Bring Your Own Land (BYOL) – A Novel Red Teaming Technique

Introduction One of most significant recent developments in sophisticated offensive operations is the use of “Living off the Land” LotL techniques by attackers. These techniques leverage legitimate tools present on the system, such as the PowerShell scripting language, in order to execute attacks...

1.6AI score
Exploits0
FireEye
FireEye
added 2018/06/07 10:0 a.m.529 views

A Totally Tubular Treatise on TRITON and TriStation

Introduction In December 2017, FireEye's Mandiant discussed an incident response involving the TRITON framework. The TRITON attack and many of the publicly discussed ICS intrusions involved routine techniques where the threat actors used only what is necessary to succeed in their mission. For bot...

7.8AI score
Exploits0
FireEye
FireEye
added 2018/06/05 12:30 p.m.496 views

Reverse Engineering the Analyst: Building Machine Learning Models for the SOC

Many cyber incidents can be traced back to an original alert that was either missed or ignored by the Security Operations Center SOC or Incident Response IR team. While most analysts and SOCs are vigilant and responsive, the fact is they are often overwhelmed with alerts. If a SOC is unable to...

7AI score
Exploits0
FireEye
FireEye
added 2018/05/29 5:0 p.m.14 views

Remote Authentication GeoFeasibility Tool - GeoLogonalyzer

Users have long needed to access important resources such as virtual private networks VPNs, web applications, and mail servers from anywhere in the world at any time. While the ability to access resources from anywhere is imperative for employees, threat actors often leverage stolen credentials t...

7.2AI score
Exploits0References4
FireEye
FireEye
added 2018/05/29 1:0 p.m.485 views

Remote Authentication GeoFeasibility Tool - GeoLogonalyzer

Users have long needed to access important resources such as virtual private networks VPNs, web applications, and mail servers from anywhere in the world at any time. While the ability to access resources from anywhere is imperative for employees, threat actors often leverage stolen credentials t...

7.4AI score
Exploits0
FireEye
FireEye
added 2018/05/21 11:15 a.m.523 views

Shining a Light on OAuth Abuse with PwnAuth

Introduction Spear phishing attacks are seen as one of the biggest cyber threats to an organization. It only takes one employee to enter their credentials or run some malware for an entire organization to become compromised. As such, companies devote significant resources to preventing credential...

Exploits0
FireEye
FireEye
added 2018/05/14 9:0 a.m.492 views

A Deep Dive Into RIG Exploit Kit Delivering Grobios Trojan

As discussed in previous blogs, exploit kit activity has been on the decline since the latter half of 2016. However, we do still periodically observe significant developments in this space, and we have been observing interesting ongoing activity involving RIG Exploit Kit EK. Although the volume o...

Exploits0
FireEye
FireEye
added 2018/05/04 11:0 a.m.498 views

Rooting a Logitech Harmony Hub: Improving Security in Today's IoT World

Introduction FireEye’s Mandiant Red Team recently discovered vulnerabilities present on the Logitech Harmony Hub Internet of Things IoT device that could potentially be exploited, resulting in root access to the device via SSH. The Harmony Hub is a home control system designed to connect to and...

7.4AI score
Exploits0
FireEye
FireEye
added 2018/04/26 12:15 p.m.497 views

Establishing a Baseline for Remote Desktop Protocol

For IT staff and Windows power users, Microsoft Terminal Services Remote Desktop Protocol RDP is a beneficial tool that allows for the interactive.aspx use or administration of a remote Windows system. However, Mandiant consultants have also observed threat actors using RDP, with compromised doma...

0.3AI score
Exploits0
FireEye
FireEye
added 2018/04/24 3:0 p.m.24 views

Metamorfo Campaigns Targeting Brazilian Users

FireEye Labs recently identified several widespread malspam malware spam campaigns targeting Brazilian companies with the goal of delivering banking Trojans. We are referring to these campaigns as Metamorfo. Across the stages of these campaigns, we have observed the use of several tactics and...

7.3AI score
Exploits0References2
FireEye
FireEye
added 2018/04/24 11:0 a.m.1906 views

Metamorfo Campaigns Targeting Brazilian Users

FireEye Labs recently identified several widespread malspam malware spam campaigns targeting Brazilian companies with the goal of delivering banking Trojans. We are referring to these campaigns as Metamorfo. Across the stages of these campaigns, we have observed the use of several tactics and...

Exploits0
FireEye
FireEye
added 2018/04/23 3:0 p.m.40 views

Loading Kernel Shellcode

In the wake of recent hacking tool dumps, the FLARE team saw a spike in malware samples detonating kernel shellcode. Although most samples can be analyzed statically, the FLARE team sometimes debugs these samples to confirm specific functionality. Debugging can be an efficient way to get around...

7.6AI score
Exploits0References11
FireEye
FireEye
added 2018/04/23 11:0 a.m.513 views

Loading Kernel Shellcode

In the wake of recent hacking tool dumps, the FLARE team saw a spike in malware samples detonating kernel shellcode. Although most samples can be analyzed statically, the FLARE team sometimes debugs these samples to confirm specific functionality. Debugging can be an efficient way to get around...

7.8AI score
Exploits0
FireEye
FireEye
added 2018/04/18 2:0 a.m.548 views

How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: Blockchain Infrastructure Use

UPDATE May 31, 2018: A section of the post on commonly used OpenNIC IPs has been removed to avoid any implication that the OpenNIC IPs are inherently malicious, which is not the case. Introduction Cyber criminals have always been attracted to cryptocurrencies because it provides a certain level o...

7.6AI score
Exploits0
FireEye
FireEye
added 2018/04/10 3:0 p.m.61 views

Solving Ad-hoc Problems with Hex-Rays API

Introduction IDA Pro is the de facto standard when it comes to binary reverse engineering. Besides being a great disassembler and debugger, it is possible to extend it and include a powerful decompiler by purchasing an additional license from Hex-Rays. The ability to switch between disassembled a...

6.6AI score
Exploits0References7
FireEye
FireEye
added 2018/04/10 11:0 a.m.512 views

Solving Ad-hoc Problems with Hex-Rays API

Introduction IDA Pro is the de facto standard when it comes to binary reverse engineering. Besides being a great disassembler and debugger, it is possible to extend it and include a powerful decompiler by purchasing an additional license from Hex-Rays. The ability to switch between disassembled a...

6.4AI score
Exploits0
FireEye
FireEye
added 2018/04/05 3:0 p.m.11 views

Fake Software Update Abuses NetSupport Remote Access Tool

Over the last few months, FireEye has tracked an in-the-wild campaign that leverages compromised sites to spread fake updates. In some cases, the payload was the NetSupport Manager remote access tool RAT. NetSupport Manager is a commercially available RAT that can be used legitimately by system...

7.8AI score
Exploits0
FireEye
FireEye
added 2018/04/05 11:0 a.m.523 views

Fake Software Update Abuses NetSupport Remote Access Tool

Over the last few months, FireEye has tracked an in-the-wild campaign that leverages compromised sites to spread fake updates. In some cases, the payload was the NetSupport Manager remote access tool RAT. NetSupport Manager is a commercially available RAT that can be used legitimately by system...

0.4AI score
Exploits0
FireEye
FireEye
added 2018/04/04 7:0 a.m.498 views

M-Trends 2018

What have incident responders observed and learned from cyber attacks in 2017? Just as in prior years, we have continued to see the cyber security threat landscape evolve. Over the past twelve months we have observed a number of new trends and changes to attacks, but we have also seen how certain...

0.2AI score
Exploits0
FireEye
FireEye
added 2018/03/23 3:0 p.m.15 views

SANNY Malware Delivery Method Updated in Recently Observed Attacks

Introduction In the third week of March 2018, through FireEye’s Dynamic Threat Intelligence, FireEye discovered malicious macro-based Microsoft Word documents distributing SANNY malware to multiple governments worldwide. Each malicious document lure was crafted in regard to relevant regional...

7.7AI score
Exploits0References1
FireEye
FireEye
added 2018/03/23 11:0 a.m.520 views

SANNY Malware Delivery Method Updated in Recently Observed Attacks

Introduction In the third week of March 2018, through FireEye’s Dynamic Threat Intelligence, FireEye discovered malicious macro-based Microsoft Word documents distributing SANNY malware to multiple governments worldwide. Each malicious document lure was crafted in regard to relevant regional...

7.9AI score
Exploits0
FireEye
FireEye
added 2018/03/22 11:45 p.m.520 views

DOSfuscation: Exploring the Depths of Cmd.exe Obfuscation and Detection Techniques

Skilled attackers continually seek out new attack vectors, while employing evasion techniques to maintain the effectiveness of old vectors, in an ever-changing defensive landscape. Many of these threat actors employ obfuscation frameworks for common scripting languages such as JavaScript and...

0.3AI score
Exploits0
Total number of security vulnerabilities545