545 matches found
FLARE Script Series: Automating Objective-C Code Analysis with Emulation
This blog post is the next episode in the FireEye Labs Advanced Reverse Engineering FLARE team Script Series. Today, we are sharing a new IDAPython library – flare-emu – powered by IDA Pro and the Unicorn emulation framework that provides scriptable emulation features for the x86, x8664, ARM, and...
FLARE Script Series: Automating Objective-C Code Analysis with Emulation
This blog post is the next episode in the FireEye Labs Advanced Reverse Engineering FLARE team Script Series. Today, we are sharing a new IDAPython library – flare-emu – powered by IDA Pro and the Unicorn emulation framework that provides scriptable emulation features for the x86, x8664, ARM, and...
Obfuscated Command Line Detection Using Machine Learning
This blog post presents a machine learning ML approach to solving an emerging security problem: detecting obfuscated Windows command line invocations on endpoints. We start out with an introduction to this relatively new threat capability, and then discuss how such problems have traditionally bee...
Cmd and Conquer: De-DOSfuscation with flare-qdb
When Daniel Bohannon released his excellent DOSfuscation paper, I was fascinated to see how tricks I used as a systems engineer could help attackers evade detection. I didn’t have much to contribute to this conversation until I had to analyze a hideously obfuscated batch file as part of my job on...
Cmd and Conquer: De-DOSfuscation with flare-qdb
When Daniel Bohannon released his excellent DOSfuscation paper, I was fascinated to see how tricks I used as a systems engineer could help attackers evade detection. I didn’t have much to contribute to this conversation until I had to analyze a hideously obfuscated batch file as part of my job on...
Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign
Introduction FireEye devices detected intrusion attempts against multiple industries, including think tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government, and defense contracting. The attempts involved a phishing email appearing to be from the...
FLARE VM Update
FLARE VM is the first of its kind reverse engineering and malware analysis distribution on Windows platform. Since its introduction in July 2017, FLARE VM has been continuously trusted and used by many reverse engineers, malware analysts, and security researchers as their go-to environment for...
TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers
Overview In a previous blog post we detailed the TRITON intrusion that impacted industrial control systems ICS at a critical infrastructure facility. We now track this activity set as TEMP.Veles. In this blog post we provide additional information linking TEMP.Veles and their activity surrounding...
ICS Tactical Security Trends: Analysis of the Most Frequent Security Risks Observed in the Field
Introduction FireEye iSIGHT Intelligence compiled extensive data from dozens of ICS security health assessment engagements ICS Healthcheck performed by Mandiant, FireEye's consulting team, to identify the most pervasive and highest priority security risks in industrial facilities. The information...
2018 Flare-On Challenge Solutions
We are pleased to announce the conclusion of the fifth annual Flare-On Challenge. The numbers are in and we can safely say that this was by far the most difficult challenge we’ve ever hosted. We plan to reduce the difficulty next year, so it may be that the 114 people who solved this year’s...
FLARE Script Series: Reverse Engineering WebAssembly Modules Using the idawasm IDA Pro Plugin
Introduction This post continues the FireEye Labs Advanced Reverse Engineering FLARE script series. Here, we introduce idawasm, an IDA Pro plugin that provides a loader and processor modules for WebAssembly modules. idawasm works on all operating systems supported by IDA Pro, and can be obtained...
APT38: Details on New North Korean Regime-Backed Threat Group
Today, we are releasing details on the threat group that we believe is responsible for conducting financial crime on behalf of the North Korean regime, stealing millions of dollars from banks worldwide. The group is particularly aggressive; they regularly use destructive malware to render victim...
Increased Use of a Delphi Packer to Evade Malware Classification
Introduction The concept of "packing" or "crypting" a malicious program is widely popular among threat actors looking to bypass or defeat analysis by static and dynamic analysis tools. Evasion of classification and detection is an arms race in which new techniques are traded and used in the wild...
Click It Up: Targeting Local Government Payment Portals
FireEye has been tracking a campaign this year targeting web payment portals that involves on-premise installations of Click2Gov. Click2Gov is a web-based, interactive self-service bill-pay software solution developed by Superion. It includes various modules that allow users to pay bills associat...
Bypassing Antivirus for Your Antivirus Bypass
Chances are you have heard about how easy it can be to evade antivirus. Often, this is because the signatures used by vendors are too simplistic and can be successfully duped without changing the functionality of the malware. Have you ever attempted to evade AV? Is it really that easy? In this bl...
APT10 Targeting Japanese Corporations Using Updated TTPs
Introduction In July 2018, FireEye devices detected and blocked what appears to be APT10 Menupass activity targeting the Japanese media sector. APT10 is a Chinese cyber espionage group that FireEye has tracked since 2009, and they have a history of targeting Japanese entities. In this campaign, t...
Fallout Exploit Kit Used in Malvertising Campaign to Deliver GandCrab Ransomware
Towards the end of August 2018, FireEye identified a new exploit kit EK that was being served up as part of a malvertising campaign affecting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region. The first instance of the campaign was observed on...
Announcing the Fifth Annual Flare-On Challenge
The FireEye Labs Advanced Reverse Engineering FLARE team’s annual reverse engineering challenge will start at 8:00 p.m. ET on Aug. 24, 2018. This is a CTF-style challenge for all active and aspiring reverse engineers, malware analysts, and security professionals. So dust off your disassembler, pu...
BIOS Boots What? Finding Evil in Boot Code at Scale!
Malware continues to take advantage of a legacy component of modern systems designed in the 1980s. Despite the cyber threat landscape continuing to evolve at an ever-increasing pace, the exploitation of the classic BIOS boot process is still very much a threat to enterprises around the world...
BIOS Boots What? Finding Evil in Boot Code at Scale!
The second issue is that reverse engineering all boot records is impractical. Given the job of determining if a single system is infected with a bootkit, a malware analyst could acquire a disk image and then reverse engineer the boot bytes to determine if anything malicious is present in the boot...
On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation
FIN7’s Innovation Enabled their Success Throughout FireEye’s tracking of FIN7 campaigns, the attackers have attempted to stay ahead of the game and thwart detection, using novel tactics and displaying characteristics of a well-resourced operation. For example, in April 2017, FireEye blogged about...
Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign
Campaign Details In September 2017, FireEye identified the FELIXROOT backdoor as a payload in a campaign targeting Ukrainians and reported it to our intelligence customers. The campaign involved malicious Ukrainian bank documents, which contained a macro that downloaded a FELIXROOT payload, being...
How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners
Introduction Cyber criminals tend to favor cryptocurrencies because they provide a certain level of anonymity and can be easily monetized. This interest has increased in recent years, stemming far beyond the desire to simply use cryptocurrencies as a method of payment for illicit tools and...
How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners
Introduction Cyber criminals tend to favor cryptocurrencies because they provide a certain level of anonymity and can be easily monetized. This interest has increased in recent years, stemming far beyond the desire to simply use cryptocurrencies as a method of payment for illicit tools and...
Chinese Espionage Group TEMP.Periscope Targets Cambodia Ahead of July 2018 Elections and Reveals Broad Operations Globally
Introduction FireEye has examined a range of TEMP.Periscope activity revealing extensive interest in Cambodia's politics, with active compromises of multiple Cambodian entities related to the country’s electoral system. This includes compromises of Cambodian government entities charged with...
Malicious PowerShell Detection via Machine Learning
Introduction Cyber security vendors and researchers have reported for years how PowerShell is being used by cyber threat actors to install backdoors, execute malicious code, and otherwise achieve their objectives within enterprises. Security is a cat-and-mouse game between adversaries, researcher...
RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique
Introduction Through FireEye Dynamic Threat Intelligence DTI, we observed RIG Exploit Kit EK delivering a dropper that leverages the PROPagate injection technique to inject code that downloads and executes a Monero miner similar activity has been reported by Trend Micro. Apart from leveraging a...
RIG Exploit Kit Delivering Monero Miner Via PROPagate Injection Technique
Introduction Through FireEye Dynamic Threat Intelligence DTI, we observed RIG Exploit Kit EK delivering a dropper that leverages the PROPagate injection technique to inject code that downloads and executes a Monero miner similar activity has been reported by Trend Micro. Apart from leveraging a...
Bring Your Own Land (BYOL) – A Novel Red Teaming Technique
Introduction One of most significant recent developments in sophisticated offensive operations is the use of “Living off the Land” LotL techniques by attackers. These techniques leverage legitimate tools present on the system, such as the PowerShell scripting language, in order to execute attacks...
A Totally Tubular Treatise on TRITON and TriStation
Introduction In December 2017, FireEye's Mandiant discussed an incident response involving the TRITON framework. The TRITON attack and many of the publicly discussed ICS intrusions involved routine techniques where the threat actors used only what is necessary to succeed in their mission. For bot...
Reverse Engineering the Analyst: Building Machine Learning Models for the SOC
Many cyber incidents can be traced back to an original alert that was either missed or ignored by the Security Operations Center SOC or Incident Response IR team. While most analysts and SOCs are vigilant and responsive, the fact is they are often overwhelmed with alerts. If a SOC is unable to...
Remote Authentication GeoFeasibility Tool - GeoLogonalyzer
Users have long needed to access important resources such as virtual private networks VPNs, web applications, and mail servers from anywhere in the world at any time. While the ability to access resources from anywhere is imperative for employees, threat actors often leverage stolen credentials t...
Remote Authentication GeoFeasibility Tool - GeoLogonalyzer
Users have long needed to access important resources such as virtual private networks VPNs, web applications, and mail servers from anywhere in the world at any time. While the ability to access resources from anywhere is imperative for employees, threat actors often leverage stolen credentials t...
Shining a Light on OAuth Abuse with PwnAuth
Introduction Spear phishing attacks are seen as one of the biggest cyber threats to an organization. It only takes one employee to enter their credentials or run some malware for an entire organization to become compromised. As such, companies devote significant resources to preventing credential...
A Deep Dive Into RIG Exploit Kit Delivering Grobios Trojan
As discussed in previous blogs, exploit kit activity has been on the decline since the latter half of 2016. However, we do still periodically observe significant developments in this space, and we have been observing interesting ongoing activity involving RIG Exploit Kit EK. Although the volume o...
Rooting a Logitech Harmony Hub: Improving Security in Today's IoT World
Introduction FireEye’s Mandiant Red Team recently discovered vulnerabilities present on the Logitech Harmony Hub Internet of Things IoT device that could potentially be exploited, resulting in root access to the device via SSH. The Harmony Hub is a home control system designed to connect to and...
Establishing a Baseline for Remote Desktop Protocol
For IT staff and Windows power users, Microsoft Terminal Services Remote Desktop Protocol RDP is a beneficial tool that allows for the interactive.aspx use or administration of a remote Windows system. However, Mandiant consultants have also observed threat actors using RDP, with compromised doma...
Metamorfo Campaigns Targeting Brazilian Users
FireEye Labs recently identified several widespread malspam malware spam campaigns targeting Brazilian companies with the goal of delivering banking Trojans. We are referring to these campaigns as Metamorfo. Across the stages of these campaigns, we have observed the use of several tactics and...
Metamorfo Campaigns Targeting Brazilian Users
FireEye Labs recently identified several widespread malspam malware spam campaigns targeting Brazilian companies with the goal of delivering banking Trojans. We are referring to these campaigns as Metamorfo. Across the stages of these campaigns, we have observed the use of several tactics and...
Loading Kernel Shellcode
In the wake of recent hacking tool dumps, the FLARE team saw a spike in malware samples detonating kernel shellcode. Although most samples can be analyzed statically, the FLARE team sometimes debugs these samples to confirm specific functionality. Debugging can be an efficient way to get around...
Loading Kernel Shellcode
In the wake of recent hacking tool dumps, the FLARE team saw a spike in malware samples detonating kernel shellcode. Although most samples can be analyzed statically, the FLARE team sometimes debugs these samples to confirm specific functionality. Debugging can be an efficient way to get around...
How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: Blockchain Infrastructure Use
UPDATE May 31, 2018: A section of the post on commonly used OpenNIC IPs has been removed to avoid any implication that the OpenNIC IPs are inherently malicious, which is not the case. Introduction Cyber criminals have always been attracted to cryptocurrencies because it provides a certain level o...
Solving Ad-hoc Problems with Hex-Rays API
Introduction IDA Pro is the de facto standard when it comes to binary reverse engineering. Besides being a great disassembler and debugger, it is possible to extend it and include a powerful decompiler by purchasing an additional license from Hex-Rays. The ability to switch between disassembled a...
Solving Ad-hoc Problems with Hex-Rays API
Introduction IDA Pro is the de facto standard when it comes to binary reverse engineering. Besides being a great disassembler and debugger, it is possible to extend it and include a powerful decompiler by purchasing an additional license from Hex-Rays. The ability to switch between disassembled a...
Fake Software Update Abuses NetSupport Remote Access Tool
Over the last few months, FireEye has tracked an in-the-wild campaign that leverages compromised sites to spread fake updates. In some cases, the payload was the NetSupport Manager remote access tool RAT. NetSupport Manager is a commercially available RAT that can be used legitimately by system...
Fake Software Update Abuses NetSupport Remote Access Tool
Over the last few months, FireEye has tracked an in-the-wild campaign that leverages compromised sites to spread fake updates. In some cases, the payload was the NetSupport Manager remote access tool RAT. NetSupport Manager is a commercially available RAT that can be used legitimately by system...
M-Trends 2018
What have incident responders observed and learned from cyber attacks in 2017? Just as in prior years, we have continued to see the cyber security threat landscape evolve. Over the past twelve months we have observed a number of new trends and changes to attacks, but we have also seen how certain...
SANNY Malware Delivery Method Updated in Recently Observed Attacks
Introduction In the third week of March 2018, through FireEye’s Dynamic Threat Intelligence, FireEye discovered malicious macro-based Microsoft Word documents distributing SANNY malware to multiple governments worldwide. Each malicious document lure was crafted in regard to relevant regional...
SANNY Malware Delivery Method Updated in Recently Observed Attacks
Introduction In the third week of March 2018, through FireEye’s Dynamic Threat Intelligence, FireEye discovered malicious macro-based Microsoft Word documents distributing SANNY malware to multiple governments worldwide. Each malicious document lure was crafted in regard to relevant regional...
DOSfuscation: Exploring the Depths of Cmd.exe Obfuscation and Detection Techniques
Skilled attackers continually seek out new attack vectors, while employing evasion techniques to maintain the effectiveness of old vectors, in an ever-changing defensive landscape. Many of these threat actors employ obfuscation frameworks for common scripting languages such as JavaScript and...