Lucene search
+L
FireeyeRecent

545 matches found

FireEye
FireEye
added 2017/08/22 10:0 a.m.234 views

Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit

Exploit kit EK activity has been on the decline ever since Angler Exploit Kit was shut down in 2016. Fewer people using Internet Explorer and a drop in browser support for Adobe Flash – two primary targets of many exploit kits – have also contributed to this decline. Additionally, some popular...

9.3CVSS9AI score0.94996EPSS
Exploits50
FireEye
FireEye
added 2017/08/22 10:0 a.m.334 views

Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit

Exploit kit EK activity has been on the decline ever since Angler Exploit Kit was shut down in 2016. Fewer people using Internet Explorer and a drop in browser support for Adobe Flash – two primary targets of many exploit kits – have also contributed to this decline. Additionally, some popular...

9.3CVSS9AI score0.94996EPSS
Exploits50
FireEye
FireEye
added 2017/08/11 9:0 a.m.23 views

APT28 Targets Hospitality Sector, Presents Threat to Travelers

FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28. We believe this activity, which dates back to at least July 2017, was intended to target travelers to hotels throughout Europe and the Middle East. The actor has used several...

7.5AI score
Exploits0
FireEye
FireEye
added 2017/08/11 9:0 a.m.22 views

APT28 Targets Hospitality Sector, Presents Threat to Travelers

FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28. We believe this activity, which dates back to at least July 2017, was intended to target travelers to hotels throughout Europe and the Middle East. The actor has used several...

0.3AI score
Exploits0
FireEye
FireEye
added 2017/07/27 8:0 p.m.29 views

Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science

Many attackers continue to leverage PowerShell as a part of their malware ecosystem, mostly delivered and executed by malicious binaries and documents. Of malware that uses PowerShell, the most prevalent use is the garden-variety stager: an executable or document macro that launches PowerShell to...

1.2AI score
Exploits0
FireEye
FireEye
added 2017/07/27 8:0 p.m.24 views

Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science

Many attackers continue to leverage PowerShell as a part of their malware ecosystem, mostly delivered and executed by malicious binaries and documents. Of malware that uses PowerShell, the most prevalent use is the garden-variety stager: an executable or document macro that launches PowerShell to...

6.8AI score
Exploits0
FireEye
FireEye
added 2017/07/26 12:31 p.m.92 views

FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed!

As a reverse engineer on the FLARE Team I rely on a customized Virtual Machine VM to perform malware analysis. The Virtual Machine is a Windows installation with numerous tweaks and tools to aid my analysis. Unfortunately trying to maintain a custom VM like this is very laborious: tools frequentl...

7.1AI score
Exploits0
FireEye
FireEye
added 2017/07/26 12:31 p.m.81 views

FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed!

UPDATE 2 Nov. 14, 2018: FLARE VM now has a new installation, upgrade, and uninstallation process, and also includes many new tools such as IDA 7.0, radare and YARA. UPDATE April 26, 2018: The web installer method to deploy FLARE VM is now deprecated. Please refer to the README on the FLARE VM...

6.8AI score
Exploits0
FireEye
FireEye
added 2017/07/25 5:0 p.m.73 views

HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign

A wide variety of threat actors began distributing HawkEye malware through high-volume email campaigns after it became available for purchase via a public-facing website. The actors behind the phishing campaigns typically used email themes based on current events and media reports that would piqu...

7.3AI score
Exploits0References2
FireEye
FireEye
added 2017/07/25 1:0 p.m.53 views

HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign

A wide variety of threat actors began distributing HawkEye malware through high-volume email campaigns after it became available for purchase via a public-facing website. The actors behind the phishing campaigns typically used email themes based on current events and media reports that would piqu...

0.2AI score
Exploits0
FireEye
FireEye
added 2017/07/25 1:0 p.m.17 views

HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign

A wide variety of threat actors began distributing HawkEye malware through high-volume email campaigns after it became available for purchase via a public-facing website. The actors behind the phishing campaigns typically used email themes based on current events and media reports that would piqu...

7.3AI score
Exploits0
FireEye
FireEye
added 2017/07/05 3:0 p.m.16 views

Introducing Linux Support for FakeNet-NG: FLARE’s Next Generation Dynamic Network Analysis Tool

Introduction In 2016, FLARE introduced FakeNet-NG, an open-source network analysis tool written in Python. FakeNet-NG allows security analysts to observe and interact with network applications using standard or custom protocols on a single Windows host, which is especially useful for malware...

6.6AI score
Exploits0References3
FireEye
FireEye
added 2017/07/05 11:0 a.m.32 views

Introducing Linux Support for FakeNet-NG: FLARE’s Next Generation Dynamic Network Analysis Tool

Introduction In 2016, FLARE introduced FakeNet-NG, an open-source network analysis tool written in Python. FakeNet-NG allows security analysts to observe and interact with network applications using standard or custom protocols on a single Windows host, which is especially useful for malware...

6.6AI score
Exploits0
FireEye
FireEye
added 2017/07/05 11:0 a.m.37 views

Introducing Linux Support for FakeNet-NG: FLARE’s Next Generation Dynamic Network Analysis Tool

Introduction In 2016, FLARE introduced FakeNet-NG, an open-source network analysis tool written in Python. FakeNet-NG allows security analysts to observe and interact with network applications using standard or custom protocols on a single Windows host, which is especially useful for malware...

7.2AI score
Exploits0
FireEye
FireEye
added 2017/06/30 7:0 p.m.20 views

Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques

Throughout 2017 we have observed a marked increase in the use of command line evasion and obfuscation by a range of targeted attackers. Cyber espionage groups and financial threat actors continue to adopt the latest cutting-edge application whitelisting bypass techniques and introduce innovative...

0.7AI score
Exploits0
FireEye
FireEye
added 2017/06/30 7:0 p.m.25 views

Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques

Throughout 2017 we have observed a marked increase in the use of command line evasion and obfuscation by a range of targeted attackers. Cyber espionage groups and financial threat actors continue to adopt the latest cutting-edge application whitelisting bypass techniques and introduce innovative...

7.2AI score
Exploits0
FireEye
FireEye
added 2017/06/29 12:30 p.m.79 views

Back That App Up: Gaining Root on the Lenovo Vibe

In May of 2016, Mandiant’s Red Team discovered a series of vulnerabilities present on Lenovo’s Vibe P1 Android-based mobile device that allow local privilege escalation to the user “root”. Mandiant disclosed these vulnerabilities to Lenovo in May of 2016. Lenovo advised Mandiant that it should wo...

7.2CVSS0.00165EPSS
Exploits0
FireEye
FireEye
added 2017/06/29 12:30 p.m.93 views

Back That App Up: Gaining Root on the Lenovo Vibe

In May of 2016, Mandiant’s Red Team discovered a series of vulnerabilities present on Lenovo’s Vibe P1 Android-based mobile device that allow local privilege escalation to the user “root”. Mandiant disclosed these vulnerabilities to Lenovo in May of 2016. Lenovo advised Mandiant that it should wo...

7.2CVSS7.9AI score0.00165EPSS
Exploits0
FireEye
FireEye
added 2017/06/27 5:30 p.m.717 views

Petya Destructive Malware Variant Spreading via Stolen Credentials and EternalBlue Exploit

UPDATE July 21: FireEye continues to track this threat. An earlier version of this post has been updated to reflect new findings. On June 27, 2017, multiple organizations – many in Europe – reported significant disruptions they are attributing to a variant of the Petya ransomware, which we are...

9.3CVSS8AI score0.99933EPSS
Exploits29
FireEye
FireEye
added 2017/06/27 5:30 p.m.1464 views

Petya Destructive Malware Variant Spreading via Stolen Credentials and EternalBlue Exploit

UPDATE July 21: FireEye continues to track this threat. An earlier version of this post has been updated to reflect new findings. On June 27, 2017, multiple organizations – many in Europe – reported significant disruptions they are attributing to a variant of the Petya ransomware, which we are...

9.3CVSS7.9AI score0.99933EPSS
Exploits29
FireEye
FireEye
added 2017/06/21 12:0 p.m.19 views

Remote Symbol Resolution

Introduction The following blog discusses a couple of common techniques that malware uses to obscure its access to the Windows API. In both forms examined, analysts must calculate the API start address and resolve the symbol from the runtime process in order to determine functionality. After...

7.2AI score
Exploits0References2
FireEye
FireEye
added 2017/06/21 8:0 a.m.10 views

Remote Symbol Resolution

Introduction The following blog discusses a couple of common techniques that malware uses to obscure its access to the Windows API. In both forms examined, analysts must calculate the API start address and resolve the symbol from the runtime process in order to determine functionality. After...

7.2AI score
Exploits0
FireEye
FireEye
added 2017/06/21 8:0 a.m.10 views

Remote Symbol Resolution

Introduction The following blog discusses a couple of common techniques that malware uses to obscure its access to the Windows API. In both forms examined, analysts must calculate the API start address and resolve the symbol from the runtime process in order to determine functionality. After...

6.9AI score
Exploits0
FireEye
FireEye
added 2017/06/16 8:0 a.m.24 views

FIN10: Anatomy of a Cyber Extortion Operation

FireEye has identified a set of financially motivated intrusion operations being carried out by a threat actor we have dubbed FIN10. FIN10 is known for compromising networks, stealing sensitive data, and directly engaging victim executives and board members in an attempt to extort them into payin...

3.3AI score
Exploits0
FireEye
FireEye
added 2017/06/16 8:0 a.m.20 views

FIN10: Anatomy of a Cyber Extortion Operation

FireEye has identified a set of financially motivated intrusion operations being carried out by a threat actor we have dubbed FIN10. FIN10 is known for compromising networks, stealing sensitive data, and directly engaging victim executives and board members in an attempt to extort them into payin...

6.9AI score
Exploits0
FireEye
FireEye
added 2017/06/12 11:0 a.m.29 views

Behind the CARBANAK Backdoor

In this blog, we will take a closer look at the powerful, versatile backdoor known as CARBANAK aka Anunak. Specifically, we will focus on the operational details of its use over the past few years, including its configuration, the minor variations observed from sample to sample, and its evolution...

7.6AI score
Exploits0
FireEye
FireEye
added 2017/06/12 11:0 a.m.27 views

Behind the CARBANAK Backdoor

In this blog, we will take a closer look at the powerful, versatile backdoor known as CARBANAK aka Anunak. Specifically, we will focus on the operational details of its use over the past few years, including its configuration, the minor variations observed from sample to sample, and its evolution...

0.3AI score
Exploits0
FireEye
FireEye
added 2017/06/06 6:30 p.m.237 views

Privileges and Credentials: Phished at the Request of Counsel

Summary In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government. APT19 used three...

9.3CVSS6.8AI score0.99933EPSS
Exploits29
FireEye
FireEye
added 2017/06/06 6:30 p.m.1248 views

Privileges and Credentials: Phished at the Request of Counsel

Summary In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government. APT19 used three...

9.3CVSS6.8AI score0.99933EPSS
Exploits29
FireEye
FireEye
added 2017/06/02 1:0 p.m.46 views

Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads

The “EternalBlue” exploit MS017-010 was initially used by WannaCry ransomware and Adylkuzz cryptocurrency miner. Now more threat actors are leveraging the vulnerability in Microsoft Server Message Block SMB protocol – this time to distribute Backdoor.Nitol and Trojan Gh0st RAT. FireEye Dynamic...

9.3CVSS9.7AI score0.94996EPSS
Exploits39References6
FireEye
FireEye
added 2017/06/02 9:0 a.m.117 views

Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads

The “EternalBlue” exploit MS017-010 was initially used by WannaCry ransomware and Adylkuzz cryptocurrency miner. Now more threat actors are leveraging the vulnerability in Microsoft Server Message Block SMB protocol – this time to distribute Backdoor.Nitol and Trojan Gh0st RAT. FireEye Dynamic...

9.3CVSS9.7AI score0.94996EPSS
Exploits39
FireEye
FireEye
added 2017/06/02 9:0 a.m.150 views

Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads

The “EternalBlue” exploit MS017-010 was initially used by WannaCry ransomware and Adylkuzz cryptocurrency miner. Now more threat actors are leveraging the vulnerability in Microsoft Server Message Block SMB protocol – this time to distribute Backdoor.Nitol and Trojan Gh0st RAT. FireEye Dynamic...

9.3CVSS1.3AI score0.94996EPSS
Exploits39
FireEye
FireEye
added 2017/05/26 11:0 a.m.46 views

SMB Exploited: WannaCry Use of "EternalBlue"

Server Message Block SMB is the transport protocol used by Windows machines for a wide variety of purposes such as file sharing, printer sharing, and access to remote Windows services. SMB operates over TCP ports 139 and 445. In April 2017, Shadow Brokers released an SMB vulnerability named...

0.2AI score
Exploits0
FireEye
FireEye
added 2017/05/26 11:0 a.m.30 views

SMB Exploited: WannaCry Use of EternalBlue

Server Message Block SMB is the transport protocol used by Windows machines for a wide variety of purposes such as file sharing, printer sharing, and access to remote Windows services. SMB operates over TCP ports 139 and 445. In April 2017, Shadow Brokers released an SMB vulnerability named...

7.2AI score
Exploits0
FireEye
FireEye
added 2017/05/23 1:30 p.m.49 views

WannaCry Malware Profile

WannaCry also known as WCry or WanaCryptor malware is a self-propagating worm-like ransomware that spreads through internal networks and over the public internet by exploiting a vulnerability in Microsoft’s Server Message Block SMB protocol, MS17-010. The WannaCry malware consists of two distinct...

Exploits0
FireEye
FireEye
added 2017/05/23 1:30 p.m.33 views

WannaCry Malware Profile

WannaCry also known as WCry or WanaCryptor malware is a self-propagating worm-like ransomware that spreads through internal networks and over the public internet by exploiting a vulnerability in Microsoft’s Server Message Block SMB protocol, MS17-010. The WannaCry malware consists of two distinct...

7.6AI score
Exploits0
FireEye
FireEye
added 2017/05/14 6:0 p.m.370 views

Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations

Cyber espionage actors, now designated by FireEye as APT32 OceanLotus Group, are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of...

7.2CVSS8.4AI score0.80968EPSS
Exploits24
FireEye
FireEye
added 2017/05/14 6:0 p.m.391 views

Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations

Cyber espionage actors, now designated by FireEye as APT32 OceanLotus Group, are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of...

7.2CVSS8.2AI score0.80968EPSS
Exploits24
FireEye
FireEye
added 2017/05/09 1:0 p.m.750 views

EPS Processing Zero-Days Exploited by Multiple Threat Actors

In 2015, FireEye published details about two attacks exploiting vulnerabilities in Encapsulated PostScript EPS of Microsoft Office. One was a zero-day and one was patched weeks before the attack launched. Recently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products...

9.3CVSS8.5AI score0.99933EPSS
Exploits57
FireEye
FireEye
added 2017/05/09 1:0 p.m.961 views

EPS Processing Zero-Days Exploited by Multiple Threat Actors

In 2015, FireEye published details about two attacks exploiting vulnerabilities in Encapsulated PostScript EPS of Microsoft Office. One was a zero-day and one was patched weeks before the attack launched. Recently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products...

9.3CVSS8.7AI score0.99933EPSS
Exploits57
FireEye
FireEye
added 2017/05/04 4:30 p.m.14 views

Dridex and Locky Return Via PDF Attachments in Latest Campaigns

Dridex and Locky, two prolific malware families that made waves in 2016 after being distributed in several high-volume spam campaigns, have returned after a brief hiatus. FireEye observed a decline in the volume of Dridex and Locky in the latter half of 2016, but we recently observed two new larg...

7.3AI score
Exploits0References2
FireEye
FireEye
added 2017/05/04 12:30 p.m.42 views

Dridex and Locky Return Via PDF Attachments in Latest Campaigns

Dridex and Locky, two prolific malware families that made waves in 2016 after being distributed in several high-volume spam campaigns, have returned after a brief hiatus. FireEye observed a decline in the volume of Dridex and Locky in the latter half of 2016, but we recently observed two new larg...

0.4AI score
Exploits0
FireEye
FireEye
added 2017/05/04 12:30 p.m.57 views

Dridex and Locky Return Via PDF Attachments in Latest Campaigns

Dridex and Locky, two prolific malware families that made waves in 2016 after being distributed in several high-volume spam campaigns, have returned after a brief hiatus. FireEye observed a decline in the volume of Dridex and Locky in the latter half of 2016, but we recently observed two new larg...

7.3AI score
Exploits0
FireEye
FireEye
added 2017/05/03 4:30 p.m.10 views

To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence

In 2017, Mandiant responded to multiple incidents we attribute to FIN7, a financially motivated threat group associated with malicious operations dating back to 2015. Throughout the various environments, FIN7 leveraged the CARBANAK backdoor, which this group has used in previous operations. A...

0.4AI score
Exploits0
FireEye
FireEye
added 2017/05/03 4:30 p.m.20 views

To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence

In 2017, Mandiant responded to multiple incidents we attribute to FIN7, a financially motivated threat group associated with malicious operations dating back to 2015. Throughout the various environments, FIN7 leveraged the CARBANAK backdoor, which this group has used in previous operations. A...

7.2AI score
Exploits0
FireEye
FireEye
added 2017/04/26 8:0 a.m.18 views

Evolving Analytics for Execution Trace Data

Five years ago, Mandiant released a proof of concept tool named ShimCacheParser, along with a blog post titled “Leveraging the Application Compatibility Cache in Forensic Investigations”. Since then, ShimCache metadata has become increasingly popular as a source of forensic evidence, both for...

0.6AI score
Exploits0
FireEye
FireEye
added 2017/04/26 8:0 a.m.27 views

Evolving Analytics for Execution Trace Data

Five years ago, Mandiant released a proof of concept tool named ShimCacheParser, along with a blog post titled “Leveraging the Application Compatibility Cache in Forensic Investigations”. Since then, ShimCache metadata has become increasingly popular as a source of forensic evidence, both for...

7AI score
Exploits0
FireEye
FireEye
added 2017/04/24 10:30 a.m.40 views

FIN7 Evolution and the Phishing LNK

FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as “Carbanak Group”, although we do not equate all usage of the CARBANAK backdoor with FIN7. FireEye recently observed a FIN7 spear phishin...

0.2AI score
Exploits0
FireEye
FireEye
added 2017/04/24 10:30 a.m.21 views

FIN7 Evolution and the Phishing LNK

FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as “Carbanak Group”, although we do not equate all usage of the CARBANAK backdoor with FIN7. FireEye recently observed a FIN7 spear phishin...

6.9AI score
Exploits0
FireEye
FireEye
added 2017/04/17 12:30 p.m.16 views

Writing a libemu/Unicorn Compatability Layer

In this post we are going to take a quick look at what it takes to write a libemu compatibility layer for the Unicorn engine. In the course of this work, we will also import the libemu Win32 environment to run under Unicorn. For a bit of background, libemu is a lightweight x86 emulator written in...

6.8AI score
Exploits0References1
Total number of security vulnerabilities545