545 matches found
Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit
Exploit kit EK activity has been on the decline ever since Angler Exploit Kit was shut down in 2016. Fewer people using Internet Explorer and a drop in browser support for Adobe Flash – two primary targets of many exploit kits – have also contributed to this decline. Additionally, some popular...
Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit
Exploit kit EK activity has been on the decline ever since Angler Exploit Kit was shut down in 2016. Fewer people using Internet Explorer and a drop in browser support for Adobe Flash – two primary targets of many exploit kits – have also contributed to this decline. Additionally, some popular...
APT28 Targets Hospitality Sector, Presents Threat to Travelers
FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28. We believe this activity, which dates back to at least July 2017, was intended to target travelers to hotels throughout Europe and the Middle East. The actor has used several...
APT28 Targets Hospitality Sector, Presents Threat to Travelers
FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28. We believe this activity, which dates back to at least July 2017, was intended to target travelers to hotels throughout Europe and the Middle East. The actor has used several...
Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science
Many attackers continue to leverage PowerShell as a part of their malware ecosystem, mostly delivered and executed by malicious binaries and documents. Of malware that uses PowerShell, the most prevalent use is the garden-variety stager: an executable or document macro that launches PowerShell to...
Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science
Many attackers continue to leverage PowerShell as a part of their malware ecosystem, mostly delivered and executed by malicious binaries and documents. Of malware that uses PowerShell, the most prevalent use is the garden-variety stager: an executable or document macro that launches PowerShell to...
FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed!
As a reverse engineer on the FLARE Team I rely on a customized Virtual Machine VM to perform malware analysis. The Virtual Machine is a Windows installation with numerous tweaks and tools to aid my analysis. Unfortunately trying to maintain a custom VM like this is very laborious: tools frequentl...
FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed!
UPDATE 2 Nov. 14, 2018: FLARE VM now has a new installation, upgrade, and uninstallation process, and also includes many new tools such as IDA 7.0, radare and YARA. UPDATE April 26, 2018: The web installer method to deploy FLARE VM is now deprecated. Please refer to the README on the FLARE VM...
HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign
A wide variety of threat actors began distributing HawkEye malware through high-volume email campaigns after it became available for purchase via a public-facing website. The actors behind the phishing campaigns typically used email themes based on current events and media reports that would piqu...
HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign
A wide variety of threat actors began distributing HawkEye malware through high-volume email campaigns after it became available for purchase via a public-facing website. The actors behind the phishing campaigns typically used email themes based on current events and media reports that would piqu...
HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign
A wide variety of threat actors began distributing HawkEye malware through high-volume email campaigns after it became available for purchase via a public-facing website. The actors behind the phishing campaigns typically used email themes based on current events and media reports that would piqu...
Introducing Linux Support for FakeNet-NG: FLARE’s Next Generation Dynamic Network Analysis Tool
Introduction In 2016, FLARE introduced FakeNet-NG, an open-source network analysis tool written in Python. FakeNet-NG allows security analysts to observe and interact with network applications using standard or custom protocols on a single Windows host, which is especially useful for malware...
Introducing Linux Support for FakeNet-NG: FLARE’s Next Generation Dynamic Network Analysis Tool
Introduction In 2016, FLARE introduced FakeNet-NG, an open-source network analysis tool written in Python. FakeNet-NG allows security analysts to observe and interact with network applications using standard or custom protocols on a single Windows host, which is especially useful for malware...
Introducing Linux Support for FakeNet-NG: FLARE’s Next Generation Dynamic Network Analysis Tool
Introduction In 2016, FLARE introduced FakeNet-NG, an open-source network analysis tool written in Python. FakeNet-NG allows security analysts to observe and interact with network applications using standard or custom protocols on a single Windows host, which is especially useful for malware...
Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques
Throughout 2017 we have observed a marked increase in the use of command line evasion and obfuscation by a range of targeted attackers. Cyber espionage groups and financial threat actors continue to adopt the latest cutting-edge application whitelisting bypass techniques and introduce innovative...
Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques
Throughout 2017 we have observed a marked increase in the use of command line evasion and obfuscation by a range of targeted attackers. Cyber espionage groups and financial threat actors continue to adopt the latest cutting-edge application whitelisting bypass techniques and introduce innovative...
Back That App Up: Gaining Root on the Lenovo Vibe
In May of 2016, Mandiant’s Red Team discovered a series of vulnerabilities present on Lenovo’s Vibe P1 Android-based mobile device that allow local privilege escalation to the user “root”. Mandiant disclosed these vulnerabilities to Lenovo in May of 2016. Lenovo advised Mandiant that it should wo...
Back That App Up: Gaining Root on the Lenovo Vibe
In May of 2016, Mandiant’s Red Team discovered a series of vulnerabilities present on Lenovo’s Vibe P1 Android-based mobile device that allow local privilege escalation to the user “root”. Mandiant disclosed these vulnerabilities to Lenovo in May of 2016. Lenovo advised Mandiant that it should wo...
Petya Destructive Malware Variant Spreading via Stolen Credentials and EternalBlue Exploit
UPDATE July 21: FireEye continues to track this threat. An earlier version of this post has been updated to reflect new findings. On June 27, 2017, multiple organizations – many in Europe – reported significant disruptions they are attributing to a variant of the Petya ransomware, which we are...
Petya Destructive Malware Variant Spreading via Stolen Credentials and EternalBlue Exploit
UPDATE July 21: FireEye continues to track this threat. An earlier version of this post has been updated to reflect new findings. On June 27, 2017, multiple organizations – many in Europe – reported significant disruptions they are attributing to a variant of the Petya ransomware, which we are...
Remote Symbol Resolution
Introduction The following blog discusses a couple of common techniques that malware uses to obscure its access to the Windows API. In both forms examined, analysts must calculate the API start address and resolve the symbol from the runtime process in order to determine functionality. After...
Remote Symbol Resolution
Introduction The following blog discusses a couple of common techniques that malware uses to obscure its access to the Windows API. In both forms examined, analysts must calculate the API start address and resolve the symbol from the runtime process in order to determine functionality. After...
Remote Symbol Resolution
Introduction The following blog discusses a couple of common techniques that malware uses to obscure its access to the Windows API. In both forms examined, analysts must calculate the API start address and resolve the symbol from the runtime process in order to determine functionality. After...
FIN10: Anatomy of a Cyber Extortion Operation
FireEye has identified a set of financially motivated intrusion operations being carried out by a threat actor we have dubbed FIN10. FIN10 is known for compromising networks, stealing sensitive data, and directly engaging victim executives and board members in an attempt to extort them into payin...
FIN10: Anatomy of a Cyber Extortion Operation
FireEye has identified a set of financially motivated intrusion operations being carried out by a threat actor we have dubbed FIN10. FIN10 is known for compromising networks, stealing sensitive data, and directly engaging victim executives and board members in an attempt to extort them into payin...
Behind the CARBANAK Backdoor
In this blog, we will take a closer look at the powerful, versatile backdoor known as CARBANAK aka Anunak. Specifically, we will focus on the operational details of its use over the past few years, including its configuration, the minor variations observed from sample to sample, and its evolution...
Behind the CARBANAK Backdoor
In this blog, we will take a closer look at the powerful, versatile backdoor known as CARBANAK aka Anunak. Specifically, we will focus on the operational details of its use over the past few years, including its configuration, the minor variations observed from sample to sample, and its evolution...
Privileges and Credentials: Phished at the Request of Counsel
Summary In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government. APT19 used three...
Privileges and Credentials: Phished at the Request of Counsel
Summary In May and June 2017, FireEye observed a phishing campaign targeting at least seven global law and investment firms. We have associated this campaign with APT19, a group that we assess is composed of freelancers, with some degree of sponsorship by the Chinese government. APT19 used three...
Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads
The “EternalBlue” exploit MS017-010 was initially used by WannaCry ransomware and Adylkuzz cryptocurrency miner. Now more threat actors are leveraging the vulnerability in Microsoft Server Message Block SMB protocol – this time to distribute Backdoor.Nitol and Trojan Gh0st RAT. FireEye Dynamic...
Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads
The “EternalBlue” exploit MS017-010 was initially used by WannaCry ransomware and Adylkuzz cryptocurrency miner. Now more threat actors are leveraging the vulnerability in Microsoft Server Message Block SMB protocol – this time to distribute Backdoor.Nitol and Trojan Gh0st RAT. FireEye Dynamic...
Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads
The “EternalBlue” exploit MS017-010 was initially used by WannaCry ransomware and Adylkuzz cryptocurrency miner. Now more threat actors are leveraging the vulnerability in Microsoft Server Message Block SMB protocol – this time to distribute Backdoor.Nitol and Trojan Gh0st RAT. FireEye Dynamic...
SMB Exploited: WannaCry Use of "EternalBlue"
Server Message Block SMB is the transport protocol used by Windows machines for a wide variety of purposes such as file sharing, printer sharing, and access to remote Windows services. SMB operates over TCP ports 139 and 445. In April 2017, Shadow Brokers released an SMB vulnerability named...
SMB Exploited: WannaCry Use of EternalBlue
Server Message Block SMB is the transport protocol used by Windows machines for a wide variety of purposes such as file sharing, printer sharing, and access to remote Windows services. SMB operates over TCP ports 139 and 445. In April 2017, Shadow Brokers released an SMB vulnerability named...
WannaCry Malware Profile
WannaCry also known as WCry or WanaCryptor malware is a self-propagating worm-like ransomware that spreads through internal networks and over the public internet by exploiting a vulnerability in Microsoft’s Server Message Block SMB protocol, MS17-010. The WannaCry malware consists of two distinct...
WannaCry Malware Profile
WannaCry also known as WCry or WanaCryptor malware is a self-propagating worm-like ransomware that spreads through internal networks and over the public internet by exploiting a vulnerability in Microsoft’s Server Message Block SMB protocol, MS17-010. The WannaCry malware consists of two distinct...
Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations
Cyber espionage actors, now designated by FireEye as APT32 OceanLotus Group, are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of...
Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations
Cyber espionage actors, now designated by FireEye as APT32 OceanLotus Group, are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of...
EPS Processing Zero-Days Exploited by Multiple Threat Actors
In 2015, FireEye published details about two attacks exploiting vulnerabilities in Encapsulated PostScript EPS of Microsoft Office. One was a zero-day and one was patched weeks before the attack launched. Recently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products...
EPS Processing Zero-Days Exploited by Multiple Threat Actors
In 2015, FireEye published details about two attacks exploiting vulnerabilities in Encapsulated PostScript EPS of Microsoft Office. One was a zero-day and one was patched weeks before the attack launched. Recently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products...
Dridex and Locky Return Via PDF Attachments in Latest Campaigns
Dridex and Locky, two prolific malware families that made waves in 2016 after being distributed in several high-volume spam campaigns, have returned after a brief hiatus. FireEye observed a decline in the volume of Dridex and Locky in the latter half of 2016, but we recently observed two new larg...
Dridex and Locky Return Via PDF Attachments in Latest Campaigns
Dridex and Locky, two prolific malware families that made waves in 2016 after being distributed in several high-volume spam campaigns, have returned after a brief hiatus. FireEye observed a decline in the volume of Dridex and Locky in the latter half of 2016, but we recently observed two new larg...
Dridex and Locky Return Via PDF Attachments in Latest Campaigns
Dridex and Locky, two prolific malware families that made waves in 2016 after being distributed in several high-volume spam campaigns, have returned after a brief hiatus. FireEye observed a decline in the volume of Dridex and Locky in the latter half of 2016, but we recently observed two new larg...
To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence
In 2017, Mandiant responded to multiple incidents we attribute to FIN7, a financially motivated threat group associated with malicious operations dating back to 2015. Throughout the various environments, FIN7 leveraged the CARBANAK backdoor, which this group has used in previous operations. A...
To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence
In 2017, Mandiant responded to multiple incidents we attribute to FIN7, a financially motivated threat group associated with malicious operations dating back to 2015. Throughout the various environments, FIN7 leveraged the CARBANAK backdoor, which this group has used in previous operations. A...
Evolving Analytics for Execution Trace Data
Five years ago, Mandiant released a proof of concept tool named ShimCacheParser, along with a blog post titled “Leveraging the Application Compatibility Cache in Forensic Investigations”. Since then, ShimCache metadata has become increasingly popular as a source of forensic evidence, both for...
Evolving Analytics for Execution Trace Data
Five years ago, Mandiant released a proof of concept tool named ShimCacheParser, along with a blog post titled “Leveraging the Application Compatibility Cache in Forensic Investigations”. Since then, ShimCache metadata has become increasingly popular as a source of forensic evidence, both for...
FIN7 Evolution and the Phishing LNK
FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as “Carbanak Group”, although we do not equate all usage of the CARBANAK backdoor with FIN7. FireEye recently observed a FIN7 spear phishin...
FIN7 Evolution and the Phishing LNK
FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as “Carbanak Group”, although we do not equate all usage of the CARBANAK backdoor with FIN7. FireEye recently observed a FIN7 spear phishin...
Writing a libemu/Unicorn Compatability Layer
In this post we are going to take a quick look at what it takes to write a libemu compatibility layer for the Unicorn engine. In the course of this work, we will also import the libemu Win32 environment to run under Unicorn. For a bit of background, libemu is a lightweight x86 emulator written in...