Lucene search
+L
FireeyeRecent

545 matches found

FireEye
FireEye
added 2017/04/17 8:30 a.m.14 views

Writing a libemu/Unicorn Compatability Layer

In this post we are going to take a quick look at what it takes to write a libemu compatibility layer for the Unicorn engine. In the course of this work, we will also import the libemu Win32 environment to run under Unicorn. For a bit of background, libemu is a lightweight x86 emulator written in...

0.1AI score
Exploits0
FireEye
FireEye
added 2017/04/17 8:30 a.m.24 views

Writing a libemu/Unicorn Compatability Layer

In this post we are going to take a quick look at what it takes to write a libemu compatibility layer for the Unicorn engine. In the course of this work, we will also import the libemu Win32 environment to run under Unicorn. For a bit of background, libemu is a lightweight x86 emulator written in...

6.8AI score
Exploits0
FireEye
FireEye
added 2017/04/12 3:0 p.m.181 views

CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware

FireEye recently identified a vulnerability – CVE-2017-0199 – that allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit. We worked with Microsoft and published the...

9.3CVSS8.2AI score0.99933EPSS
Exploits29References3
FireEye
FireEye
added 2017/04/12 11:0 a.m.862 views

CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware

FireEye recently identified a vulnerability – CVE-2017-0199 – that allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit. We worked with Microsoft and published the...

9.3CVSS8.3AI score0.99933EPSS
Exploits29
FireEye
FireEye
added 2017/04/12 11:0 a.m.1040 views

CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware

FireEye recently identified a vulnerability – CVE-2017-0199 – that allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit. We worked with Microsoft and published the...

9.3CVSS8.2AI score0.99933EPSS
Exploits29
FireEye
FireEye
added 2017/04/12 8:0 a.m.13 views

What About the Plant Floor? Six Subversive Concerns for ICS Environments

Industrial enterprises such as electric utilities, petroleum companies, and manufacturing organizations invest heavily in industrial control systems ICS to efficiently, reliably, and safely operate industrial processes. Without this technology operating the plant floor, these businesses cannot...

0.9AI score
Exploits0
FireEye
FireEye
added 2017/04/12 8:0 a.m.12 views

What About the Plant Floor? Six Subversive Concerns for ICS Environments

Industrial enterprises such as electric utilities, petroleum companies, and manufacturing organizations invest heavily in industrial control systems ICS to efficiently, reliably, and safely operate industrial processes. Without this technology operating the plant floor, these businesses cannot...

7AI score
Exploits0
FireEye
FireEye
added 2017/04/11 1:30 p.m.3362 views

CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler

FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability. This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing ...

9.3CVSS8.4AI score0.99933EPSS
Exploits29
FireEye
FireEye
added 2017/04/11 1:30 p.m.685 views

CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler

FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability. This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing ...

9.3CVSS8.6AI score0.99933EPSS
Exploits29
FireEye
FireEye
added 2017/04/08 12:30 a.m.11 views

Acknowledgement of Attacks Leveraging Microsoft Zero-Day

FireEye recently detected malicious Microsoft Office RTF documents that leverage a previously undisclosed vulnerability. This vulnerability allows a malicious actor to execute a Visual Basic script when the user opens a document containing an embedded exploit. FireEye has observed several Office...

7AI score
Exploits0
FireEye
FireEye
added 2017/04/08 12:30 a.m.11 views

Acknowledgement of Attacks Leveraging Microsoft Zero-Day

FireEye recently detected malicious Microsoft Office RTF documents that leverage a previously undisclosed vulnerability. This vulnerability allows a malicious actor to execute a Visual Basic script when the user opens a document containing an embedded exploit. FireEye has observed several Office...

7.3AI score
Exploits0
FireEye
FireEye
added 2017/04/06 3:0 p.m.31 views

APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat

APT10 Background APT10 MenuPass Group is a Chinese cyber espionage group that FireEye has tracked since 2009. They have historically targeted construction and engineering, aerospace, and telecom firms, and governments in the United States, Europe, and Japan. We believe that the targeting of these...

0.2AI score
Exploits0
FireEye
FireEye
added 2017/04/06 3:0 p.m.44 views

APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat

APT10 Background APT10 MenuPass Group is a Chinese cyber espionage group that FireEye has tracked since 2009. They have historically targeted construction and engineering, aerospace, and telecom firms, and governments in the United States, Europe, and Japan. We believe that the targeting of these...

7.2AI score
Exploits0
FireEye
FireEye
added 2017/04/03 8:0 a.m.34 views

Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)

Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY. POSHSPY leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation WMI. In the investigations Mandiant has conducted, it appeared that APT29 deployed POSHSPY as a secondary...

7.3AI score
Exploits0
FireEye
FireEye
added 2017/04/03 8:0 a.m.104 views

Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)

Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY. POSHSPY leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation WMI. In the investigations Mandiant has conducted, it appeared that APT29 deployed POSHSPY as a secondary...

0.6AI score
Exploits0
FireEye
FireEye
added 2017/03/31 10:15 a.m.28 views

Introducing Monitor.app for macOS

As a malware analyst or systems programmer, having a suite of solid dynamic analysis tools is vital to being quick and effective. These tools enable us to understand malware capabilities and undocumented components of the operating system. One obvious tool that comes to mind is Procmon from the...

0.2AI score
Exploits0
FireEye
FireEye
added 2017/03/31 10:15 a.m.16 views

Introducing Monitor.app for macOS

UPDATE 2 Oct. 24, 2018: Monitor.app now supports macOS 10.14. UPDATE April 4, 2018: Monitor.app now supports macOS 10.13. As a malware analyst or systems programmer, having a suite of solid dynamic analysis tools is vital to being quick and effective. These tools enable us to understand malware...

6.8AI score
Exploits0
FireEye
FireEye
added 2017/03/31 12:0 a.m.11 views

Introducing Monitor.app for macOS

UPDATE 2 Oct. 24, 2018: Monitor.app now supports macOS 10.14. UPDATE April 4, 2018: Monitor.app now supports macOS 10.13. As a malware analyst or systems programmer, having a suite of solid dynamic analysis tools is vital to being quick and effective. These tools enable us to understand malware...

6.8AI score
Exploits0References3
FireEye
FireEye
added 2017/03/27 8:0 a.m.48 views

APT29 Domain Fronting With TOR

Mandiant has observed Russian nation-state attackers APT29 employing domain fronting techniques for stealthy backdoor access to victim environments for at least two years. There has been considerable discussion about domain fronting following the release of a paper detailing these techniques...

7.7AI score
Exploits0
FireEye
FireEye
added 2017/03/27 8:0 a.m.43 views

APT29 Domain Fronting With TOR

Mandiant has observed Russian nation-state attackers APT29 employing domain fronting techniques for stealthy backdoor access to victim environments for at least two years. There has been considerable discussion about domain fronting following the release of a paper detailing these techniques...

0.4AI score
Exploits0
FireEye
FireEye
added 2017/03/23 12:0 p.m.30 views

WMImplant – A WMI Based Agentless Post-Exploitation RAT Developed in PowerShell

Just over one year ago November 2015, I released WMIOps, a PowerShell script that enables a user to carry out different actions via Windows Management Instrumentation WMI on the local machine or a remote machine. WMIOps can: Start or stop a process. Return a list of all running processes. Power...

Exploits0
FireEye
FireEye
added 2017/03/23 12:0 p.m.89 views

WMImplant – A WMI Based Agentless Post-Exploitation RAT Developed in PowerShell

Just over one year ago November 2015, I released WMIOps, a PowerShell script that enables a user to carry out different actions via Windows Management Instrumentation WMI on the local machine or a remote machine. WMIOps can: Start or stop a process. Return a list of all running processes. Power...

7.7AI score
Exploits0
FireEye
FireEye
added 2017/03/15 12:48 p.m.8 views

Still Getting Served: A Look at Recent Malvertising Campaigns Involving Exploit Kits

Malvertising occurs when an online advertising network knowingly or unknowingly serves up malicious advertisements on a website. Malvertisements are a type of “drive-by” threat that tend to result in users being infected with malware for simply visiting a website. The victims of this threat are...

6.6AI score
Exploits0References8
FireEye
FireEye
added 2017/03/15 8:48 a.m.52 views

Still Getting Served: A Look at Recent Malvertising Campaigns Involving Exploit Kits

Malvertising occurs when an online advertising network knowingly or unknowingly serves up malicious advertisements on a website. Malvertisements are a type of “drive-by” threat that tend to result in users being infected with malware for simply visiting a website. The victims of this threat are...

6.6AI score
Exploits0
FireEye
FireEye
added 2017/03/15 8:48 a.m.18 views

Still Getting Served: A Look at Recent Malvertising Campaigns Involving Exploit Kits

Malvertising occurs when an online advertising network knowingly or unknowingly serves up malicious advertisements on a website. Malvertisements are a type of “drive-by” threat that tend to result in users being infected with malware for simply visiting a website. The victims of this threat are...

6.6AI score
Exploits0
FireEye
FireEye
added 2017/03/14 8:0 a.m.40 views

M-Trends 2017: A View From the Front Lines

Every year Mandiant responds to a large number of cyber attacks, and 2016 was no exception. For our M-Trends 2017 report, we took a look at the incidents we investigated last year and provided a global and regional the Americas, APAC and EMEA analysis focused on attack trends, and defensive and...

7.2AI score
Exploits0
FireEye
FireEye
added 2017/03/14 8:0 a.m.20 views

M-Trends 2017: A View From the Front Lines

Every year Mandiant responds to a large number of cyber attacks, and 2016 was no exception. For our M-Trends 2017 report, we took a look at the incidents we investigated last year and provided a global and regional the Americas, APAC and EMEA analysis focused on attack trends, and defensive and...

6.8AI score
Exploits0
FireEye
FireEye
added 2017/03/09 8:0 a.m.16 views

Using the Registry to Discover Unix Systems and Jump Boxes

On red team engagements, Mandiant consultants are often tasked with identifying and obtaining access to critical Unix systems within our client’s environments. The objectives may include obtaining payment card data on point of sale terminals or accessing intellectual property residing on Apple...

6.6AI score
Exploits0
FireEye
FireEye
added 2017/03/09 8:0 a.m.15 views

Using the Registry to Discover Unix Systems and Jump Boxes

On red team engagements, Mandiant consultants are often tasked with identifying and obtaining access to critical Unix systems within our client’s environments. The objectives may include obtaining payment card data on point of sale terminals or accessing intellectual property residing on Apple...

6.7AI score
Exploits0
FireEye
FireEye
added 2017/03/08 12:15 p.m.28 views

Introduction to Reverse Engineering Cocoa Applications

While not as common as Windows malware, there has been a steady stream of malware discovered over the years that runs on the OS X operating system, now rebranded as macOS. February saw three particularly interesting publications on the topic of macOS malware: a Trojan Cocoa application that sends...

0.6AI score
Exploits0
FireEye
FireEye
added 2017/03/08 12:15 p.m.27 views

Introduction to Reverse Engineering Cocoa Applications

While not as common as Windows malware, there has been a steady stream of malware discovered over the years that runs on the OS X operating system, now rebranded as macOS. February saw three particularly interesting publications on the topic of macOS malware: a Trojan Cocoa application that sends...

7.1AI score
Exploits0
FireEye
FireEye
added 2017/03/07 9:0 a.m.29 views

FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings

In late February 2017, FireEye as a Service FaaS identified a spear phishing campaign that appeared to be targeting personnel involved with United States Securities and Exchange Commission SEC filings at various organizations. Based on multiple identified overlaps in infrastructure and the use of...

0.4AI score
Exploits0
FireEye
FireEye
added 2017/03/07 9:0 a.m.14 views

FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings

In late February 2017, FireEye as a Service FaaS identified a spear phishing campaign that appeared to be targeting personnel involved with United States Securities and Exchange Commission SEC filings at various organizations. Based on multiple identified overlaps in infrastructure and the use of...

7AI score
Exploits0
FireEye
FireEye
added 2017/03/03 8:0 a.m.19 views

AntiVirus Evasion Reconstructed – Veil 3.0

The Veil Framework is a collection of tools designed for use during offensive security testing. When the time calls for it, Mandiant’s Red Team will use the Veil-Framework to help achieve their objective. The most commonly used tool is Veil-Evasion, which can turn an arbitrary script or piece of...

7.3AI score
Exploits0
FireEye
FireEye
added 2017/03/03 8:0 a.m.15 views

AntiVirus Evasion Reconstructed – Veil 3.0

The Veil Framework is a collection of tools designed for use during offensive security testing. When the time calls for it, Mandiant’s Red Team will use the Veil-Framework to help achieve their objective. The most commonly used tool is Veil-Evasion, which can turn an arbitrary script or piece of...

7.1AI score
Exploits0
FireEye
FireEye
added 2017/02/22 2:45 p.m.12 views

Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government

Introduction FireEye recently observed a sophisticated campaign targeting individuals within the Mongolian government. Targeted individuals that enabled macros in a malicious Microsoft Word document may have been infected with Poison Ivy, a popular remote access tool RAT that has been used for...

8.1AI score
Exploits0References2
FireEye
FireEye
added 2017/02/22 9:45 a.m.34 views

Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government

Introduction FireEye recently observed a sophisticated campaign targeting individuals within the Mongolian government. Targeted individuals that enabled macros in a malicious Microsoft Word document may have been infected with Poison Ivy, a popular remote access tool RAT that has been used for...

0.8AI score
Exploits0
FireEye
FireEye
added 2017/02/22 9:45 a.m.18 views

Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government

Introduction FireEye recently observed a sophisticated campaign targeting individuals within the Mongolian government. Targeted individuals that enabled macros in a malicious Microsoft Word document may have been infected with Poison Ivy, a popular remote access tool RAT that has been used for...

8.1AI score
Exploits0
FireEye
FireEye
added 2017/01/11 8:45 p.m.35 views

New Variant of Ploutus ATM Malware Observed in the Wild in Latin America

Introduction Ploutus is one of the most advanced ATM malware families we’ve seen in the last few years. Discovered for the first time in Mexico back in 2013, Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message, a technique that had...

Exploits0
FireEye
FireEye
added 2017/01/11 8:45 p.m.61 views

New Variant of Ploutus ATM Malware Observed in the Wild in Latin America

Introduction Ploutus is one of the most advanced ATM malware families we’ve seen in the last few years. Discovered for the first time in Mexico back in 2013, Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message, a technique that had...

7.4AI score
Exploits0
FireEye
FireEye
added 2017/01/11 11:0 a.m.39 views

APT28: At the Center of the Storm

On Jan. 6, 2017, the U.S. Director of National Intelligence released its Intelligence Community Assessment: Assessing Russian Activities and Intentions in Recent US Elections. Still, questions persist about Russian involvement. Did the Russian government direct the group responsible for the...

1.1AI score
Exploits0
FireEye
FireEye
added 2017/01/11 11:0 a.m.33 views

APT28: At the Center of the Storm

On Jan. 6, 2017, the U.S. Director of National Intelligence released its Intelligence Community Assessment: Assessing Russian Activities and Intentions in Recent US Elections. Still, questions persist about Russian involvement. Did the Russian government direct the group responsible for the...

6.8AI score
Exploits0
FireEye
FireEye
added 2017/01/09 4:0 p.m.19 views

Credit Card Data and Other Information Targeted in Netflix Phishing Campaign

Introduction Through FireEye’s Email Threat Prevention ETP solution, FireEye Labs discovered a phishing campaign in the wild targeting the credit card data and other personal information of Netflix users primarily based in the United States. This campaign is interesting because of the evasion...

6.6AI score
Exploits0References3
FireEye
FireEye
added 2017/01/09 11:0 a.m.48 views

Credit Card Data and Other Information Targeted in Netflix Phishing Campaign

Introduction Through FireEye’s Email Threat Prevention ETP solution, FireEye Labs discovered a phishing campaign in the wild targeting the credit card data and other personal information of Netflix users primarily based in the United States. This campaign is interesting because of the evasion...

6.9AI score
Exploits0
FireEye
FireEye
added 2017/01/09 11:0 a.m.32 views

Credit Card Data and Other Information Targeted in Netflix Phishing Campaign

Introduction Through FireEye’s Email Threat Prevention ETP solution, FireEye Labs discovered a phishing campaign in the wild targeting the credit card data and other personal information of Netflix users primarily based in the United States. This campaign is interesting because of the evasion...

6.6AI score
Exploits0
FireEye
FireEye
added 2017/01/04 2:2 p.m.44 views

FLARE Script Series: Querying Dynamic State using the FireEye Labs Query-Oriented Debugger (flare-qdb)

Introduction This post continues the FireEye Labs Advanced Reverse Engineering FLARE script series. Here, we introduce flare-qdb, a command-line utility and Python module based on vivisect for querying and altering dynamic binary state conveniently, iteratively, and at scale. flare-qdb works on...

7.2CVSS7.8AI score0.24554EPSS
Exploits10References4
FireEye
FireEye
added 2017/01/04 9:2 a.m.116 views

FLARE Script Series: Querying Dynamic State using the FireEye Labs Query-Oriented Debugger (flare-qdb)

Introduction This post continues the FireEye Labs Advanced Reverse Engineering FLARE script series. Here, we introduce flare-qdb, a command-line utility and Python module based on vivisect for querying and altering dynamic binary state conveniently, iteratively, and at scale. flare-qdb works on...

7.2CVSS7.7AI score0.24554EPSS
Exploits10
FireEye
FireEye
added 2017/01/04 9:2 a.m.75 views

FLARE Script Series: Querying Dynamic State using the FireEye Labs Query-Oriented Debugger (flare-qdb)

Introduction This post continues the FireEye Labs Advanced Reverse Engineering FLARE script series. Here, we introduce flare-qdb, a command-line utility and Python module based on vivisect for querying and altering dynamic binary state conveniently, iteratively, and at scale. flare-qdb works on...

7.2CVSS7.8AI score0.24554EPSS
Exploits10
FireEye
FireEye
added 2016/12/15 1:0 p.m.21 views

Do You See What I CCM?

SCCM Software Metering Reviewing forensic keyword searches can be confusing because it is often difficult for an analyst to determine the source of the various structures that contain string matches. One such structure belongs to Microsoft's System Center Configuration Manager's SCCM software...

7.1AI score
Exploits0References4
FireEye
FireEye
added 2016/12/15 8:0 a.m.39 views

Do You See What I CCM?

SCCM Software Metering Reviewing forensic keyword searches can be confusing because it is often difficult for an analyst to determine the source of the various structures that contain string matches. One such structure belongs to Microsoft's System Center Configuration Manager's SCCM software...

0.3AI score
Exploits0
Total number of security vulnerabilities545