545 matches found
Red Team Tool Roundup
In many cases Red Team tools are not written because someone feels like writing a tool, or wakes up one morning thinking, “I want to write a tool today”. Red Teamers generally identify tedious tasks in their methodology and then create tools that automate these tasks for current and future...
Amazon Same Day Credential Shipping
FireEye has identified a campaign involving phishing websites that appear as legitimate Amazon sites. Amazon is the largest online retailer and threat actors frequently target its customers. In this attack, a person browsing the internet would be directed to authentic looking – yet fake – Amazon...
Amazon Same Day Credential Shipping
FireEye has identified a campaign involving phishing websites that appear as legitimate Amazon sites. Amazon is the largest online retailer and threat actors frequently target its customers. In this attack, a person browsing the internet would be directed to authentic looking – yet fake – Amazon...
Amazon Same Day Credential Shipping
FireEye has identified a campaign involving phishing websites that appear as legitimate Amazon sites. Amazon is the largest online retailer and threat actors frequently target its customers. In this attack, a person browsing the internet would be directed to authentic looking – yet fake – Amazon...
Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection
Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a ransom is paid. Accessibility of cryptocurrency such as Bitcoin has directly contributed to this ransomware model. Based on...
Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection
Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a ransom is paid. Accessibility of cryptocurrency such as Bitcoin has directly contributed to this ransomware model. Based on...
Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection
Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a ransom is paid. Accessibility of cryptocurrency such as Bitcoin has directly contributed to this ransomware model. Based on...
Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release
A security researcher recently published source code for a working exploit for CVE-2016-0189 and the Neutrino Exploit Kit EK quickly adopted it. CVE-2016-0189 was originally exploited as a zero-day vulnerability in targeted attacks in Asia. The vulnerability resides within scripting engines in...
Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release
A security researcher recently published source code for a working exploit for CVE-2016-0189 and the Neutrino Exploit Kit EK quickly adopted it. CVE-2016-0189 was originally exploited as a zero-day vulnerability in targeted attacks in Asia. The vulnerability resides within scripting engines in...
Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release
A security researcher recently published source code for a working exploit for CVE-2016-0189 and the Neutrino Exploit Kit EK quickly adopted it. CVE-2016-0189 was originally exploited as a zero-day vulnerability in targeted attacks in Asia. The vulnerability resides within scripting engines in...
The Latest Android Overlay Malware Spreading via SMS Phishing in Europe
Introduction In April 2016, while investigating a Smishing campaign dubbed RuMMS that involved the targeting of Android users in Russia, we also noticed three similar Smishing campaigns reportedly spreading in Denmark February 2016, in Italy February 2016, and in both Denmark and Italy April 2016...
The Latest Android Overlay Malware Spreading via SMS Phishing in Europe
Introduction In April 2016, while investigating a Smishing campaign dubbed RuMMS that involved the targeting of Android users in Russia, we also noticed three similar Smishing campaigns reportedly spreading in Denmark February 2016, in Italy February 2016, and in both Denmark and Italy April 2016...
Locky is Back Asking for Unpaid Debts
On June 21, 2016, FireEye’s Dynamic Threat Intelligence DTI identified an increase in JavaScript contained within spam emails. FireEye analysts determined the increase was the result of a new Locky ransomware spam campaign. As shown in Figure 1, Locky spam activity was uninterrupted until June 1,...
Locky is Back Asking for Unpaid Debts
On June 21, 2016, FireEye’s Dynamic Threat Intelligence DTI identified an increase in JavaScript contained within spam emails. FireEye analysts determined the increase was the result of a new Locky ransomware spam campaign. As shown in Figure 1, Locky spam activity was uninterrupted until June 1,...
Locky is Back Asking for Unpaid Debts
On June 21, 2016, FireEye’s Dynamic Threat Intelligence DTI identified an increase in JavaScript contained within spam emails. FireEye analysts determined the increase was the result of a new Locky ransomware spam campaign. As shown in Figure 1, Locky spam activity was uninterrupted until June 1,...
Automatically Extracting Obfuscated Strings from Malware using the FireEye Labs Obfuscated String Solver (FLOSS)
Introduction and Motivation Have you ever run strings.exe on a malware executable and its output provided you with IP addresses, file names, registry keys, and other indicators of compromise IOCs? Great! No need to run further analysis or hire expensive experts to determine if a file is malicious...
Automatically Extracting Obfuscated Strings from Malware using the FireEye Labs Obfuscated String Solver (FLOSS)
Introduction and Motivation Have you ever run strings.exe on a malware executable and its output provided you with IP addresses, file names, registry keys, and other indicators of compromise IOCs? Great! No need to run further analysis or hire expensive experts to determine if a file is malicious...
Red Line Drawn: China Recalculates Its Use of Cyber Espionage
On Sept. 25, 2015, President Barack Obama and Chinese President Xi Jinping agreed that neither government would “conduct or knowingly support cyber-enabled theft of intellectual property” for an economic advantage. Some observers hailed the agreement as a game changer for U.S. and Chinese...
Red Line Drawn: China Recalculates Its Use of Cyber Espionage
On Sept. 25, 2015, President Barack Obama and Chinese President Xi Jinping agreed that neither government would “conduct or knowingly support cyber-enabled theft of intellectual property” for an economic advantage. Some observers hailed the agreement as a game changer for U.S. and Chinese...
Resurrection of the Evil Miner
At FireEye Labs, we recently detected the resurgence of a coin mining campaign with a novel and unconventional infection vector in the form of an iFRAME inline frame – an HTML document embedded inside another HTML document on a web page that allows users to get content from another separate sourc...
Resurrection of the Evil Miner
At FireEye Labs, we recently detected the resurgence of a coin mining campaign with a novel and unconventional infection vector in the form of an iFRAME inline frame – an HTML document embedded inside another HTML document on a web page that allows users to get content from another separate sourc...
Resurrection of the Evil Miner
At FireEye Labs, we recently detected the resurgence of a coin mining campaign with a novel and unconventional infection vector in the form of an iFRAME inline frame – an HTML document embedded inside another HTML document on a web page that allows users to get content from another separate sourc...
EMEA Organizations Must Rise to the Challenge of Stopping Advanced Threats
Since 2010, Mandiant, a FireEye company, has presented trends, statistics and case studies of cyber attacks involving advanced threat actors. As part of its many global investigations in 2015, Mandiant responded to several breaches in Europe, Middle East and Africa EMEA. Throughout the year we...
EMEA Organizations Must Rise to the Challenge of Stopping Advanced Threats
Since 2010, Mandiant, a FireEye company, has presented trends, statistics and case studies of cyber attacks involving advanced threat actors. As part of its many global investigations in 2015, Mandiant responded to several breaches in Europe, Middle East and Africa EMEA. Throughout the year we...
Pwned by Vpon
Vpon is one of many mobile ad SDKs marketed towards mainland Chinese and Taiwanese developers and app users. Recently, FireEye mobile security researchers identified a branch of Vpon ad SDK on iOS containing code that allows a malicious actor be it the app developer or the SDK creator to remotely...
Pwned by Vpon
Vpon is one of many mobile ad SDKs marketed towards mainland Chinese and Taiwanese developers and app users. Recently, FireEye mobile security researchers identified a branch of Vpon ad SDK on iOS containing code that allows a malicious actor be it the app developer or the SDK creator to remotely...
Pwned by Vpon
Vpon is one of many mobile ad SDKs marketed towards mainland Chinese and Taiwanese developers and app users. Recently, FireEye mobile security researchers identified a branch of Vpon ad SDK on iOS containing code that allows a malicious actor be it the app developer or the SDK creator to remotely...
Connected Cars: The Open Road for Hackers
As vehicles become both increasingly complex and better connected to the Internet, their newfound versatility may be manipulated for malicious purposes. Three of the most concerning potential threats looking ahead to the next few years are those posed by manipulating vehicle operation, ransomware...
Connected Cars: The Open Road for Hackers
As vehicles become both increasingly complex and better connected to the Internet, their newfound versatility may be manipulated for malicious purposes. Three of the most concerning potential threats looking ahead to the next few years are those posed by manipulating vehicle operation, ransomware...
Rotten Apples: Apple-like Malicious Phishing Domains
At FireEye Labs we have an automated system designed to proactively detect newly registered malicious domains. This system observed some phishing domains registered in the first quarter of 2016 that were designed to appear as legitimate Apple domains. These phony Apple domains were involved in...
Rotten Apples: Apple-like Malicious Phishing Domains
At FireEye Labs we have an automated system designed to proactively detect newly registered malicious domains. This system observed some phishing domains registered in the first quarter of 2016 that were designed to appear as legitimate Apple domains. These phony Apple domains were involved in...
Rotten Apples: Apple-like Malicious Phishing Domains
At FireEye Labs we have an automated system designed to proactively detect newly registered malicious domains. This system observed some phishing domains registered in the first quarter of 2016 that were designed to appear as legitimate Apple domains. These phony Apple domains were involved in...
Angler Exploit Kit Evading EMET
We recently encountered some exploits from Angler Exploit Kit EK that are completely evading Microsoft’s Enhanced Mitigation Experience Toolkit EMET. This is something we are seeing for the first time in the wild, and we only observed it affecting systems running Windows 7. Angler EK uses complex...
Angler Exploit Kit Evading EMET
We recently encountered some exploits from Angler Exploit Kit EK that are completely evading Microsoft’s Enhanced Mitigation Experience Toolkit EMET. This is something we are seeing for the first time in the wild, and we only observed it affecting systems running Windows 7. Angler EK uses complex...
Angler Exploit Kit Evading EMET
We recently encountered some exploits from Angler Exploit Kit EK that are completely evading Microsoft’s Enhanced Mitigation Experience Toolkit EMET. This is something we are seeing for the first time in the wild, and we only observed it affecting systems running Windows 7. Angler EK uses complex...
APT Group Sends Spear Phishing Emails to Indian Government Officials
Introduction On May 18, 2016, FireEye Labs observed a suspected Pakistan-based APT group sending spear phishing emails to Indian government officials. This threat actor has been active for several years and conducting suspected intelligence collection operations against South Asian political and...
APT Group Sends Spear Phishing Emails to Indian Government Officials
Introduction On May 18, 2016, FireEye Labs observed a suspected Pakistan-based APT group sending spear phishing emails to Indian government officials. This threat actor has been active for several years and conducting suspected intelligence collection operations against South Asian political and...
IRONGATE ICS Malware: Nothing to See Here...Masking Malicious Activity on SCADA Systems
In the latter half of 2015, the FireEye Labs Advanced Reverse Engineering FLARE team identified several versions of an ICS-focused malware crafted to manipulate a specific industrial process running within a simulated Siemens control system environment. We named this family of malware IRONGATE...
IRONGATE ICS Malware: Nothing to See Here...Masking Malicious Activity on SCADA Systems
In the latter half of 2015, the FireEye Labs Advanced Reverse Engineering FLARE team identified several versions of an ICS-focused malware crafted to manipulate a specific industrial process running within a simulated Siemens control system environment. We named this family of malware IRONGATE...
IRONGATE ICS Malware: Nothing to See Here...Masking Malicious Activity on SCADA Systems
In the latter half of 2015, the FireEye Labs Advanced Reverse Engineering FLARE team identified several versions of an ICS-focused malware crafted to manipulate a specific industrial process running within a simulated Siemens control system environment. We named this family of malware IRONGATE...
Targeted Attacks against Banks in the Middle East
Introduction In the first week of May 2016, FireEye’s DTI identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region. The threat actors appear to be performing initial reconnaissance against would-be targets, and the attacks caught our...
Targeted Attacks against Banks in the Middle East
UPDATE Dec. 8, 2017: We now attribute this campaign to APT34, a suspected Iranian cyber espionage threat group that we believe has been active since at least 2014. Learn more about APT34 and their late 2017 targeting of a government organization in the Middle East. Introduction In the first week ...
How RTF malware evades static signature-based detection
History Rich Text Format RTF is a document format developed by Microsoft that has been widely used on various platforms for more than 29 years. The RTF format is very flexible and therefore complicated. This makes the development of a safe RTF parsers challenging. Some notorious vulnerabilities...
How RTF malware evades static signature-based detection
History Rich Text Format RTF is a document format developed by Microsoft that has been widely used on various platforms for more than 29 years. The RTF format is very flexible and therefore complicated. This makes the development of a safe RTF parsers challenging. Some notorious vulnerabilities...
Ransomware Activity Spikes in March, Steadily increasing throughout 2016
UPDATE June 15, 2016: This post has been updated to include new data on ransomware activity, which is also now broken down by region. Cyber extortion for financial gain is typically carried out in one of two ways. The first method is a business disruption attack – a category we discussed at lengt...
Ransomware Activity Spikes in March, Steadily increasing throughout 2016
UPDATE June 15, 2016: This post has been updated to include new data on ransomware activity, which is also now broken down by region. Cyber extortion for financial gain is typically carried out in one of two ways. The first method is a business disruption attack – a category we discussed at lengt...
CVE-2016-4117: Flash Zero-Day Exploited in the Wild
On May 8, 2016, FireEye detected an attack exploiting a previously unknown vulnerability in Adobe Flash Player CVE-2016-4117 and reported the issue to the Adobe Product Security Incident Response Team PSIRT. Adobe released a patch for the vulnerability in APSB16-15 just four days later. Attackers...
CVE-2016-4117: Flash Zero-Day Exploited in the Wild
On May 8, 2016, FireEye detected an attack exploiting a previously unknown vulnerability in Adobe Flash Player CVE-2016-4117 and reported the issue to the Adobe Product Security Incident Response Team PSIRT. Adobe released a patch for the vulnerability in APSB16-15 just four days later. Attackers...
CVE-2016-4117: Flash Zero-Day Exploited in the Wild
On May 8, 2016, FireEye detected an attack exploiting a previously unknown vulnerability in Adobe Flash Player CVE-2016-4117 and reported the issue to the Adobe Product Security Incident Response Team PSIRT. Adobe released a patch for the vulnerability in APSB16-15 just four days later. Attackers...
Cerber Ransomware Partners with the Dridex Spam Distributor
Cerber ransomware incorporates the unusual feature of “speaking” its ransom message after successfully infecting a user machine and encrypting files. Cerber was first seen in the wild at the end of February 2016 and was observed being delivered mostly via exploit kits EK, notably using Magnitude...