FLARE Script Series: Automating Obfuscated String Decoding
Introduction We are expanding our script series beyond IDA Pro. This post extends the FireEye Labs Advanced Reverse Engineering (FLARE) script series to an invaluable tool for the reverse engineer –...
End of Life for Internet Explorer 8, 9 and 10
Microsoft has started the year with an announcement that, effective Jan. 12, 2016, support for all older versions of Internet Explorer (IE) will come to an end (known as an EoL, or End of Life). The...
The Dangers of Downloads: Securing Mobile Devices in 2016
In 2015, mobile malware attacks were on the rise; from 2014 to 2015 we saw an increase of 61% in the number of these attacks. Malware has a clear progression path; it starts out targeting unsuspecting...
SlemBunk Part II: Prolonged Attack Chain and Better-Organized Campaign
Introduction Our follow-up investigation of a nasty Android banking malware we identified at the tail end of last year has not only revealed that the trojan is more persistent than we initially...
URLZone Zones in on Japan
Recently we’ve seen an interesting trend from several crimeware families that were mainly active in the European region, and have now expanded their activity to Japan. Rovnix is one such family, as...
Hot or Not? The Benefits and Risks of iOS Remote Hot Patching
Introduction Apple has made a significant effort to build and maintain a healthy and clean app ecosystem. The essential contributing component to this status quo is the App Store, which is protected...
CenterPOS: An Evolving POS Threat
Introduction There has been no shortage of point-of-sale (POS) threats in the past couple of years. This type of malicious software has gained widespread notoriety in recent time due to its use in...
Dridex Botnet Resumes Spam Operations After the Holidays
FireEye Labs observed that Dridex operators were active during the holiday season. However, during the post-Christmas and New Year weeks, we observed a slowdown in their spam campaigns. Interestingly,...
FLARE Script Series: flare-dbg Plug-ins
Introduction This post continues the FireEye Labs Advanced Reverse Engineering (FLARE) script series. In this post, we continue to discuss the flare-dbg project. If you haven’t read my first post on...
Greater Visibility Through PowerShell Logging
Introduction Mandiant is continuously investigating attacks that leverage PowerShell throughout all phases of the attack. A common issue we experience is a lack of available logging that adequately...
Maimed Ramnit Still Lurking in the Shadow
Newspapers have the ability to do more than simply keep us current with worldly affairs; we can use them to squash bugs! Yet, as we move from waiting on the newspaper delivery boy to reading breaking...
Using EMET to Disable EMET
Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) is a project that adds security mitigations to user-mode programs beyond those built into the operating system. It runs inside “protected”...
Relational Learning Tutorial
At FireEye, we apply machine learning techniques to a variety of security problems. Malware detection and categorization is a great use of the technology, and we believe that it can also play a role in...
Lessons from Operation RussianDoll
As defensive security controls raise the bar to attack, attackers will employ increasingly sophisticated techniques to complete their mission. Understanding the mechanics and impact of these threats is...
A Growing Number of Android Malware Families Believed to Have a Common...
Introduction On Feb. 19, IBM XForce researchers released an intelligence report [1] stating that the source code for GM Bot was leaked to a crimeware forum in December 2015. GM Bot is a sophisticated...
GongDa vs. Korean News
On Jan. 27, we observed visitors to a Korean news site being redirected to the GongDa Exploit Kit (EK), potentially exposing them to malware infection. We will be referring to this site as KNS. GongDa...
Stop Scanning My Macro
FireEye Labs detected an interesting evasion strategy in two recent, large Dridex campaigns. These campaigns changed the attachment file-type and location of malicious logic in an attempt to avoid...
Wiping Out a Malicious Campaign Abusing Chinese Ad Platform
At FireEye Labs, we have discovered another well-crafted malvertising campaign that uses the ad API of one of the world’s largest search engines: China-based Baidu. The attacker employs a simple HTML...
99 Problems but Two-Factor Ain’t One
Two-factor authentication is a best practice for securing remote access, but it is also a Holy Grail for a motivated red team. Hiding under the guise of a legitimate user authenticated through multiple...
Surge in Spam Campaign Delivering Locky Ransomware Downloaders
FireEye Labs is detecting a significant spike in Locky ransomware downloaders due to a pair of concurrent email spam campaigns impacting users in over 50 countries. Some of the top affected countries...