Channel: Kristen Dennesen – Security Bloggers Network
Browsing all 138 articles

Rollout or Not: the Benefits and Risks of iOS Remote Hot Patching

Apple’s detailed app review process has resulted in greater security for iOS apps made available through the App Store. However, this review process can be...

CVE-2016-1019: A New Flash Exploit Included in Magnitude Exploit Kit

On April 2, security researcher @Kafeine at Proofpoint discovered a change to the Magnitude Exploit Kit. Thanks to their collaboration, we analyzed the sample and discovered that Magnitude EK was...

MULTIGRAIN – Point of Sale Attackers Make an Unhealthy Addition to the Pantry

FireEye recently discovered a new variant of a point of sale (POS) malware family known as NewPosThings. This variant, which we call “MULTIGRAIN”, consists largely of a subset of slightly modified code...

Follow The Money: Dissecting the Operations of the Cyber Crime Group FIN6

Cybercrime operations can be intricate and elaborate, with careful planning needed to navigate the various obstacles separating an attacker from a payout. Yet reports on these operations are often...

New Downloader for Locky

Through DTI Intelligence analysis, we have been observing Locky malware rise to fame recently. Locky is ransomware that is aggressively distributed via downloaders attached in spam emails, and it may...

PowerShell used for spreading Trojan.Laziok through Google Docs

Through our multi-flow detection capability, we recently identified malicious actors spreading Trojan.Laziok malware via Google Docs. We observed that the attackers managed to upload the...

RuMMS: The Latest Family of Android Malware Attacking Users in Russia Via SMS...

Recently we observed an Android malware family being used to attack users in Russia. The malware samples were mainly distributed through a series of malicious subdomains registered under...

Deobfuscating Python Bytecode

During an investigation, the FLARE team came across an interesting Python malware sample (MD5: 61a9f80612d3f7566db5bdf37bbf22cf) that is packaged using py2exe. Py2exe is a popular way to...

Exploiting CVE-2016-2060 on Qualcomm Devices

Mandiant’s Red Team recently discovered a widespread vulnerability affecting Android devices that permits local privilege escalation to the built-in user “radio”, making it so an attacker can...

Locky Gets Clever!

As discussed in an earlier FireEye blog, we have seen Locky ransomware rise to fame in recent months. Locky is aggressively distributed via a JavaScript-based downloader sent as an attachment in spam...

Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks

In March 2016, a financially motivated threat actor launched several tailored spear phishing campaigns primarily targeting the retail, restaurant, and hospitality industries. The emails contained...

Cerber Ransomware Partners with the Dridex Spam Distributor

Cerber ransomware incorporates the unusual feature of “speaking” its ransom message after successfully infecting a user machine and encrypting files. Cerber was first seen in the wild at the end of...

CVE-2016-4117: Flash Zero-Day Exploited in the Wild

On May 8, 2016, FireEye detected an attack exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the issue to the Adobe Product Security Incident Response...

Ransomware Activity Spikes in March, Steadily increasing throughout 2016

Cyber extortion for financial gain is typically carried out in one of two ways. The first method is a business disruption attack – a category we discussed at length in M-Trends 2016. In this type of...

How RTF malware evades static signature-based detection

Rich Text Format (RTF) is a document format developed by Microsoft that has been widely used on various platforms for more than 29 years. The RTF format is very flexible and therefore...

Targeted Attacks against Banks in the Middle East

In the first week of May 2016, FireEye’s DTI identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region. The threat actors appear...

IRONGATE ICS Malware: Nothing to See Here…Masking Malicious Activity on SCADA...

In the latter half of 2015, the FireEye Labs Advanced Reverse Engineering (FLARE) team identified several versions of an ICS-focused malware crafted to manipulate a specific industrial process running...

APT Group Sends Spear Phishing Emails to Indian Government Officials

On May 18, 2016, FireEye Labs observed a suspected Pakistan-based APT group sending spear phishing emails to Indian government officials. This threat actor has been active for several...
