Channel: Kristen Dennesen – Security Bloggers Network
Browsing all 138 articles

Hancitor (AKA Chanitor) observed using multiple attack approaches

Many threat actors use multiple attack vectors to ensure success. The individuals using Hancitor malware (also known by the name Chanitor) are no exception and have taken three approaches to deliver...

Vendetta Brothers, Inc. – A Window Into the Business of the Cybercriminal...

FireEye iSIGHT Intelligence has been tracking a pair of cybercriminals that we refer to as the “Vendetta Brothers.” This enterprising duo uses various strategies to compromise point-of-sale systems,...

Increased Use of WMI for Environment Detection and Evasion

Introduction

Throughout the past few months, FireEye Labs has observed an increased use of Windows Management Instrumentation (WMI) queries for environment detection and evasion of dynamic analysis...

Operations of a Brazilian Payment Card Fraud Group

Introduction

Brazil has been designated a major hub for financially motivated eCrime threat activity. Brazilian threat actors are targeting domestic and foreign entities and individuals, with frequent...

Rotten Apples: Resurgence

In June 2016, we published a blog about a phishing campaign targeting the Apple IDs and passwords of Chinese Apple users that emerged in the first quarter of 2016 (referred to as the “Zycode” phishing...

2016 Flare-On Challenge Solutions

I would like to thank the challenge authors this year: Alexander Rich, Matt Williams (@0xmwilliams), Dominik Weber, James T. Bennett (@jtbennettjr), Tyler Dean, Josh Homan, Alex Berry, Nick Harbour...

Extending Linux Executable Logging With The Integrity Measurement Architecture

Gaining insight into the files being executed on your system is a great first step towards improved visibility on your endpoints. Taking this a step further, centrally storing logs of file execution...

FireEye Cyber Defense Summit 2016: The Incident Response Track – Technical...

2016 has been a year of significant change to the cyber security landscape. The rapid proliferation of ransomware and the emergence of Internet of Things mass compromise has changed the landscape for...

‘One-Stop Shop’ – Phishing Domain Targets Information from Customers of...

FireEye Labs recently discovered a malicious phishing domain designed to steal a variety of information – including credentials and mobile numbers – from customers of several banks in India. Currently,...

FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region

In 2012, a suspected Iranian hacker group called the “Cutting Sword of Justice” used malware known as Shamoon – or Disttrack. In mid-November, Mandiant, a FireEye company, responded to the first...

Do You See What I CCM?

SCCM Software Metering

Reviewing forensic keyword searches can be confusing because it is often difficult for an analyst to determine the source of the various structures that contain string matches....

FLARE Script Series: Querying Dynamic State using the FireEye Labs...

Introduction

This post continues the FireEye Labs Advanced Reverse Engineering (FLARE) script series. Here, we introduce flare-qdb, a command-line utility and Python module based on vivisect for...

Credit Card Data and Other Information Targeted in Netflix Phishing Campaign

Introduction

Through FireEye’s Email Threat Prevention (ETP) solution, FireEye Labs discovered a phishing campaign in the wild targeting the credit card data and other personal information of Netflix...

APT28: At the Center of the Storm

On Jan. 6, 2017, the U.S. Director of National Intelligence released its Intelligence Community Assessment: Assessing Russian Activities and Intentions in Recent US Elections. Still, questions persist...

Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government

Introduction

FireEye recently observed a sophisticated campaign targeting individuals within the Mongolian government. Targeted individuals that enabled macros in a malicious Microsoft Word document...

AntiVirus Evasion Reconstructed – Veil 3.0

The Veil Framework is a collection of tools designed for use during offensive security testing. When the time calls for it, Mandiant’s Red Team will use the Veil-Framework to help achieve their...

FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings

In late February 2017, FireEye as a Service (FaaS) identified a spear phishing campaign that appears to be targeting personnel involved with United States Securities and Exchange Commission (SEC)...

Using the Registry to Discover Unix Systems and Jump Boxes

On red team engagements, Mandiant consultants are often tasked with identifying and obtaining access to critical Unix systems within our client’s environments. The objectives may include obtaining...

Still Getting Served: A Look at Recent Malvertising Campaigns Involving...

Malvertising occurs when an online advertising network knowingly or unknowingly serves up malicious advertisements on a website. Malvertisements are a type of “drive-by” threat that tend to result in...

WMImplant – A WMI Based Agentless Post-Exploitation RAT Developed in PowerShell

Just over one year ago (November 2015), I released WMIOps, a PowerShell script that enables a user to carry out different actions via Windows Management Instrumentation (WMI) on the local machine or a...
