Petya Ransomware Spreading Via EternalBlue Exploit
On June 27, 2017, multiple organizations – many in Europe – reported significant disruptions they are attributing to Petya ransomware. Based on initial information, this variant of the Petya ransomware...
Back That App Up: Gaining Root on the Lenovo Vibe
In May of 2016, Mandiant’s Red Team discovered a series of vulnerabilities present on Lenovo’s Vibe P1 Android-based mobile device that allow local privilege escalation to the user “root”. Mandiant...
Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques
Throughout 2017 we have observed a marked increase in the use of command line evasion and obfuscation by a range of targeted attackers. Cyber espionage groups and financial threat actors continue to...
Introducing Linux Support for FakeNet-NG: FLARE’s Next Generation Dynamic...
Introduction In 2016, FLARE introduced FakeNet-NG, an open-source network analysis tool written in Python. FakeNet-NG allows security analysts to observe and interact with network applications using...
HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign
A wide variety of threat actors began distributing HawkEye malware through high-volume email campaigns after it became available for purchase via a public-facing website. The actors behind the phishing...
FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed!
As a reverse engineer on the FLARE Team I rely on a customized Virtual Machine (VM) to perform malware analysis. The Virtual Machine is a Windows installation with numerous tweaks and tools to aid my...
Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science
Many attackers continue to leverage PowerShell as a part of their malware ecosystem, mostly delivered and executed by malicious binaries and documents. Of malware that uses PowerShell, the most...
APT28 Targets Hospitality Sector, Presents Threat to Travelers
FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28. We believe this activity, which dates back to at least July 2017, was intended to...
Hiking Club Malvertisements Drop Monero Miners Via Neptune Exploit Kit
Exploit kit (EK) activity has been on the decline ever since Angler Exploit Kit was shut down in 2016. Fewer people using Internet Explorer and a drop in browser support for Adobe Flash – two primary...
Announcing the Fourth Annual Flare-On Challenge
The fourth annual Flare-On Challenge – the FireEye Labs Advanced Reverse Engineering (FLARE) team’s yearly reverse engineering contest – is scheduled to kick off on Sept. 1, 2017, at 8pm ET. This is a...
Monitoring Windows Console Activity (Part 1)
Introduction While performing incident response, Mandiant encounters attackers actively using systems on a compromised network. This activity often includes using interactive console programs via RDP...
Monitoring Windows Console Activity (Part 2)
This is the second of two blogs that discuss the implementation of the Windows console architecture from years past, with a primary focus on the current implementation present on modern versions of...
Why Is North Korea So Interested in Bitcoin?
In 2016 we began observing actors we believe to be North Korean utilizing their intrusion capabilities to conduct cyber crime, targeting banks and the global financial system. This marked a departure...
FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY
FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject...
rVMI: Perform Full System Analysis with Ease
Manual dynamic analysis is an important concept. It enables us to observe the behavior of a sophisticated malware sample or exploit by executing it in a controlled environment. The information gathered...
Introducing pywintrace: A Python Wrapper for ETW
Introduction Event tracing for Windows (ETW) is a lightweight logging facility first introduced with Windows 2000. Originally intended as a software diagnostic, troubleshooting and performance...
Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy...
When discussing suspected Middle Eastern hacker groups with destructive capabilities, many automatically think of the suspected Iranian group that previously used SHAMOON – aka Disttrack – to target...
North Korean Actors Spear Phish U.S. Electric Companies
We can confirm that FireEye devices detected and stopped spear phishing emails sent on Sept. 22, 2017, to U.S. electric companies by known cyber threat actors likely affiliated with the North Korean...