Article: New FakeNet-NG Feature: Content-Based Protocol Detection - published about 7 years ago. Content: I (Matthew Haigh) recently contributed to FLARE’s FakeNet-NG network simulator by adding content-based protocol detection and configuration. This feature is useful for analyzing malware that uses a protocol over a non-standard port; for example, HTTP over port 81. The new feature also detects and adapts to SSL so that any protocol can be used with ... https://www.fireeye.com/blog/threat-research/2017/10/fakenet-content-based-protocol-detection.html Published: 2017 10 23 15:15:00 Received: 2022 05 23 16:06:47 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: Cmd and Conquer: De-DOSfuscation with flare-qdb - published about 6 years ago. Content: When Daniel Bohannon released his excellent DOSfuscation paper, I was fascinated to see how tricks I used as a systems engineer could help attackers evade detection. I didn’t have much to contribute to this conversation until I had to analyze a hideously obfuscated batch file as part of my job on the FLARE malware queue. Previously, I released fla... https://www.fireeye.com/blog/threat-research/2018/11/cmd-and-conquer-de-dosfuscation-with-flare-qdb.html Published: 2018 11 20 17:30:00 Received: 2022 05 23 16:06:47 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Loading Kernel Shellcode - published over 6 years ago. Content: In the wake of recent hacking tool dumps, the FLARE team saw a spike in malware samples detonating kernel shellcode. Although most samples can be analyzed statically, the FLARE team sometimes debugs these samples to confirm specific functionality. Debugging can be an efficient way to get around packing or obfuscation and quickly identify the struct... https://www.fireeye.com/blog/threat-research/2018/04/loading-kernel-shellcode.html Published: 2018 04 23 15:00:00 Received: 2022 05 23 16:06:47 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Introducing Linux Support for FakeNet-NG: FLARE’s Next Generation Dynamic Network Analysis Tool - published over 7 years ago. Content: Introduction In 2016, FLARE introduced FakeNet-NG, an open-source network analysis tool written in Python. FakeNet-NG allows security analysts to observe and interact with network applications using standard or custom protocols on a single Windows host, which is especially useful for malware analysis and reverse engineering. Since FakeNet-NG’s rel... https://www.fireeye.com/blog/threat-research/2017/07/linux-support-for-fakenet-ng.html Published: 2017 07 05 15:00:00 Received: 2022 05 23 16:06:47 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: FLARE Script Series: Querying Dynamic State using the FireEye Labs Query-Oriented Debugger (flare-qdb) - published almost 8 years ago. Content: Introduction This post continues the FireEye Labs Advanced Reverse Engineering (FLARE) script series. Here, we introduce flare-qdb, a command-line utility and Python module based on vivisect for querying and altering dynamic binary state conveniently, iteratively, and at scale. flare-qdb works on Windows and Linux, and can be obtained from the flare... https://www.fireeye.com/blog/threat-research/2017/01/flare_script_series.html Published: 2017 01 04 14:02:00 Received: 2022 05 23 16:06:47 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: 2015 FLARE-ON Challenge Solutions - published about 9 years ago. Content: The first few challenges narrowed the playing field drastically, with most serious contestants holding firm through challenges 4-9. The last two increased the difficulty level and proved a difficult final series of challenges for a well-earned finish line. The FLARE On Challenge always reaches a very wide international audience. Outside of the USA, ... https://www.fireeye.com/blog/threat-research/2015/09/flare-on_challenges.html Published: 2015 09 08 14:56:00 Received: 2022 05 23 16:06:47 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: FLARE Script Series: flare-dbg Plug-ins - published almost 9 years ago. Content: Introduction This post continues the FireEye Labs Advanced Reverse Engineering (FLARE) script series. In this post, we continue to discuss the flare-dbg project. If you haven’t read my first post on using flare-dbg to automate string decoding, be sure to check it out! We created the flare-dbg Python project to support the creation of plug-ins ... https://www.fireeye.com/blog/threat-research/2016/02/flare_script_series.html Published: 2016 02 09 12:00:00 Received: 2022 05 23 16:06:47 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: Connecting the Dots: Syrian Malware Team Uses BlackWorm for Attacks - published about 10 years ago. Content: The Syrian Electronic Army has made news for its recent attacks on major communications websites, Forbes, and an alleged attack on CENTCOM. While these attacks garnered public attention, the activities of another group - The Syrian Malware Team - have gone largely unnoticed. The group’s activities prompted us to take a closer look. We discovere... https://www.fireeye.com/blog/threat-research/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html Published: 2014 08 29 08:00:00 Received: 2022 05 23 16:06:47 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Two Limited, Targeted Attacks; Two New Zero-Days - published about 10 years ago. Content: The FireEye Labs team has identified two new zero-day vulnerabilities as part of limited, targeted attacks against some major corporations. Both zero-days exploit the Windows Kernel, with Microsoft assigning CVE-2014-4148 and CVE-2014-4113 to and addressing the vulnerabilities in their October 2014 Security Bulletin. FireEye Labs have identified... https://www.fireeye.com/blog/threat-research/2014/10/two-targeted-attacks-two-new-zero-days.html Published: 2014 10 14 14:46:54 Received: 2022 05 23 16:06:47 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: iOS Masque Attack Revived: Bypassing Prompt for Trust and App URL Scheme Hijacking - published almost 10 years ago. Content: In November of last year, we uncovered a major flaw in iOS we dubbed “Masque Attack” that allowed for malicious apps to replace existing, legitimate ones on an iOS device via SMS, email, or web browsing. In total, we have notified Apple of five security issues related to four kinds of Masque Attacks. Today, we are sharing Masque Attack II in the ... https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html Published: 2015 02 19 19:00:00 Received: 2022 05 23 16:06:47 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: NitlovePOS: Another New POS Malware - published over 9 years ago. Content: There has been a proliferation of malware specifically designed to extract payment card information from Point-of-Sale (POS) systems over the last two years. In 2015, there have already been a variety of new POS malware identified including a new Alina variant, FighterPOS and Punkey. During our research into a widespread spam campaign, we dis... https://www.fireeye.com/blog/threat-research/2015/05/nitlovepos_another.html Published: 2015 05 23 18:05:00 Received: 2022 05 23 16:06:47 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Three New Masque Attacks against iOS: Demolishing, Breaking and Hijacking - published over 9 years ago. Content: In the recent release of iOS 8.4, Apple fixed several vulnerabilities including vulnerabilities that allow attackers to deploy two new kinds of Masque Attack (CVE-2015-3722/3725, and CVE-2015-3725). We call these exploits Manifest Masque and Extension Masque, which can be used to demolish apps, including system apps (e.g., Apple Watch, Health, Pay ... https://www.fireeye.com/blog/threat-research/2015/06/three_new_masqueatt.html Published: 2015 06 30 14:00:00 Received: 2022 05 23 16:06:47 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: XcodeGhost S: A New Breed Hits the US - published about 9 years ago. Content: Just over a month ago, iOS users were warned of the threat to their devices by the XcodeGhost malware. Apple quickly reacted, taking down infected apps from the App Store and releasing new security features to stop malicious activities. Through continuous monitoring of our customers’ networks, FireEye researchers have found that, despite the quick ... https://www.fireeye.com/blog/threat-research/2015/11/xcodeghost_s_a_new.html Published: 2015 11 03 12:27:00 Received: 2022 05 23 16:06:47 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: Hot or Not? The Benefits and Risks of iOS Remote Hot Patching - published almost 9 years ago. Content: Introduction Apple has made a significant effort to build and maintain a healthy and clean app ecosystem. The essential contributing component to this status quo is the App Store, which is protected by a thorough vetting process that scrutinizes all submitted applications. While the process is intended to protect iOS users and ensure apps meet Ap... https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html Published: 2016 01 27 13:00:00 Received: 2022 05 23 16:06:47 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Locky is Back Asking for Unpaid Debts - published over 8 years ago. Content: On June 21, 2016, FireEye’s Dynamic Threat Intelligence (DTI) identified an increase in JavaScript contained within spam emails. FireEye analysts determined the increase was the result of a new Locky ransomware spam campaign. As shown in Figure 1, Locky spam activity was uninterrupted until June 1, 2016, when it stopped for nearly three weeks. Durin... https://www.fireeye.com/blog/threat-research/2016/06/locky-is-back-and-asking-for-unpaid-debts.html Published: 2016 06 24 17:30:00 Received: 2022 05 23 16:06:47 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Rotten Apples: Apple-like Malicious Phishing Domains - published over 8 years ago. Content: At FireEye Labs we have an automated system designed to proactively detect newly registered malicious domains. This system observed some phishing domains registered in the first quarter of 2016 that were designed to appear as legitimate Apple domains. These phony Apple domains were involved in phishing attacks against Apple iCloud users in China an... https://www.fireeye.com/blog/threat-research/2016/06/rotten_apples_apple.html Published: 2016 06 07 12:00:00 Received: 2022 05 23 16:06:47 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government - published over 7 years ago. Content: Introduction FireEye recently observed a sophisticated campaign targeting individuals within the Mongolian government. Targeted individuals that enabled macros in a malicious Microsoft Word document may have been infected with Poison Ivy, a popular remote access tool (RAT) that has been used for nearly a decade for key logging, screen and video ca... https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html Published: 2017 02 22 14:45:00 Received: 2022 05 23 16:06:47 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners - published over 6 years ago. Content: Introduction Cyber criminals tend to favor cryptocurrencies because they provide a certain level of anonymity and can be easily monetized. This interest has increased in recent years, stemming far beyond the desire to simply use cryptocurrencies as a method of payment for illicit tools and services. Many actors have also attempted to capitalize on... https://www.fireeye.com/blog/threat-research/2018/07/cryptocurrencies-cyber-crime-growth-of-miners.html Published: 2018 07 18 14:00:00 Received: 2022 05 23 16:06:47 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Network of Social Media Accounts Impersonates U.S. Political Candidates, Leverages U.S. and Israeli Media in Support of Iranian Interests - published over 5 years ago. Content: In August 2018, FireEye Threat Intelligence released a report exposing what we assessed to be an Iranian influence operation leveraging networks of inauthentic news sites and social media accounts aimed at audiences around the world. We identified inauthentic social media accounts posing as everyday Americans that were used to promote content fro... https://www.fireeye.com/blog/threat-research/2019/05/social-media-network-impersonates-us-political-candidates-supports-iranian-interests.html Published: 2019 05 28 19:00:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: Learning to Rank Strings Output for Speedier Malware Analysis - published over 5 years ago. Content: Reverse engineers, forensic investigators, and incident responders have an arsenal of tools at their disposal to dissect malicious software binaries. When performing malware analysis, they successively apply these tools in order to gradually gather clues about a binary’s function, design detection methods, and ascertain how to contain its damage. O... https://www.fireeye.com/blog/threat-research/2019/05/learning-to-rank-strings-output-for-speedier-malware-analysis.html Published: 2019 05 29 14:30:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Framing the Problem: Cyber Threats and Elections - published over 5 years ago. Content: This year, Canada, multiple European nations, and others will host high profile elections. The topic of cyber-enabled threats disrupting and targeting elections has become an increasing area of awareness for governments and citizens globally. To develop solutions and security programs to counter cyber threats to elections, it is important to begin ... https://www.fireeye.com/blog/threat-research/2019/05/framing-the-problem-cyber-threats-and-elections.html Published: 2019 05 30 15:00:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: FLASHMINGO: The FireEye Open Source Automatic Analysis Tool for Flash - published over 5 years ago. Content: Adobe Flash is one of the most exploited software components of the last decade. Its complexity and ubiquity make it an obvious target for attackers. Public sources list more than one thousand CVEs being assigned to the Flash Player alone since 2005. Almost nine hundred of these vulnerabilities have a Common Vulnerability Scoring System (C... https://www.fireeye.com/blog/threat-research/2019/04/flashmingo-open-source-automatic-analysis-tool-for-flash.html Published: 2019 04 15 15:00:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: Solving Ad-hoc Problems with Hex-Rays API - published over 6 years ago. Content: Introduction IDA Pro is the de facto standard when it comes to binary reverse engineering. Besides being a great disassembler and debugger, it is possible to extend it and include a powerful decompiler by purchasing an additional license from Hex-Rays. The ability to switch between disassembled and decompiled code can greatly reduce the analysi... https://www.fireeye.com/blog/threat-research/2018/04/solving-ad-hoc-problems-with-hex-rays-api.html Published: 2018 04 10 15:00:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Writing a libemu/Unicorn Compatability Layer - published over 7 years ago. Content: In this post we are going to take a quick look at what it takes to write a libemu compatibility layer for the Unicorn engine. In the course of this work, we will also import the libemu Win32 environment to run under Unicorn. For a bit of background, libemu is a lightweight x86 emulator written in C by Paul Baecher and Markus Koetter. It was released... https://www.fireeye.com/blog/threat-research/2017/04/libemu-unicorn-compatability-layer.html Published: 2017 04 17 12:30:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Remote Symbol Resolution - published over 7 years ago. Content: Introduction The following blog discusses a couple of common techniques that malware uses to obscure its access to the Windows API. In both forms examined, analysts must calculate the API start address and resolve the symbol from the runtime process in order to determine functionality. After introducing the techniques, we present an open source tool ... https://www.fireeye.com/blog/threat-research/2017/06/remote-symbol-resolution.html Published: 2017 06 21 12:00:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: Introducing GoCrack: A Managed Password Cracking Tool - published about 7 years ago. Content: FireEye's Innovation and Custom Engineering (ICE) team released a tool today called GoCrack that allows red teams to efficiently manage password cracking tasks across multiple GPU servers by providing an easy-to-use, web-based real-time UI (Figure 1 shows the dashboard) to create, view, and manage tasks. Simply deploy a GoCrack server along with a ... https://www.fireeye.com/blog/threat-research/2017/10/gocrack-managed-password-cracking-tool.html Published: 2017 10 30 14:00:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Windows Management Instrumentation (WMI) Offense, Defense, and Forensics - published over 9 years ago. Content: Windows Management Instrumentation (WMI) is a remote management framework that enables the collection of host information, execution of code, and provides an eventing system that can respond to operating system events in real time. FireEye has recently seen a surge in attacker use of WMI to carry out objectives such as system reconnaissance, remote... https://www.fireeye.com/blog/threat-research/2015/08/windows_managementi.html Published: 2015 08 08 18:45:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities - published over 5 years ago. Content: FireEye Labs recently observed an attack against the government sector in Central Asia. The attack involved the new HAWKBALL backdoor being delivered via well-known Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802. HAWKBALL is a backdoor that attackers can use to collect information from the victim, as well as to deliver payloads. H... https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html Published: 2019 06 05 15:00:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: Churning Out Machine Learning Models: Handling Changes in Model Predictions - published over 5 years ago. Content: Introduction Machine learning (ML) is playing an increasingly important role in cyber security. Here at FireEye, we employ ML for a variety of tasks such as: antivirus, malicious PowerShell detection, and correlating threat actor behavior. While many people think that a data scientist’s job is finished when a model is built, the truth is t... https://www.fireeye.com/blog/threat-research/2019/04/churning-out-machine-learning-models-handling-changes-in-model-predictions.html Published: 2019 04 09 17:00:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Second Adobe Flash Zero-Day CVE-2015-5122 from HackingTeam Exploited in Strategic Web Compromise Targeting Japanese Victims - published over 9 years ago. Content: On July 14, FireEye researchers discovered attacks exploiting the Adobe Flash vulnerability CVE-2015-5122, just four days after Adobe released a patch. CVE-2015-5122 was the second Adobe Flash zero-day revealed in the leak of HackingTeam’s internal data. The campaign targeted Japanese organizations by using at least two legitimate Japanese websites... https://www.fireeye.com/blog/threat-research/2015/07/second_adobe_flashz.html Published: 2015 07 19 20:00:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: iBackDoor: High-risk Code Sneaks into the App Store - published about 9 years ago. Content: The library embeds backdoors in unsuspecting apps that make use of it to display ads, exposing sensitive data and functionality. The backdoors can be controlled remotely by loading JavaScript code from remote servers to perform the following actions: Capture audio and screenshots. Monitor and upload device location. Read/delete/create/modify file... https://www.fireeye.com/blog/threat-research/2015/10/ibackdoor_high-risk.html Published: 2015 10 26 13:51:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: A Growing Number of Android Malware Families Believed to Have a Common Origin: A Study Based on Binary Code - published over 8 years ago. Content: Introduction On Feb. 19, IBM XForce researchers released an intelligence report [1] stating that the source code for GM Bot was leaked to a crimeware forum in December 2015. GM Bot is a sophisticated Android malware family that emerged in the Russian-speaking cybercrime underground in late 2014. IBM also claimed that several Android malware f... https://www.fireeye.com/blog/threat-research/2016/03/android-malware-families.html Published: 2016 03 11 15:04:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Finding Evil in Windows 10 Compressed Memory, Part Two: Virtual Store Deep Dive - published over 5 years ago. Content: Introduction This blog post is the second in a three-part series covering our Windows 10 memory forensics research and it coincides with our BlackHat USA 2019 presentation. In Part One of the series, we covered the integration of the research in both Volatily and Rekall memory forensics tools. We demonstrated that forensic artifacts (including... https://www.fireeye.com/blog/threat-research/2019/08/finding-evil-in-windows-ten-compressed-memory-part-two.html Published: 2019 08 08 20:30:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: Open Sourcing StringSifter - published about 5 years ago. Content: Malware analysts routinely use the Strings program during static analysis in order to inspect a binary's printable characters. However, identifying relevant strings by hand is time consuming and prone to human error. Larger binaries produce upwards of thousands of strings that can quickly evoke analyst fatigue, relevant strings occur less often tha... https://www.fireeye.com/blog/threat-research/2019/09/open-sourcing-stringsifter.html Published: 2019 09 07 17:00:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Showing Vulnerability to a Machine: Automated Prioritization of Software Vulnerabilities - published over 5 years ago. Content: Introduction If a software vulnerability can be detected and remedied, then a potential intrusion is prevented. While not all software vulnerabilities are known, 86 percent of vulnerabilities leading to a data breach were patchable, though there is some risk of inadvertent damage when applying software patches. When new vulnerabilities are ide... https://www.fireeye.com/blog/threat-research/2019/08/automated-prioritization-of-software-vulnerabilities.html Published: 2019 08 13 16:45:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Finding Evil in Windows 10 Compressed Memory, Part Three: Automating Undocumented Structure Extraction - published over 5 years ago. Content: This is the final post in the three-part series: Finding Evil in Windows 10 Compressed Memory. In the first post (Volatility and Rekall Tools), the FLARE team introduced updates to both memory forensic toolkits. These updates enabled these open source tools to analyze previously inaccessible compressed data in memory. This research was shared... https://www.fireeye.com/blog/threat-research/2019/08/finding-evil-in-windows-ten-compressed-memory-part-three.html Published: 2019 08 08 20:45:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: IDA, I Think It’s Time You And I Had a Talk: Controlling IDA Pro With Voice Control Software - published about 5 years ago. Content: Introduction This blog post is the next episode in the FireEye Labs Advanced Reverse Engineering (FLARE) team Script Series. Today, we are sharing something quite unusual. It is not a tool or a virtual machine distribution, nor is it a plugin or script for a popular reverse engineering tool or framework. Rather, it is a profile created for a consu... https://www.fireeye.com/blog/threat-research/2019/10/controlling-ida-pro-with-voice-control-software.html Published: 2019 10 03 17:00:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Definitive Dossier of Devilish Debug Details – Part Deux: A Didactic Deep Dive into Data Driven Deductions - published about 5 years ago. Content: In Part One of this blog series, Steve Miller outlined what PDB paths are, how they appear in malware, how we use them to detect malicious files, and how we sometimes use them to make associations about groups and actors. As Steve continued his research into PDB paths, we became interested in applying more general statistical analysis. The PDB p... https://www.fireeye.com/blog/threat-research/2019/10/definitive-dossier-of-devilish-debug-details-part-deux.html Published: 2019 10 17 15:30:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Operation GreedyWonk: Multiple Economic and Foreign Policy Sites Compromised, Serving Up Flash Zero-Day Exploit - published over 10 years ago. Content: Less than a week after uncovering Operation SnowMan, the FireEye Dynamic Threat Intelligence cloud has identified another targeted attack campaign — this one exploiting a zero-day vulnerability in Flash. We are collaborating with Adobe security on this issue. Adobe has assigned the CVE identifier CVE-2014-0502 to this vulnerability and released a s... https://www.fireeye.com/blog/threat-research/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html Published: 2014 02 20 18:00:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: Attention is All They Need: Combatting Social Media Information Operations With Neural Language Models - published about 5 years ago. Content: Information operations have flourished on social media in part because they can be conducted cheaply, are relatively low risk, have immediate global reach, and can exploit the type of viral amplification incentivized by platforms. Using networks of coordinated accounts, social media-driven information operations disseminate and amplify content desi... https://www.fireeye.com/blog/threat-research/2019/11/combatting-social-media-information-operations-neural-language-models.html Published: 2019 11 14 17:00:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: FIDL: FLARE’s IDA Decompiler Library - published almost 5 years ago. Content: IDA Pro and the Hex Rays decompiler are a core part of any toolkit for reverse engineering and vulnerability research. In a previous blog post we discussed how the Hex-Rays API can be used to solve small, well-defined problems commonly seen as part of malware analysis. Having access to a higher-level representation of binary code makes the Hex-Rays... https://www.fireeye.com/blog/threat-research/2019/11/fidl-flare-ida-decompiler-library.html Published: 2019 11 25 20:00:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Nice Try: 501 (Ransomware) Not Implemented - published almost 5 years ago. Content: An Ever-Evolving Threat Since January 10, 2020, FireEye has tracked extensive global exploitation of CVE-2019-19781, which continues to impact Citrix ADC and Gateway instances that are unpatched or do not have mitigations applied. We previously reported on attackers’ swift attempts to exploit this vulnerability and the post-compromise deploy... https://www.fireeye.com/blog/threat-research/2020/01/nice-try-501-ransomware-not-implemented.html Published: 2020 01 24 17:00:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: "Distinguished Impersonator" Information Operation That Previously Impersonated U.S. Politicians and Journalists on Social Media Leverages Fabricated U.S. Liberal Personas to Promote Iranian Interests - published almost 5 years ago. Content: In May 2019, FireEye Threat Intelligence published a blog post exposing a network of English-language social media accounts that engaged in inauthentic behavior and misrepresentation that we assessed with low confidence was organized in support of Iranian political interests. Personas in that network impersonated candidates for U.S. House of Re... https://www.fireeye.com/blog/threat-research/2020/02/information-operations-fabricated-personas-to-promote-iranian-interests.html Published: 2020 02 12 12:30:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Social Engineering Based on Stimulus Bill and COVID-19 Financial Compensation Schemes Expected to Grow in Coming Weeks - published over 4 years ago. Content: Given the community interest and media coverage surrounding the economic stimulus bill currently being considered by the United States House of Representatives, we anticipate attackers will increasingly leverage lures tailored to the new stimulus bill and related recovery efforts such as stimulus checks, unemployment compensation and small business... https://www.fireeye.com/blog/threat-research/2020/03/stimulus-bill-social-engineering-covid-19-financial-compensation-schemes.html Published: 2020 03 27 19:00:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation - published over 4 years ago. Content: This blog post continues the FLARE script series with a discussion of patching IDA Pro database files (IDBs) to interactively emulate code. While the fastest way to analyze or unpack malware is often to run it, malware won’t always successfully execute in a VM. I use IDA Pro’s Bochs integration in IDB mode to sidestep tedious debugging scenarios ... https://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack-malware-in-emulation.html Published: 2020 04 07 16:00:00 Received: 2022 05 23 16:06:46 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: Limited Shifts in the Cyber Threat Landscape Driven by COVID-19 - published over 4 years ago. Content: Though COVID-19 has had enormous effects on our society and economy, its effects on the cyber threat landscape remain limited. For the most part, the same actors we have always tracked are behaving in the same manner they did prior to the crisis. There are some new challenges, but they are perceptible, and we—and our customers—are prepared to conti... https://www.fireeye.com/blog/threat-research/2020/04/limited-shifts-in-cyber-threat-landscape-driven-by-covid-19.html Published: 2020 04 08 16:15:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: FLARE IDA Pro Script Series: MSDN Annotations Plugin for Malware Analysis - published about 10 years ago. Content: The FireEye Labs Advanced Reverse Engineering (FLARE) Team continues to share knowledge and tools with the community. We started this blog series with a script for Automatic Recovery of Constructed Strings in Malware. As always, you can download these scripts at the following location: https://github.com/fireeye/flare-ida. We hope you find all th... https://www.fireeye.com/blog/threat-research/2014/09/flare-ida-pro-script-series-msdn-annotations-ida-pro-for-malware-analysis.html Published: 2014 09 11 22:00:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: iBackDoor: High-Risk Code Hits iOS Apps - published about 9 years ago. Content: Introduction FireEye mobile researchers recently discovered potentially “backdoored” versions of an ad library embedded in thousands of iOS apps originally published in the Apple App Store. The affected versions of this library embedded functionality in iOS apps that used the library to display ads, allowing for potential malicious access to se... https://www.fireeye.com/blog/threat-research/2015/11/ibackdoor_high-risk.html Published: 2015 11 04 18:00:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: Maimed Ramnit Still Lurking in the Shadow - published almost 9 years ago. Content: Newspapers have the ability to do more than simply keep us current with worldly affairs; we can use them to squash bugs! Yet, as we move from waiting on the newspaper delivery boy to reading breaking news on ePapers, we lose the subtle art of bug squashing. Instead, we end up exposing ourselves to dangerous digital bugs that can affect our virtual ... https://www.fireeye.com/blog/threat-research/2016/02/maimed_ramnit_still.html Published: 2016 02 18 17:00:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Havex, It’s Down With OPC - published over 10 years ago. Content: FireEye recently analyzed the capabilities of a variant of Havex (referred to by FireEye as “Fertger” or “PEACEPIPE”), the first publicized malware reported to actively scan OPC servers used for controlling SCADA (Supervisory Control and Data Acquisition) devices in critical infrastructure (e.g., water and electric utilities), energy, and manufactu... https://www.fireeye.com/blog/threat-research/2014/07/havex-its-down-with-opc.html Published: 2014 07 17 14:00:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: IRONGATE ICS Malware: Nothing to See Here...Masking Malicious Activity on SCADA Systems - published over 8 years ago. Content: In the latter half of 2015, the FireEye Labs Advanced Reverse Engineering (FLARE) team identified several versions of an ICS-focused malware crafted to manipulate a specific industrial process running within a simulated Siemens control system environment. We named this family of malware IRONGATE. FLARE found the samples on VirusTotal while researchi... https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html Published: 2016 06 02 12:00:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: Rotten Apples: Resurgence - published about 8 years ago. Content: In June 2016, we published a blog about a phishing campaign targeting the Apple IDs and passwords of Chinese Apple users that emerged in the first quarter of 2016 (referred to as the “Zycode” phishing campaign). At FireEye Labs we have an automated system designed to proactively detect newly registered malicious domains and this system had observed ... https://www.fireeye.com/blog/threat-research/2016/10/rotten_apples_resur.html Published: 2016 10 20 12:00:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: ‘One-Stop Shop’ – Phishing Domain Targets Information from Customers of Several Indian Banks - published almost 8 years ago. Content: FireEye Labs recently discovered a malicious phishing domain designed to steal a variety of information – including credentials and mobile numbers – from customers of several banks in India. Currently, we have not observed this domain being used in any campaigns. The phishing websites appear to be in the earlier stages of development and through th... https://www.fireeye.com/blog/threat-research/2016/11/one-stop-shop-phishing-domain.html Published: 2016 11 30 17:13:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Credit Card Data and Other Information Targeted in Netflix Phishing Campaign - published almost 8 years ago. Content: Introduction Through FireEye’s Email Threat Prevention (ETP) solution, FireEye Labs discovered a phishing campaign in the wild targeting the credit card data and other personal information of Netflix users primarily based in the United States. This campaign is interesting because of the evasion techniques that were used by the attackers: The phis... https://www.fireeye.com/blog/threat-research/2017/01/credit_card_dataand.html Published: 2017 01 09 16:00:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection - published over 8 years ago. Content: Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a ransom is paid. Accessibility of cryptocurrency such as Bitcoin has directly contributed to this ransomware model. Based on data from FireEye Dynamic Threat Intelligence (DTI), ... https://www.fireeye.com/blog/threat-research/2016/07/cerber-ransomware-attack.html Published: 2016 07 18 12:00:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: The 2013 FireEye Advanced Threat Report! - published over 10 years ago. Content: FireEye has just released its 2013 Advanced Threat Report (ATR), which provides a high-level overview of the computer network attacks that FireEye discovered last year. In this ATR, we focused almost exclusively on a small, but very important subset of our overall data analysis – the advanced persistent threat (APT). APTs, due to their organization... https://www.fireeye.com/blog/threat-research/2014/02/the-2013-fireeye-advanced-threat-report.html Published: 2014 02 27 14:00:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: A Not-So Civic Duty: Asprox Botnet Campaign Spreads Court Dates and Malware - published over 10 years ago. Content: Executive Summary FireEye Labs has been tracking a recent spike in malicious email detections that we attribute to a campaign that began in 2013. While malicious email campaigns are nothing new, this one is significant in that we are observing mass-targeting attackers adopting the malware evasion methods pioneered by the stealthier APT attackers.... https://www.fireeye.com/blog/threat-research/2014/06/a-not-so-civic-duty-asprox-botnet-campaign-spreads-court-dates-and-malware.html Published: 2014 06 16 14:00:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: Using Speakeasy Emulation Framework Programmatically to Unpack Malware - published almost 4 years ago. Content: Andrew Davis recently announced the public release of his new Windows emulation framework named Speakeasy. While the introductory blog post focused on using Speakeasy as an automated malware sandbox of sorts, this entry will highlight another powerful use of the framework: automated malware unpacking. I will demonstrate, with code exampl... https://www.fireeye.com/blog/threat-research/2020/12/using-speakeasy-emulation-framework-programmatically-to-unpack-malware.html Published: 2020 12 01 20:30:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Emulation of Kernel Mode Rootkits With Speakeasy - published almost 4 years ago. Content: In August 2020, we released a blog post about how the Speakeasy emulation framework can be used to emulate user mode malware such as shellcode. If you haven’t had a chance, give the post a read today. In addition to user mode emulation, Speakeasy also supports emulation of kernel mode Windows binaries. When malware authors employ kernel mode mal... https://www.fireeye.com/blog/threat-research/2021/01/emulation-of-kernel-mode-rootkits-with-speakeasy.html Published: 2021 01 20 16:45:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Training Transformers for Cyber Security Tasks: A Case Study on Malicious URL Prediction - published almost 4 years ago. Content: Highlights Perform a case study on using Transformer models to solve cyber security problems Train a Transformer model to detect malicious URLs under multiple training regimes Compare our model against other deep learning methods, and show it performs on-par with other top-scoring models Identify issues with applying generative p... https://www.fireeye.com/blog/threat-research/2021/01/training-transformers-for-cyber-security-tasks-malicious-url-prediction.html Published: 2021 01 21 17:30:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: Phishing Campaign Leverages WOFF Obfuscation and Telegram Channels for Communication - published almost 4 years ago. Content: FireEye Email Security recently encountered various phishing campaigns, mostly in the Americas and Europe, using source code obfuscation with compromised or bad domains. These domains were masquerading as authentic websites and stole personal information such as credit card data. The stolen information was then shared to cross-platform, cloud-bas... https://www.fireeye.com/blog/threat-research/2021/01/phishing-campaign-woff-obfuscation-telegram-communications.html Published: 2021 01 26 20:45:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Fuzzing Image Parsing in Windows, Part Two: Uninitialized Memory - published over 3 years ago. Content: Continuing our discussion of image parsing vulnerabilities in Windows, we take a look at a comparatively less popular vulnerability class: uninitialized memory. In this post, we will look at Windows’ inbuilt image parsers—specifically for vulnerabilities involving the use of uninitialized memory. The Vulnerability: Uninitialized Memory In unman... https://www.fireeye.com/blog/threat-research/2021/03/fuzzing-image-parsing-in-windows-uninitialized-memory.html Published: 2021 03 03 19:30:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: capa 2.0: Better, Faster, Stronger - published over 3 years ago. Content: We are excited to announce version 2.0 of our open-source tool called capa. capa automatically identifies capabilities in programs using an extensible rule set. The tool supports both malware triage and deep dive reverse engineering. If you haven’t heard of capa before, or need a refresher, check out our first blog post. You can download capa 2.0... https://www.fireeye.com/blog/threat-research/2021/07/capa-2-better-stronger-faster.html Published: 2021 07 19 18:00:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: Announcing the Eighth Annual Flare-On Challenge - published over 3 years ago. Content: The FLARE team is once again hosting its annual Flare-On challenge, now in its eighth year. Take this opportunity to enjoy some extreme social distancing by solving fun puzzles to test your mettle and learn new tricks on your path to reverse engineering excellence. The contest will begin at 8:00 p.m. ET on Sept. 10, 2021. This is a CTF-style cha... https://www.fireeye.com/blog/threat-research/2021/08/announcing-the-eighth-annual-flare-on-challenge.html Published: 2021 08 12 15:30:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: ELFant in the Room – capa v3 - published about 3 years ago. Content: Since our initial public release of capa, incident responders and reverse engineers have used the tool to automatically identify capabilities in Windows executables. With our newest code and ruleset updates, capa v3 also identifies capabilities in Executable and Linkable Format (ELF) files, such as those used on Linux and other Unix-like operatin... https://www.fireeye.com/blog/threat-research/2021/09/elfant-in-the-room-capa-v3.html Published: 2021 09 15 13:00:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Going To Ground with The Windows Scripting Host (WSH) - published almost 11 years ago. Content: About a month ago, I was involved in an investigation that revealed a targeted attacker using an interesting variation of a well-known persistence mechanism - a technique that is relevant both to incident responders hunting for evil and penetration testers looking to add post-exploitation methods to their toolkit. Today, I'm going to t... https://www.fireeye.com/blog/threat-research/2014/02/ground-windows-scripting-host-wsh.html Published: 2014 02 19 21:56:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks - published over 10 years ago. Content: Summary FireEye Research Labs, the intelligence behind our Mandiant Consultancy services, identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. This zero-day bypasses both ASLR and DEP. Microsoft has assigned CVE-2014-1776 to... https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html Published: 2014 04 27 02:29:08 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Surge in Spam Campaign Delivering Locky Ransomware Downloaders - published over 8 years ago. Content: FireEye Labs is detecting a significant spike in Locky ransomware downloaders due to a pair of concurrent email spam campaigns impacting users in over 50 countries. Some of the top affected countries are depicted in Figure 1. Figure 1. Affected countries As seen in Figure 2, the steep spike starts on March 21, 2016, where Locky is running cam... https://www.fireeye.com/blog/threat-research/2016/03/surge_in_spam_campai.html Published: 2016 03 25 12:00:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Extending Linux Executable Logging With The Integrity Measurement Architecture - published about 8 years ago. Content: Gaining insight into the files being executed on your system is a great first step towards improved visibility on your endpoints. Taking this a step further, centrally storing logs of file execution data so they can be used for detection and hunting provides an excellent opportunity to find evil on your network. A SIEM, and to some degree your entir... https://www.fireeye.com/blog/threat-research/2016/11/extending_linux_exec.html Published: 2016 11 09 13:00:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
Article: FLARE Script Series: Recovering Stackstrings Using Emulation with ironstrings - published over 5 years ago. Content: This blog post continues our Script Series where the FireEye Labs Advanced Reverse Engineering (FLARE) team shares tools to aid the malware analysis community. Today, we release ironstrings: a new IDAPython script to recover stackstrings from malware. The script leverages code emulation to overcome this common string obfuscation technique. More preci... https://www.fireeye.com/blog/threat-research/2019/02/recovering-stackstrings-using-emulation-with-ironstrings.html Published: 2019 02 28 16:30:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: Bypassing Antivirus for Your Antivirus Bypass - published about 6 years ago. Content: Chances are you have heard about how easy it can be to evade antivirus. Often, this is because the signatures used by vendors are too simplistic and can be successfully duped without changing the functionality of the malware. Have you ever attempted to evade AV? Is it really that easy? In this blog post, I’ll show you how I adapted “malicious” (not... https://www.fireeye.com/blog/threat-research/2018/09/bypassing-antivirus-for-your-antivirus-bypass.html Published: 2018 09 13 23:00:00 Received: 2022 05 23 16:06:45 Feed: FireEye Blog Source: FireEye Blog Category: Cyber Security Topic: Cyber Security |
|
Article: CISA Adds 21 Known Exploited Vulnerabilities to Catalog - published over 2 years ago. Content: https://us-cert.cisa.gov/ncas/current-activity/2022/05/23/cisa-adds-21-known-exploited-vulnerabilities-catalog Published: 2022 05 23 15:00:00 Received: 2022 05 23 16:02:22 Feed: CISA Current Activity Source: Cybersecurity and Infrastructure Security Agency (CISA) Category: News Topic: Cyber Security |
Article: Mozilla Releases Security Products for Multiple Firefox Products - published over 2 years ago. Content: https://us-cert.cisa.gov/ncas/current-activity/2022/05/23/mozilla-releases-security-products-multiple-firefox-products Published: 2022 05 23 15:30:00 Received: 2022 05 23 16:02:22 Feed: CISA Current Activity Source: Cybersecurity and Infrastructure Security Agency (CISA) Category: News Topic: Cyber Security |
|
Click to Open Code Editor