Threat Research Blog
[...] systems and stealing vital information – and perhaps putting lives at risk. Recent reports of threat actors swiping personal data of healthcare providers’ patients reinforce what FireEye Labs [...]
[...] of China-based APT groups. Conclusion This activity represents a new SWC campaign. We suspect threat actors are leveraging their access to compromised websites belonging to NGOs and non-profits to [...]
[...] on grants, legal proceedings, research programs, and even employee communications. The threat actors and recipients of the stolen data were likely able to gain significant insights into the NGOs’ [...]
[...] property theft. From our experience responding to these breaches, we’ve seen targeted threat actors actively pursuing companies involved in mergers and acquisitions in two ways: Breaching one of [...]
[...] The FireEye Labs team has identified two new zero-day vulnerabilities as part of limited, targeted attacks [...]
[...] ://www.verizonenterprise.com/DBIR/ You can stay up to date with the latest threat research from FireEye Labs at www.FireEye.com/blog [...]
[...] Between 29 April and 27 May, FireEye Labs identified several new Molerats attacks targeting at least one major U.S. financial [...]
[...] in APT campaigns alongside two other infamous RATs – PoisonIvy and Taidoor. For this blog, FireEye Labs has investigated PlugX samples discovered throughout 2013 as well as recent variants detected [...]
[...] not yet looking at breaches from the perspective of risk or impact. Priorities misaligned in incident response We see the same lack of business alignment in organizations’ responses to breaches. [...]
[...] critical. In one session, analyst Anton Chuvakin laid out a step-by-step approach for incident response. In addition, other sessions frequently alluded to the growing importance of IR. Theme #4: [...]
[...] FireEye groups have reverse engineering needs: Global Services discovers malware during incident response, Managed Defense constantly discovers threats on monitored client networks, and Products [...]
[...] are squared away, we may still encounter frustrations and limitations when performing incident response. Although we may have the data we need over the time period we need it for, we still need [...]
[...] in that they drop three files: The KernelBot implants receive targeting instructions from C2 servers hard-coded directly into the sample. For example, c3d6450075d618b1edba17ee723eb3ca drops a [...]
[...] receive stolen information. This minimizes the number of systems that actually communicate with C2 servers. C2 commands are signed using RSA-2048 and encrypted with RC4 making it very difficult to [...]
[...] brute force an RDP server, it reports back with credentials. In total we found five C2 servers used by the BrutPOS botnet. Three of these servers are located on the same network in Russia; [...]
[...] Province. Like the Moafee group, we observed DragonOK running HTRAN to proxy their C2 servers, which are also operated on CHINANET but are hosted in the Jiangsu Province. Summary [...]
[...] , DC on October 7-8 for MIRcon 2014. MIRcon features authorities on incident response, malware analysis, reverse engineering and computer forensics sharing experiences and approaches to benefit [...]
[...] technique. Figure 5: Challenge source code Automating the recovery of these strings during malware analysis is simple if the compiler follows a basic pattern. A quick examination of the disassembly in [...]
The FireEye Labs Advanced Reverse Engineering (FLARE) Team continues to share knowledge and tools with the community. We started this blog series with [...]
[...] from in-depth reversing to help improve detection capabilities. We primarily focus on malware analysis, but we also perform red-teaming of software and organizations, and we develop tools to [...]
[...] anti-virus dead” in the Wall Street Journal. At FireEye, we look at hundreds of malware samples daily, and, in a recent talk at RSA Conference, Zheng Bu, vice president of research at [...]
[...] to provide a full picture of the campaign (blue), while only a fraction of the emailed malware samples could be detected by various Anti-Virus vendors (yellow). Figure 7 FireEye Detection vs. [...]
[...] As we continued to see this odd traffic throughout the summer we began a search for malware samples responsible for this behavior. Via this research, we found a malware sample that we [...]
[...] presents a prime example of the process of attribution. We connected a builder with malware samples and the actors/developers behind these attacks. This type of attribution is key to [...]
[...] with the Backdoor.APT.Pgift malware. This builder is used to create and test files placed on the C2 server. The builder creates three files: 25dd831ae7d720998a3e3a8d205ab684 dr.asp [...]
[...] via HTTP to a hard-coded command and control (C2) server. RIPTIDE’s first communication with its C2 server fetches an encryption key, and the RC4 encryption key is used to encrypt all further [...]
[...] that begins the actual backdoor routine of waiting for and executing commands issued from the C2 server. After running itself with launchctl, the initial process forks and deletes the Mach-O from the [...]
[...] Code project at code.google[.]com/p/udom/, where it decoded a command that configured its C2 server. The sample 0b54ae49fd5a841970b98a078968cb6b was signed with the QTI International [...]
[...] -based threats. Since such information can potentially be used to access corporate networks, mobile malware plays an important role in the newly evolving multi-vector threat landscape. By looking at [...]
[...] ? Recently, FireEye Labs mobile security researchers have discovered a new kind of mobile malware that encrypts an embedded Android application with an attachment in an asset folder – [...]
[...] cloud storage services. As few security mechanisms and detection capabilities exist for mobile malware, it’s easy to see why 20 million SMS were sent and 100,000 users were infected in only a few [...]
[...] acquisition of Mandiant, as well as to discuss today’s changing threat landscape. The FireEye team will also release the latest findings from Mandiant’s annual M-Trends report and [...]
[...] . To find out more about the report or how to address these rising issues, come visit the FireEye team at InfoSec UK at Stand J60. [...]
[...] recognized as one of this year’s “Power 100.” She has made a significant impact on the FireEye team and has played a tremendous role in delivering cybersecurity solutions as well as [...]
[...] such callbacks every year. Table 1, below, shows the top 20 countries to receive first-stage malware callbacks over the last 16 months, according to the latest FireEye data. Table 1 – Callback [...]
[...] . The primary data points used in this worldwide cyber survey are more than 30 million malware callbacks to over 200 countries and territories over an 18-month period, from January 2013 to June [...]
[...] use of Apple computers has caught the attention of attackers, with FireEye Labs seeing malware callbacks from Macs increase 36 percent year-over-year between the first six months of 2013 and 2014. [...]