Tag: Threat Research

Shining a Light on DARKSIDE Ransomware Operations

This article has been indexed from Threat Research Update (May 14): Mandiant has observed multiple actors cite a May 13 announcement that appeared to be shared with DARKSIDE RaaS affiliates by the operators of the service. This announcement stated that they…

Shining a Light on DARKSIDE Ransomware Operations

This article has been indexed from Threat Research Since initially surfacing in August 2020, the creators of DARKSIDE ransomware and their affiliates have launched a global crime spree affecting organizations in more than 15 countries and multiple industry verticals. Like…

Shining a Light on DARKSIDE Ransomware Operations

Since initially surfacing in August 2020, the creators of DARKSIDE ransomware and their affiliates have launched a global crime spree affecting organizations in more than 15 countries and multiple industry verticals. Like many of their peers, these actors conduct multifaceted…

The UNC2529 Triple Double: A Trifecta Phishing Campaign

In December 2020, Mandiant observed a widespread, global phishing campaign targeting numerous organizations across an array of industries. Mandiant tracks this threat actor as UNC2529. Based on the considerable infrastructure employed, tailored phishing lures and the professionally coded sophistication of…

The UNC2529 Triple Double: A Trifecta Phishing Campaign

In December 2020, Mandiant observed a widespread, global phishing campaign targeting numerous organizations across an array of industries. Mandiant tracks this threat actor as UNC2529. Based on the considerable infrastructure employed, tailored phishing lures and the professionally coded sophistication of…

Abusing Replication: Stealing AD FS Secrets Over the Network

Read the original article: Abusing Replication: Stealing AD FS Secrets Over the Network Organizations are increasingly adopting cloud-based services such as Microsoft 365 to host applications and data. Sophisticated threat actors are catching on and Mandiant has observed an increased…

M-Trends 2021: A View From the Front Lines

Read the original article: M-Trends 2021: A View From the Front Lines We are thrilled to launch M-Trends 2021, the 12th edition of our annual FireEye Mandiant publication. The past year has been unique, as we witnessed an unprecedented combination…

M-Trends 2021: A View From the Front Lines

Read the original article: M-Trends 2021: A View From the Front Lines We are thrilled to launch M-Trends 2021, the 12th edition of our annual FireEye Mandiant publication. The past year has been unique, as we witnessed an unprecedented combination…

So Unchill: Melting UNC2198 ICEDID to Ransomware Operations

Read the original article: So Unchill: Melting UNC2198 ICEDID to Ransomware Operations Mandiant Advanced Practices (AP) closely tracks the shifting tactics, techniques, and procedures (TTPs) of financially motivated groups who severely disrupt organizations with ransomware. In May 2020, FireEye released…

A Totally Tubular Treatise on TRITON and TriStation

Read the original article: A Totally Tubular Treatise on TRITON and TriStation Introduction In December 2017, FireEye’s Mandiant discussed an incident response involving the TRITON framework. The TRITON attack and many of the publicly discussed ICS intrusions involved routine techniques…

FLARE VM Update

Read the original article: FLARE VM Update FLARE VM is the first of its kind reverse engineering and malware analysis distribution on Windows platform. Since its introduction in July 2017, FLARE VM has been continuously trusted and used by many…

Emulation of Kernel Mode Rootkits With Speakeasy

Read the original article: Emulation of Kernel Mode Rootkits With Speakeasy In August 2020, we released a blog post about how the Speakeasy emulation framework can be used to emulate user mode malware such as shellcode. If you haven’t had…

SUNBURST Additional Technical Details

Read the original article: SUNBURST Additional Technical Details FireEye has discovered additional details about the SUNBURST backdoor since our initial publication on Dec. 13, 2020. Before diving into the technical depth of this malware, we recommend readers familiarize themselves with…

SUNBURST Additional Technical Details

Read the original article: SUNBURST Additional Technical Details FireEye has discovered additional details about the SUNBURST backdoor since our initial publication on Dec. 13, 2020. Before diving into the technical depth of this malware, we recommend readers familiarize themselves with…

Unauthorized Access of FireEye Red Team Tools

Read the original article: Unauthorized Access of FireEye Red Team Tools Overview A highly sophisticated state-sponsored adversary stole FireEye Red Team tools. Because we believe that an adversary possesses these tools, and we do not know whether the attacker intends…

Election Cyber Threats in the Asia-Pacific Region

Read the original article: Election Cyber Threats in the Asia-Pacific Region In democratic societies, elections are the mechanism for choosing heads of state and policymakers. There are strong incentives for adversary nations to understand the intentions and preferences of the…

Election Cyber Threats in the Asia-Pacific Region

Read the original article: Election Cyber Threats in the Asia-Pacific Region In democratic societies, elections are the mechanism for choosing heads of state and policymakers. There are strong incentives for adversary nations to understand the intentions and preferences of the…

WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques

Read the original article: WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques Microsoft is known for their backwards compatibility. When they rolled out the 64-bit variant of Windows years ago they needed to provide compatibility with existing 32-bit applications. In order…

WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques

Read the original article: WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques Microsoft is known for their backwards compatibility. When they rolled out the 64-bit variant of Windows years ago they needed to provide compatibility with existing 32-bit applications. In order…

WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques

Read the original article: WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques Microsoft is known for their backwards compatibility. When they rolled out the 64-bit variant of Windows years ago they needed to provide compatibility with existing 32-bit applications. In order…

Flare-On 7 Challenge Solutions

Read the original article: Flare-On 7 Challenge Solutions We are thrilled to announce the conclusion of the seventh annual Flare-On challenge. This year proved to be the most difficult challenge we’ve produced, with the lowest rate of finishers. This year’s…

Fuzzing Image Parsing in Windows, Part One: Color Profiles

Read the original article: Fuzzing Image Parsing in Windows, Part One: Color Profiles Image parsing and rendering are basic features of any modern operating system (OS). Image parsing is an easily accessible attack surface, and a vulnerability that may lead to…

APT41: A Dual Espionage and Cyber Crime Operation

Read the original article: APT41: A Dual Espionage and Cyber Crime Operation Today, FireEye Intelligence is releasing a comprehensive report detailing APT41, a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations.…

Emulation of Malicious Shellcode With Speakeasy

Read the original article: Emulation of Malicious Shellcode With Speakeasy In order to enable emulation of malware samples at scale, we have developed the Speakeasy emulation framework. Speakeasy aims to make it as easy as possible for users who are…

Analyzing Dark Crystal RAT, a C# Backdoor

Read the original article: Analyzing Dark Crystal RAT, a C# Backdoor The FireEye Mandiant Threat Intelligence Team helps protect our customers by tracking cyber attackers and the malware they use. The FLARE Team helps augment our threat intelligence by reverse…

Announcing the Seventh Annual Flare-On Challenge

Read the original article: Announcing the Seventh Annual Flare-On Challenge The FireEye Labs Advanced Reverse Engineering (FLARE) team is honored to announce that the popular Flare-On challenge will return for a triumphant seventh year. Ongoing global events proved no match against…

‘Ghostwriter’ Influence Campaign: Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned With Russian Security Interests

Read the original article: ‘Ghostwriter’ Influence Campaign: Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned With Russian Security Interests Mandiant Threat Intelligence has tied together several information operations that we assess with moderate confidence comprise part…

Another Darkleech Campaign

Read the original article: Another Darkleech Campaign Last week got us up close and personal with Darkleech and Blackhole with our external careers web site. The fun didn’t end there, this week we saw a tidal wave of Darkleech activity…

Using Real-Time Events in Investigations

Read the original article: Using Real-Time Events in Investigations To understand what a threat actor did on a Windows system, analysts often turn to the tried and true sources of historical endpoint artifacts such as the Master File Table (MFT),…

Analyzing Dark Crystal RAT, a C# backdoor

Read the original article: Analyzing Dark Crystal RAT, a C# backdoor The FireEye Mandiant Threat Intelligence Team helps protect our customers by tracking cyber attackers and the malware they use. The FLARE Team helps augment our threat intelligence by reverse…

New Tactics. New Motives. New Services.

Read the original article: New Tactics. New Motives. New Services. Every day at Mandiant we respond to some of the largest cyber security incidents around the world. This gives us a front-row seat to witness what works (and what doesn’t)…

Rotten Apples: Resurgence

Read the original article: Rotten Apples: Resurgence In June 2016, we published a blog about a phishing campaign targeting the Apple IDs and passwords of Chinese Apple users that emerged in the first quarter of 2016 (referred to as the…

Feodo – A new botnet on the rise

Read the original article: Feodo – A new botnet on the rise We are seeing a trend where new banking trojans are emerging on the threat landscape very rapidly.  First came Bugat followed by Carberp.  Unfortunately, it is time to…

iBackDoor: High-Risk Code Hits iOS Apps

Read the original article: iBackDoor: High-Risk Code Hits iOS Apps Introduction FireEye mobile researchers recently discovered potentially “backdoored” versions of an ad library embedded in thousands of iOS apps originally published in the Apple App Store. The affected versions of…

Maimed Ramnit Still Lurking in the Shadow

Read the original article: Maimed Ramnit Still Lurking in the Shadow Newspapers have the ability to do more than simply keep us current with worldly affairs; we can use them to squash bugs! Yet, as we move from waiting on…

Connected Cars: The Open Road for Hackers

Read the original article: Connected Cars: The Open Road for Hackers As vehicles become both increasingly complex and better connected to the Internet, their newfound versatility may be manipulated for malicious purposes. Three of the most concerning potential threats looking…