Configuring a Windows Domain to Dynamically Analyze an Obfuscated Lateral Movement Tool
We recently encountered a large obfuscated malware sample that
offered several interesting analysis challenges. It used
virtualization that prevented us from producing a fully-deobfuscated
memory dump for static analysis. Statically analyzing a large
virtualized sample...
Using Real-Time Events in Investigations
To understand what a threat actor did on a Windows system, analysts
often turn to the tried and true sources of historical endpoint
artifacts such as the Master File Table (MFT), registry hives, and
Application Compatibility...
Analyzing Dark Crystal RAT, a C# backdoor
The FireEye
Mandiant Threat Intelligence Team helps protect our customers by
tracking cyber attackers and the malware they use. The FLARE Team
helps augment our threat intelligence by reverse engineering malware
samples. Recently,...
Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents
Targeted ransomware incidents have brought a threat of disruptive and
destructive attacks to organizations across industries and
geographies. FireEye Mandiant
Threat Intelligence has previously documented this threat in our
investigations of trends
...
Excelerating Analysis, Part 2 — X[LOOKUP] Gon’ Pivot To Ya
In December 2019, we published a blog post on augmenting
analysis using Microsoft Excel for various data sets for
incident response investigations. As we described, investigations
often include custom or proprietary log formats and...
Putting the Model to Work: Enabling Defenders With Vulnerability Intelligence — Intelligence for Vulnerability Management, Part Four
One of the critical strategic and tactical roles that cyber threat
intelligence (CTI) plays is in the tracking, analysis, and
prioritization of software vulnerabilities that could potentially
put...
Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage
From at least January to April 2020, suspected Vietnamese actors
APT32 carried out intrusion campaigns against Chinese targets that
Mandiant Threat Intelligence believes was designed to collect
intelligence on the COVID-19 crisis. Spear phishing messages were...
Separating the Signal from the Noise: How Mandiant Intelligence Rates Vulnerabilities — Intelligence for Vulnerability Management, Part Three
One of the critical strategic and tactical roles that cyber threat
intelligence (CTI) plays is in the tracking, analysis, and
prioritization of software vulnerabilities that could potentially
put...
Think Fast: Time Between Disclosure, Patch Release and Vulnerability Exploitation — Intelligence for Vulnerability Management, Part Two
One of the critical strategic and tactical roles that cyber threat
intelligence (CTI) plays is in the tracking, analysis, and
prioritization of software vulnerabilities that could potentially
put...
Limited Shifts in the Cyber Threat Landscape Driven by COVID-19
Though COVID-19 has had enormous effects on our society and economy,
its effects on the cyber threat landscape remain limited. For the most
part, the same actors we have always tracked are behaving in the same
...
Thinking Outside the Bochs: Code Grafting to Unpack Malware in Emulation
This blog post continues the FLARE script series with a discussion of
patching IDA Pro database files (IDBs) to interactively emulate code.
While the fastest way to analyze or unpack malware is often to run it,
...
Zero-Day Exploitation Increasingly Demonstrates Access to Money, Rather than Skill — Intelligence for Vulnerability Management, Part One
One of the critical strategic and tactical roles that cyber threat
intelligence (CTI) plays is in the tracking, analysis, and
prioritization of software vulnerabilities that could potentially
put...
FakeNet Genie: Improving Dynamic Malware Analysis with Cheat Codes for FakeNet-NG
As developers of the network simulation tool FakeNet-NG, reverse
engineers on the FireEye FLARE team, and malware analysis instructors,
we get to see how different analysts use FakeNet-NG and the challenges
they face. We have learned...
Kerberos Tickets on Linux Red Teams
At FireEye
Mandiant, we conduct numerous red team engagements within Windows
Active Directory environments. Consequently, we frequently encounter
Linux systems integrated within Active Directory environments.
Compromising an individual domain-joined Linux system can provide
useful...
It’s Your Money and They Want It Now — The Cycle of Adversary Pursuit
When we discover new intrusions, we ask ourselves questions that will
help us understand the totality of the activity set.
How common is this activity? Is there anything unique or special
about this malware or campaign? What...
Windows 10 Security Game-Changer As Microsoft Reveals New Hacker Protection
Microsoft is set to bring a powerful new security feature to Windows 10 that just might be a game-changer.
15 Billion Stolen Logins Are Circulating on the Dark Web
Plus: Facebook's Roger Stone takedown, the BlueLeaks server seizure, and more of the week's top security news.
Exclusive: Any Chingari App (Indian TikTok Clone) Account Can Be Hacked Easily
Following vulnerability disclosure in the Mitron app, another viral TikTok clone in India has now been found vulnerable to a critical but easy-to-exploit authentication bypass vulnerability, allowing anyone to hijack any user account and tamper with their information, content,...
Is TikTok Seriously Dangerous—Do You Need To Delete It?
Here's the reality behind all the headlines...
iPhone User Sues LinkedIn For Reading Clipboard Data After iOS 14 Alert Revelations
The fallout from Apple's new iOS 14 privacy notification feature continues as one iPhone user files a class-action lawsuit against LinkedIn for silently reading clipboard data.
