New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit

Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 14, 2017, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East. We assess this activity was carried out by a suspected Iranian cyber espionage threat group, whom we refer to as APT34, using a custom PowerShell backdoor to achieve its objectives. We believe APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014. This threat group has conducted broad targeting across a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. We assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. APT34 uses a mix of public and non-public tools, often conducting spear phishing operations using compromised accounts, sometimes coupled with social engineering tactics. In May 2016, we published a ...

Recognizing and Avoiding Disassembled Junk

There is a common annoyance that seems to plague every reverse engineer and incident responder at some point in their career: wasting time or energy looking at junk code. Junk code is a sequence of bytes that you have disassembled that are not actual instructions executed as part of a program. In addition to wasting time, I’ve seen people get alarmed and excited by the junk code they’ve found. In these cases, it is because they found executable code in a place they weren’t expecting, which led them to believe they had found an exploit or an advanced malware specimen. In this post, I will discuss how to recognize junk code by learning what causes it and how it differs from real code. We are going to focus on x86 disassembly, but similar issues are present in many other architectures.

The Problem

The first mistake people make in disassembling junk code is assuming that it is actual code because it disassembled to valid instructions. The x86 instruction set is densely packed, and many are encoded with a single byte. Disassembling almost any data will yield potentially ...

Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection

Introduction

TLS (Thread Local Storage) callbacks are provided by the Windows operating system to support additional initialization and termination for per-thread data structures. As previously reported, malicious TLS callbacks, as an anti-analysis trick, have been observed for quite some time and can allow PE files to include malicious TLS callback functions that are executed prior to the AddressOfEntryPoint field (the normal start of intended execution) in the PE header. In essence, unsuspecting analysts and automated security tools can miss the actual entry point of malcode if they do not account for it at the beginning of their analysis and insert a breakpoint only on the regular offset pointed to by AddressOfEntryPoint. We recently came across an Ursnif/Gozi-ISFB sample that manipulated TLS callbacks while injecting into a child process. Though many malware binaries (or their packers) use some variation of the GetThreadContext/SetThreadContext or CreateRemoteThread Windows API functions to change the entry point of the remote process during injection, this sample (and the related cluster) is using a relatively lesser-known stealth technique. This little deviation from the standard textbook approach may cause some...

Introducing GoCrack: A Managed Password Cracking Tool

FireEye's Innovation and Custom Engineering (ICE) team released a tool today called GoCrack that allows red teams to efficiently manage password cracking tasks across multiple GPU servers by providing an easy-to-use, web-based real-time UI (Figure 1 shows the dashboard) to create, view, and manage tasks. Simply deploy a GoCrack server along with a worker on every GPU/CPU capable machine and the system will automatically distribute tasks across those GPU/CPU machines.

Figure 1: Dashboard

As readers of this blog probably know, password cracking tools are an effective way for security professionals to test password effectiveness, develop improved methods to securely store passwords, and audit current password requirements. Some use cases for a password cracking tool can include cracking passwords on exfil archives, auditing password requirements in internal tools, and offensive/defensive operations. We’re releasing GoCrack to provide another tool for distributed teams to have in their arsenal for managing password cracking and recovery tasks. Keeping in mind the sensitivity of passwords, GoCrack includes an entitlement-based system that prevents users from accessing task data unless they are the original creator or...

BACKSWING – Pulling a BADRABBIT Out of a Hat

Executive Summary

On Oct. 24, 2017, coordinated strategic web compromises started to distribute BADRABBIT ransomware to unwitting users. FireEye appliances detected the download attempts and blocked our user base from infection. During our investigation into the activity, FireEye identified a direct overlap between BADRABBIT redirect sites and sites hosting a profiler we’ve been tracking as BACKSWING. We’ve identified 51 sites hosting BACKSWING and four confirmed to drop BADRABBIT. Throughout 2017, we observed two versions of BACKSWING and saw a significant increase in May with an apparent focus on compromising Ukrainian websites. The pattern of deployment raises the possibility of a strategic sponsor with specific regional interests and suggests a motivation other than financial gain. Given that many domains are still compromised with BACKSWING, we anticipate that there is a risk that they will be used for future attacks.

Incident Background

Beginning on Oct. 24 at 08:00 UTC, FireEye detected and blocked attempts to infect multiple clients with a drive-by download masquerading as a Flash Update (install_flash_player.exe) that delivered a wormable variant of ransomware. Users were redirected to the infected site from multiple...

New FakeNet-NG Feature: Content-Based Protocol Detection

I (Matthew Haigh) recently contributed to FLARE’s FakeNet-NG network simulator by adding content-based protocol detection and configuration. This feature is useful for analyzing malware that uses a protocol over a non-standard port; for example, HTTP over port 81. The new feature also detects and adapts to SSL so that any protocol can be used with SSL and handled appropriately by FakeNet-NG. We were motivated to add this feature since it was a feature of the original FakeNet and it was needed for real-world malware.

What is FakeNet-NG

FakeNet-NG simulates a network so malware analysts can run samples with network functionality without the risks of an Internet connection. Analysts can examine network-based indicators via FakeNet-NG’s textual and pcap output. It is plug-and-play, configurable, and works on both Windows and Linux. FakeNet-NG simulates common protocols to trick malware into thinking it is connected to the Internet. FakeNet-NG supports the following protocols: DNS, HTTP, FTP, POP, SMTP, IRC, SSL, and TFTP.

Previous Design

Previously, FakeNet-NG employed Listener modules, which were bound to configurable ports for each protocol. Any traffic on those ports...

Magniber Ransomware Wants to Infect Only the Right People

Introduction

Exploit kit (EK) use has been on the decline since late 2016; however, certain activity remains consistent. The Magnitude Exploit Kit is one such example that continues to affect users, particularly in the APAC region. In Figure 1, which is based on FireEye Dynamic Threat Intelligence (DTI) reports shared in March 2017, we can see the regions affected by Magnitude EK activity during the last three months of 2016 and the first three months of 2017.

Figure 1: Magnitude EK distribution as seen in March 2017

This trend continued until late September 2017, when we saw Magnitude EK focus primarily on the APAC region, with a large chunk targeting South Korea. Magnitude EK activity then fell off the radar until Oct. 15, 2017, when it came back and began focusing solely on South Korea. Previously it had been distributing Cerber ransomware, but Cerber distribution has declined (we have also seen a decline of Cerber being distributed via email) and now it is distributing ransomware known as Magniber.

Infection

The first reappearance of Magnitude EK on Oct. 15 came as a ...

2017 Flare-On Challenge Solutions

Another year, another successful Flare-On Challenge. I’d first like to thank our challenge authors for their hard work developing each of the challenges, and also for writing up their solutions:

Challenge #1: Dominik Weber (@Invalid_handle)
Challenge #2: Nhan Huynh
Challenge #3: Matt Williams (@0xmwilliams)
Challenge #4: James T. Bennett (@jtbennettjr)
Challenge #5: Tyler Dean (@spresec)
Challenge #6: Jon Erickson (@2130706433)
Challenge #7: Michael Bailey (@mykill)
Challenge #8: Moritz Raabe (@m_r_tz)
Challenge #9: Joshua Homan
Challenge #10: Dominik Weber (@Invalid_handle)
Challenge #11: Nick Harbour (@nickharbour)
Challenge #12: Jay Smith (@jay_smif)

Our popularity and participation continued to swell, with a 57 percent increase in total players (3240) and a 304 percent increase in the number of players who solved at least one challenge (2617) over last year. The overall difficulty also appears to have increased this year, with only 4.3 percent of players (140 total) completing the challenge, a decrease from the 6 percent who completed last year’s challenge. The following graph shows the total number of players who solved each stage of...

North Korean Actors Spear Phish U.S. Electric Companies

We can confirm that FireEye devices detected and stopped spear phishing emails sent on Sept. 22, 2017, to U.S. electric companies by known cyber threat actors likely affiliated with the North Korean government. This activity was early-stage reconnaissance, and not necessarily indicative of an imminent, disruptive cyber attack that might take months to prepare if it went undetected (judging from past experiences with other cyber threat groups). We have previously detected groups we suspect are affiliated with the North Korean government compromising electric utilities in South Korea, but these compromises did not lead to a disruption of the power supply. We have not observed suspected North Korean actors using any tool or method specifically designed to compromise or manipulate the industrial control systems (ICS) networks that regulate the supply of power. Furthermore, we have not uncovered evidence that North Korean-linked actors have access to any such capability at this time. Nation-states often conduct cyber espionage operations to gather intelligence and prepare for contingencies, especially at times of high tension. FireEye has detected more than 20 cyber threat groups suspected to be sponsored...