Entries filed under 'James T. Bennett'

Threat Research Blog

FireEye posts blog entries under threat research to present and discuss cyber attacks and threat intelligence from a technical perspective. These blog posts cover everything from exploits and vulnerabilities, to advanced malware and targeted attacks.


    Supply Chain Analysis: From Quartermaster to Sunshop

    By Ned Moran, James T. Bennett
    Today, we released a new report from FireEye Labs entitled Supply Chain Analysis: From Quartermaster to Sunshop. The report details how many seemingly unrelated cyber attacks may, in fact, be part of a broader offensive fueled by a shared development and logistics infrastructure — a finding that suggests some targets are facing a more organized menace than they realize. Our research points to centralized planning and development by one or more advanced Read more...


    The Mutter Backdoor: Operation Beebus with New Targets

    By James T. Bennett
    FireEye Labs has observed a series of related attacks against a dozen organizations in the aerospace, defense, and telecommunications industries as well as government agencies located in the United States and India which have been occurring at least as early as December of 2011. In at least one case, a decoy document included in the attack contained content that focused on Pakistan military advancements in unmanned vehicle, or “drone” technology. Technically, these Read more...


    It's a Kind of Magic

    By James T. Bennett
    In our last post we shared our initial analysis of the malware that is installed as a result of the PDF found in the wild that exploits the then-zero-day vulnerabilities, CVE-2013-0640 and CVE-2013-0641. Today we are sharing more details about this new malware, which we have dubbed "666." The following is not a complete analysis, but outlines some of the main functionality and its interesting features. At its heart, this malware is Read more...


    The Number of the Beast

    By James T. Bennett
    Yesterday, we sent out a warning regarding the PDF zero-day we found being exploited in the wild. Adobe has released a security advisory with mitigations. Here are more details about the attack. The JavaScript embedded in the crafted PDF is highly obfuscated using string manipulation techniques. Most of the variables in the JavaScript are in Italian. The JavaScript has version checks for various versions of Adobe Reader as shown below and it Read more...


    In Turn, It's PDF Time

    By Yichong Lin, James T. Bennett, Thoufique Haq
    [Update: February 13, 2013] We have found IE, Java, and Flash zero-days in a row in the past several months, and now it's PDF’s turn. Today, we identified that a PDF zero-day is being exploited in the wild, and we observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1.Upon successful exploitation, it will drop two DLLs. The first DLL shows a fake error message and opens a decoy PDF Read more...