Entries filed under 'Ned Moran'

Threat Research Blog

The FireEye Labs team posts blog entries under threat research to present and discuss cyber attacks and threat intelligence from a technical perspective. They cover the full spectrum of exploits and vulnerabilities, including advanced malware and targeted threats.

    Supply Chain Analysis: From Quartermaster to Sunshop

    By Ned Moran, James T. Bennett
    Today, we released a new report from FireEye Labs entitled Supply Chain Analysis: From Quartermaster to Sunshop. The report details how many seemingly unrelated cyber attacks may, in fact, be part of a broader offensive fueled by a shared development and logistics infrastructure — a finding that suggests some targets are facing a more organized menace than they realize. Our research points to centralized planning and development by one or more advanced...

    Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method

    By Ned Moran, Sai Omkar Vashisht, Mike Scott, Thoufique Haq
    Recently, we discovered a new IE zero-day exploit in the wild, which has been used in a strategic Web compromise. Specifically, the attackers inserted this zero-day exploit into a strategically important website, known to draw visitors that are likely interested in national and international security policy. We have identified relationships between the infrastructure used in this attack and that used in Operation DeputyDog. Furthermore, the attackers loaded the payload used in this...

    Know Your Enemy: Tracking A Rapidly Evolving APT Actor

    By Ned Moran, Thoufique Haq
    Between Oct. 24–25, FireEye detected two spear-phishing attacks attributed to a threat actor we have previously dubbed admin@338.[1] The newly discovered attacks targeted a number of organizations and were apparently focused on gathering data related to international trade, finance, and economic policy. These two attacks utilized different malware families and demonstrate an ability to quickly adapt tactics, techniques, and procedures (TTPs).
    Investor Guide and Contact List Lure
    On Friday Oct. 25, 2013,...

    Hand Me Downs: Exploit and Infrastructure Reuse Among APT Campaigns

    By Ned Moran, Nart Villeneuve
    Since we first reported on Operation DeputyDog, at least three other Advanced Persistent Threat (APT) campaigns, known as Web2Crew, Taidoor, and th3bug, have made use of the same exploit to deliver their own payloads to their own targets. It is not uncommon for APT groups to hand off exploits to others who are lower on the zero-day food chain – especially after the exploit becomes publicly available. Thus, while the exploit may be...

    Now You See Me - H-worm by Houdini

    By Thoufique Haq, Ned Moran
    H-worm is a VBS (Visual Basic Script) based RAT written by an individual going by the name Houdini. We believe the author is based in Algeria and has connections to njq8, the author of njw0rm [1] and njRAT/LV [2], by means of a shared or common code base. We have seen the H-worm RAT being employed in targeted attacks against the international energy industry; however, we also see it being employed in...