The “EternalBlue” exploit (MS017-010) was initially used by WannaCry ransomware and Adylkuzz cryptocurrency miner. Now more threat actors are leveraging the vulnerability in Microsoft Server Message Block (SMB) protocol – this time to distribute Backdoor.Nitol and Trojan Gh0st RAT. FireEye Dynamic Threat Intelligence (DTI) has historically observed similar payloads delivered via exploitation of CVE-2014-6332 vulnerability as well as in some email spam campaigns using powershell commands. Specifically, Backdoor.Nitol has also been linked Read more...
Entries filed under 'Advanced Malware'
Threat Research Blog
FireEye posts blog entries under threat research to present and discuss cyber attacks and threat intelligence from a technical perspective. These blog posts cover everything from exploits and vulnerabilities, to advanced malware and targeted attacks.
Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads
June 2, 2017 9:00 AM By Ali Islam, Barry Vengerik, Zain Gardezi , Christopher Glyer, Haroon W Malik | Advanced MalwareDridex and Locky Return Via PDF Attachments in Latest Campaigns
May 4, 2017 12:30 PM By Swapnil Patil, Robert Venal, Yin Hong Chang, Sudeep Singh | Advanced Malware
Dridex and Locky, two prolific malware families that made waves in 2016 after being distributed in several high-volume spam campaigns, have returned after a brief hiatus. FireEye observed a decline in the volume of Dridex and Locky in the latter half of 2016, but we recently observed two new large campaigns. While the PDF downloader described in this post is responsible for spreading both Dridex and Locky, for the purposes of this Read more...
APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat
April 6, 2017 3:00 PM By FireEye iSIGHT Intelligence | Threat Intelligence, Advanced Malware, Targeted AttackAPT10 (MenuPass Group), a Chinese cyber espionage group that FireEye has tracked since 2009, has been using new tools in its most recent activity.
Read more...Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY)
April 3, 2017 8:00 AM By Matthew Dunwoody | Advanced MalwareMandiant has observed APT29 using a stealthy backdoor that we call POSHSPY, which leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation.
Read more...Still Getting Served: A Look at Recent Malvertising Campaigns Involving Exploit Kits
March 15, 2017 8:48 AM By Zain Gardezi | Advanced MalwareFireEye researchers showcase some of the prominent malvertising campaigns active over the last four months, as well as the cushion servers related to different exploit kits.
Read more...Sign up for email updates
Get information and insight on today's advanced threats from the leader in advanced threat prevention.
