Entries filed under 'Threat Research'

Threat Research Blog

The FireEye Labs team posts blog entries under threat research to present and discuss cyber attacks and threat intelligence from a technical perspective. They cover the full spectrum of exploits and vulnerabilities, including advanced malware and targeted threats.


    Ready for Summer: The Sunshop Campaign

    By Ned Moran | Threat Research

    We recently identified another targeted attack campaign that leveraged both the recently announced Internet Explorer zero-day, CVE-2013-1347, and the recently patched Java exploits CVE-2013-2423 and CVE-2013-1493. This campaign appears to have affected a number of victims, based on the use of the Internet Explorer zero-day as well as the volume of traffic observed making requests to the exploit server. This attack was likely executed by an actor we have named the 'Sunshop Group'. This actor was also responsible for the 2010 compromise of the Nobel Peace Prize website that leveraged a zero-day in Mozilla Firefox.

    Read more...


    Targeted Attack Trend Alert: PlugX the Old Dog With a New Trick

    By Amanda Stewart | Threat Research
    FireEye Labs has discovered a targeted attack towards Chinese political rights activists. The targets appear to be members of social groups that are involved in the political rights movement in China. The email turned up after the attention received in Beijing during the 12th National People's Congress and the 12th National Committee of the Chinese People's Political Consultative Conference, which is the election of a new core of leadership of the Chinese

    Read more...


    Malware Callbacks

    By Rob Rachwald | Threat Research
    Today we released our first-ever analysis of malware callbacks. Our report can be accessed here: http://www2.fireeye.com/WEB2013ATLReport.html. FireEye monitored more than 12 million malware communications seeking instructions, or callbacks, across hundreds of thousands of infected enterprise hosts, capturing details of advanced attacks as well as more generic varieties during the course of 2012. Callback activity reveals a great deal about an attacker's intentions, interests and geographic location. Cyber attacks are a widespread global activity. We've built interactive

    Read more...


    The Mutter Backdoor: Operation Beebus with New Targets

    By James T. Bennett | Threat Research
    FireEye Labs has observed a series of related attacks against a dozen organizations in the aerospace, defense, and telecommunications industries, as well as government agencies located in the United States and India, which have been occurring since at least December 2011. In at least one case, a decoy document included in the attack contained content that focused on Pakistani military advancements in unmanned vehicle, or "drone", technology. Technically, these

    Read more...


    Sanny CnC Backend Disabled

    By Ali Islam, Alex Lanstein | Threat Research
    We recently encountered in the wild another sample related to the Sanny APT. For readers who are not familiar with the Sanny APT, please refer to our previous blog for the background. The sample was using the same lure text and the same CVE-2012-0158 vulnerability. However, this time it was using a different board named "ecowas_1", as compared to "kbaksan_1", which was employed previously. The following are the CnC URLs used to list stolen data

    Read more...