Category Archives: FireEye


Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure

Category : FireEye

Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes. We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shut down operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack.

TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. TRITON is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence.

Malware Family   Main Modules   Description
TRITON           trilog.exe     Main executable leveraging a custom communication library for interaction with Triconex controllers.

Table 1: Description of TRITON Malware

Incident Summary

The attacker gained remote access to an SIS engineering workstation and deployed the TRITON attack framework to reprogram the SIS controllers. During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation. The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check — resulting in an MP diagnostic failure message.

We assess with moderate confidence that the attacker inadvertently shut down operations while developing the ability to cause physical damage, for the following reasons:

  • Modifying the SIS could prevent it from functioning correctly, increasing the likelihood of a failure that would result in physical consequences.
  • TRITON was used to modify application memory on SIS controllers in the environment, which could have led to a failed validation check.
  • The failure occurred during the time period when TRITON was used.
  • It is not likely that existing or external conditions, in isolation, caused a fault during the time of the incident.


FireEye has not connected this activity to any actor we currently track; however, we assess with moderate confidence that the actor is sponsored by a nation state. The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor. Specifically, the following facts support this assessment:

  • The attacker targeted the SIS, suggesting an interest in causing a high-impact attack with physical consequences. This is an attack objective not typically seen from cyber-crime groups.
  • The attacker deployed TRITON shortly after gaining access to the SIS system, indicating that they had pre-built and tested the tool, which would require access to hardware and software that is not widely available. TRITON is also designed to communicate using the proprietary TriStation protocol, which is not publicly documented, suggesting the adversary independently reverse engineered this protocol.
  • The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, U.S., and Israeli nation state actors. Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency.

Background on Process Control and Safety Instrumented Systems

Figure 1: ICS Reference Architecture

Modern industrial process control and automation systems rely on a variety of sophisticated control systems and safety functions. These systems and functions are often referred to as Industrial Control Systems (ICS) or Operational Technology (OT).

A Distributed Control System (DCS) provides human operators with the ability to remotely monitor and control an industrial process. It is a computerized control system consisting of computers, software applications and controllers. An Engineering Workstation is a computer used for configuration, maintenance and diagnostics of the control system applications and other control system equipment.

A SIS is an autonomous control system that independently monitors the status of the process under control. If the process exceeds the parameters that define a hazardous state, the SIS attempts to bring the process back into a safe state or automatically performs a safe shutdown of the process. If the SIS and DCS controls fail, the final line of defense is the design of the industrial facility, which includes mechanical protections on equipment (e.g. rupture discs), physical alarms, emergency response procedures and other mechanisms to mitigate dangerous situations.

Asset owners employ varied approaches to interface their plant’s DCS with the SIS. The traditional approach relies on the principles of segregation for both communication infrastructures and control strategies. For at least the past decade, there has been a trend towards integrating DCS and SIS designs for various reasons including lower cost, ease of use, and benefits achieved from exchanging information between the DCS and SIS. We believe TRITON acutely demonstrates the risk associated with integrated designs that allow bi-directional communication between DCS and SIS network hosts.

Safety Instrumented Systems Threat Model and Attack Scenarios

Figure 2: Temporal Relationship Between Cyber Security and Safety

The attack lifecycle for disruptive attacks against ICS is similar to other types of cyber attacks, with a few key distinctions. First, the attacker’s mission is to disrupt an operational process rather than steal data. Second, the attacker must have performed OT reconnaissance and have sufficient specialized engineering knowledge to understand the industrial process being controlled and successfully manipulate it.

Figure 2 represents the relationship between cyber security and safety controls in a process control environment. Even if cyber security measures fail, safety controls are designed to prevent physical damage. To maximize physical impact, a cyber attacker would also need to bypass safety controls.

The SIS threat model below highlights some of the options available to an attacker who has successfully compromised an SIS.

Attack Option 1: Use the SIS to shut down the process

  • The attacker can reprogram the SIS logic to cause it to trip and shut down a process that is, in actuality, in a safe state. In other words, trigger a false positive.
  • Implication: Financial losses due to process downtime and the complex plant start-up procedure after the shutdown.

Attack Option 2: Reprogram the SIS to allow an unsafe state

  • The attacker can reprogram the SIS logic to allow unsafe conditions to persist.
  • Implication: Increased risk that a hazardous situation will cause physical consequences (e.g. impact to equipment, product, environment and human safety) due to a loss of SIS functionality.

Attack Option 3: Reprogram the SIS to allow an unsafe state – while using the DCS to create an unsafe state or hazard

  • The attacker can manipulate the process into an unsafe state from the DCS while preventing the SIS from functioning appropriately.
  • Implication: Impact to human safety, the environment, or damage to equipment, the extent of which depends on the physical constraints of the process and the plant design.

Analysis of Attacker Intent

We assess with moderate confidence that the attacker’s long-term objective was to develop the capability to cause a physical consequence. We base this on the fact that the attacker initially obtained a reliable foothold on the DCS and could have developed the capability to manipulate the process or shut down the plant, but instead proceeded to compromise the SIS system. Compromising both the DCS and SIS system would enable the attacker to develop and carry out an attack that causes the maximum amount of damage allowed by the physical and mechanical safeguards in place.

Once on the SIS network, the attacker used their pre-built TRITON attack framework to interact with the SIS controllers using the TriStation protocol. The attacker could have caused a process shutdown by issuing a halt command or intentionally uploading flawed code to the SIS controller to cause it to fail. Instead, the attacker made several attempts over a period of time to develop and deliver functioning control logic for the SIS controllers in this target environment. While these attempts appear to have failed due to one of the attack scripts’ conditional checks, the attacker persisted with their efforts. This suggests the attacker was intent on causing a specific outcome beyond a process shutdown.

Of note, on several occasions, we have observed evidence of long term intrusions into ICS which were not ultimately used to disrupt or disable operations. For instance, Russian operators, such as Sandworm Team, have compromised Western ICS over a multi-year period without causing a disruption.

Summary of Malware Capabilities

The TRITON attack tool was built with a number of features, including the ability to read and write programs, read and write individual functions and query the state of the SIS controller. However, only some of these capabilities were leveraged in the trilog.exe sample (e.g. the attacker did not leverage all of TRITON’s extensive reconnaissance capabilities).

The TRITON malware contained the capability to communicate with Triconex SIS controllers (e.g. send specific commands such as halt or read its memory content) and remotely reprogram them with an attacker-defined payload. The TRITON sample Mandiant analyzed added an attacker-provided program to the execution table of the Triconex controller. This sample left legitimate programs in place, expecting the controller to continue operating without a fault or exception. If the controller failed, TRITON would attempt to return it to a running state. If the controller did not recover within a defined time window, this sample would overwrite the malicious program with invalid data to cover its tracks.


Asset owners who wish to defend against the capabilities demonstrated in the incident should consider the following controls:

  • Where technically feasible, segregate safety system networks from process control and information system networks. Engineering workstations capable of programming SIS controllers should not be dual-homed to any other DCS process control or information system network.
  • Leverage hardware features that provide for physical control of the ability to program safety controllers. These usually take the form of switches controlled by a physical key. On Triconex controllers, keys should not be left in the PROGRAM mode other than during scheduled programming events.
  • Implement change management procedures for changes to key position. Audit current key state regularly.
  • Use a unidirectional gateway rather than bidirectional network connections for any applications that depend on the data provided by the SIS.
  • Implement strict access control and application whitelisting on any server or workstation endpoints that can reach the SIS system over TCP/IP.
  • Monitor ICS network traffic for unexpected communication flows and other anomalous activity.
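Two of the controls above, change management for key position and regular audit of key state, can be reconciled mechanically once key positions are being recorded. The following is an added example, not code from FireEye or Mandiant. It assumes the asset owner periodically records each controller’s key position (for instance from the engineering workstation’s diagnostic view) as (timestamp, controller, keystate) records, and that change management keeps a list of approved programming windows per controller; the ticket identifiers, controller names and readings below are constructed placeholders. Every change of key position is reported so it can be matched to a ticket, and PROGRAM observed outside any approved window is flagged for follow-up.

```python
"""Audit observed Triconex key-switch positions against approved change windows.

Added example (not FireEye's or Mandiant's code). Key-state records and change
windows are assumed inputs; the sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class KeyObservation:
    when: datetime
    controller: str
    keystate: str  # "RUN", "PROGRAM", "STOP" as an assumed inventory reports them


@dataclass(frozen=True)
class ChangeWindow:
    controller: str
    start: datetime
    end: datetime
    ticket: str  # change-management reference (placeholder values below)


def in_approved_window(obs: KeyObservation, windows) -> bool:
    """True if a ticketed programming window covers this observation."""
    return any(w.controller == obs.controller and w.start <= obs.when <= w.end
               for w in windows)


def audit_keystate(observations, windows):
    """Return findings as (kind, controller, timestamp, detail) tuples.

    kind is "transition" for any change of key position, and
    "unapproved_program" when PROGRAM is seen outside an approved window.
    """
    findings = []
    last_state = {}
    for obs in sorted(observations, key=lambda o: o.when):
        prev = last_state.get(obs.controller)
        if prev is not None and prev != obs.keystate:
            findings.append(("transition", obs.controller, obs.when,
                             f"{prev} -> {obs.keystate}"))
        if obs.keystate == "PROGRAM" and not in_approved_window(obs, windows):
            findings.append(("unapproved_program", obs.controller, obs.when,
                             "PROGRAM outside any approved change window"))
        last_state[obs.controller] = obs.keystate
    return findings


def controllers_with_unapproved_program(findings):
    """Controllers that need follow-up: PROGRAM seen with no matching ticket."""
    return sorted({f[1] for f in findings if f[0] == "unapproved_program"})


# Constructed sample data (not from the incident): one ticketed window on SIS-01.
WINDOWS = [
    ChangeWindow("SIS-01", datetime(2017, 6, 1, 8, 0), datetime(2017, 6, 1, 12, 0),
                 "CHG-PLACEHOLDER-1"),
]
OBSERVATIONS = [
    KeyObservation(datetime(2017, 6, 1, 7, 0), "SIS-01", "RUN"),
    KeyObservation(datetime(2017, 6, 1, 9, 0), "SIS-01", "PROGRAM"),   # inside the window
    KeyObservation(datetime(2017, 6, 1, 11, 0), "SIS-01", "RUN"),
    KeyObservation(datetime(2017, 6, 2, 3, 0), "SIS-01", "PROGRAM"),   # 03:00 next day, no ticket
    KeyObservation(datetime(2017, 6, 2, 3, 0), "SIS-02", "RUN"),
    KeyObservation(datetime(2017, 6, 2, 4, 0), "SIS-02", "PROGRAM"),   # never scheduled
]

if __name__ == "__main__":
    results = audit_keystate(OBSERVATIONS, WINDOWS)
    for finding in results:
        print(*finding)
    print("follow up:", controllers_with_unapproved_program(results))
```

On the constructed data the audit reports four key transitions and two unapproved PROGRAM observations (SIS-01 at 03:00 on the day after its window, and SIS-02, which had no window at all). Reading the key position is the part that varies by site; the reconciliation logic does not.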

Appendix: Technical Analysis

Figure 4: TRITON Architecture and Attack Scenario

TRITON was deployed on an SIS engineering workstation running the Microsoft Windows operating system. The malware was named to masquerade as the legitimate Triconex Trilog application. This application is used for reviewing logs and is a part of the TriStation application suite. The malware was delivered as a Py2EXE-compiled Python script dependent on a zip file containing standard Python libraries, open source libraries, and the attacker-developed Triconex attack framework for interacting with the Triconex controllers. Along with the executable, two binary files, inject.bin (malicious function code) and imain.bin (malicious control logic), were deployed as the controller’s payload. These file names were hard-coded in the Py2EXE-compiled Python script.

Trilog.exe took one option from the command line: a single IP address of the target Triconex device. It did not leverage the underlying TRITON library’s capability for Triconex device discovery; instead, an instance of trilog.exe had to be invoked separately for each target controller in the environment. Once invoked, trilog.exe checked the status of the controller, then read the configuration information exposed by the TriStation protocol. If the controller was in a running state, trilog.exe encoded the two payload files inject.bin and imain.bin and passed them to the communication libraries to be appended to the controller’s program memory and execution table.

After payload files were inserted into memory on the Triconex controller, the script initiated a countdown, periodically checking the status of the controller. If an error was detected, the communication library’s method SafeAppendProgramMod attempted to reset the controller to the previous state using a TriStation protocol command. If this failed, trilog.exe attempted to write a small ‘dummy’ program to memory. We assess that this was an anti-forensics technique to hide the presence of the attacker code on the Triconex controller.

Working with the asset owner, Mandiant ran trilog.exe in a lab environment with a valid Triconex controller and discovered a conditional check in the malware that prevented the payload binary from persisting in the environment. Mandiant confirmed that, after patching the attack script to remove this check, the payload binary would persist in controller memory and the controller would continue to run.

TRITON implements the TriStation protocol, which is the protocol used by the legitimate TriStation application, to configure controllers.

TsHi is the high-level interface created by the malware’s authors that allows the threat actor’s operators to implement attack scripts using the TRITON framework. It exposes functions for both reconnaissance and attack. The functions generally accept binary data from the user, and handle the code ‘signing’ and checksums prior to passing the data to lower level libraries for serialization onto the network.

TsBase, another attacker-written module, contains the functions called by TsHi, which translate the attacker’s intended action to the appropriate TriStation protocol function code. For certain functions, it also packs and pads the data into the appropriate format.

TsLow is an additional attacker module that implements the TriStation UDP wire protocol. The TsBase library primarily depends on the ts_exec method. This method takes the function code and expected response code, and serializes the command’s payload over UDP. It checks the response from the controller against the expected value and returns a result data structure indicating success or a False object representing failure.

TsLow also exposes the connect method used to check connectivity to the target controller. If invoked with no targets, it runs the device discovery function detect_ip. This leverages a “ping” message over the TriStation protocol using IP broadcast to find controllers that are reachable via a router from where the script is invoked.
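The two behaviours just described, TriStation over UDP and a broadcast “ping” to discover controllers, are exactly what the traffic-monitoring control in the recommendations can look for. The following is an added example written from the defender’s side; it is not FireEye’s or Mandiant’s code and is not derived from TRITON. It assumes flow records (as a passive sensor on the SIS network segment would export) carrying source and destination IP, transport protocol and destination port; that TriStation runs over UDP on port 1502 (an assumption to confirm against the site’s own configuration); and that the asset owner maintains an allowlist of engineering workstations permitted to talk TriStation plus an inventory of SIS controller addresses. All addresses and flows below are constructed. Three conditions are raised: TriStation sent to a broadcast address (discovery), TriStation from a host that is not an approved engineering workstation, and TriStation from an approved workstation to an address that is not a known controller.

```python
"""Flag unexpected TriStation traffic in ICS flow records.

Added example, not FireEye/Mandiant code and not derived from TRITON.
Port, allowlist, inventory and flows are assumptions/constructed data.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

TRISTATION_UDP_PORT = 1502  # assumed; verify against your own environment


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def is_tristation(flow: Flow) -> bool:
    return flow.proto.upper() == "UDP" and flow.dport == TRISTATION_UDP_PORT


def is_broadcast(addr: str, sis_networks) -> bool:
    """Limited broadcast, or the directed broadcast of any SIS subnet."""
    ip = ipaddress.ip_address(addr)
    if addr == "255.255.255.255":
        return True
    return any(ip == ipaddress.ip_network(net).broadcast_address for net in sis_networks)


def detect(flows, allowed_ews, controllers, sis_networks):
    """Return (rule, src, dst) alerts for TriStation flows that break policy."""
    alerts = []
    for f in flows:
        if not is_tristation(f):
            continue
        if is_broadcast(f.dst, sis_networks):
            alerts.append(("tristation_broadcast_discovery", f.src, f.dst))
        elif f.src not in allowed_ews:
            alerts.append(("tristation_from_unexpected_host", f.src, f.dst))
        elif f.dst not in controllers:
            alerts.append(("tristation_to_unknown_device", f.src, f.dst))
    return alerts


def alerts_by_source(alerts) -> Counter:
    """Count alerts per source host, which is what an analyst triages first."""
    return Counter(a[1] for a in alerts)


# Constructed sample policy and flows (addresses are made up for the example).
ALLOWED_EWS = {"10.10.1.5"}                    # the one approved SIS engineering workstation
CONTROLLERS = {"10.10.2.20", "10.10.2.21"}     # inventoried Triconex controllers
SIS_NETWORKS = ["10.10.2.0/24"]
FLOWS = [
    Flow("10.10.1.5", "10.10.2.20", "UDP", 1502),   # approved EWS -> controller: normal
    Flow("10.10.1.5", "10.10.2.21", "UDP", 1502),   # normal
    Flow("10.10.1.9", "10.10.2.20", "UDP", 1502),   # unknown host talking TriStation
    Flow("10.10.1.9", "10.10.2.255", "UDP", 1502),  # broadcast: controller discovery
    Flow("10.10.1.5", "10.10.2.99", "UDP", 1502),   # approved EWS, but no such controller
    Flow("10.10.1.9", "10.10.2.20", "TCP", 502),    # Modbus/TCP, not TriStation: ignored here
    Flow("10.10.1.5", "10.10.2.20", "UDP", 161),    # SNMP: ignored here
]

if __name__ == "__main__":
    found = detect(FLOWS, ALLOWED_EWS, CONTROLLERS, SIS_NETWORKS)
    for rule, src, dst in found:
        print(f"{rule}: {src} -> {dst}")
    print(alerts_by_source(found))
```

On the constructed flows three alerts fire, two of them from the same unapproved host (10.10.1.9), which is the kind of grouping that turns a list of flow records into a single incident. The allowlist check is deliberately placed after the broadcast check: a broadcast from an approved workstation is still worth seeing, because a legitimate engineering session addresses a known controller directly.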


Filename                                                            Hash
trilog.exe                                                          MD5: 6c39c3f4a08d3d78f2eb973a94bd7718
imain.bin                                                           MD5: 437f135ba179959a580412e564d3107f
inject.bin                                                          MD5: 0544d425c7555dc4e9d76b571f31f500
5fc4b0076eac7aa7815302b0c3158076e3569086c4c6aa2f71cd258238440d14    MD5: 0face841f7b2953e7c29c064d6886523
TS_cnames.pyc                                                       MD5: e98f4f3505f05bf90e17554fbc97bba9
TsBase.pyc                                                          MD5: 288166952f934146be172f6353e9a1f5
TsHi.pyc                                                            MD5: 27c69aa39024d21ea109cc9c9d944a04
TsLow.pyc                                                           MD5: f6b3a73c8c87506acda430671360ce15
sh.pyc                                                              MD5: 8b675db417cc8b23f4c43f3de5c83438
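The indicator table above is most useful when swept across engineering workstations, and because the dropper carried its framework inside a zip of Python libraries, the sweep has to look inside archives as well as at files on disk. The following is an added example, not FireEye’s or Mandiant’s code. It hashes every file under a root, compares MD5s against the table above, opens any zip archive and checks each member by hash and by the module names the analysis lists. A name match alone is weak evidence (sh.pyc in particular is a generic name) and is reported separately from a hash match. The fixture built by build_fixture() is constructed for the example; its contents are not the real samples, so only name matches fire on it.

```python
"""Sweep a directory (and any zip archives in it) for the TRITON indicators above.

Added example (not FireEye's/Mandiant's code). Hash values come from the page's
indicator table; the fixture written by build_fixture() is constructed.
"""
import hashlib
import os
import tempfile
import zipfile

# MD5 values copied from the indicator table above.
KNOWN_MD5 = {
    "6c39c3f4a08d3d78f2eb973a94bd7718": "trilog.exe",
    "437f135ba179959a580412e564d3107f": "imain.bin",
    "0544d425c7555dc4e9d76b571f31f500": "inject.bin",
    "0face841f7b2953e7c29c064d6886523": "TRITON framework archive",
    "e98f4f3505f05bf90e17554fbc97bba9": "TS_cnames.pyc",
    "288166952f934146be172f6353e9a1f5": "TsBase.pyc",
    "27c69aa39024d21ea109cc9c9d944a04": "TsHi.pyc",
    "f6b3a73c8c87506acda430671360ce15": "TsLow.pyc",
    "8b675db417cc8b23f4c43f3de5c83438": "sh.pyc",
}
# File and module names from the analysis; matched case-sensitively on the basename.
KNOWN_NAMES = {"trilog.exe", "TS_cnames.pyc", "TsBase.pyc", "TsHi.pyc", "TsLow.pyc",
               "sh.pyc", "inject.bin", "imain.bin"}


def check_blob(name: str, data: bytes, location: str):
    """Findings for one file or archive member: (kind, location, indicator)."""
    findings = []
    digest = hashlib.md5(data).hexdigest()
    if digest in KNOWN_MD5:
        findings.append(("hash_match", location, KNOWN_MD5[digest]))
    base = os.path.basename(name.replace("\\", "/"))
    if base in KNOWN_NAMES:
        findings.append(("name_match", location, base))
    return findings


def scan_directory(root: str):
    """Walk root; hash every file, and every member of every zip archive."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()
            findings += check_blob(fn, data, path)
            if zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        if member.endswith("/"):
                            continue  # directory entry, nothing to hash
                        findings += check_blob(member, zf.read(member), f"{path}:{member}")
    return findings


def build_fixture(root: str) -> None:
    """Constructed look-alike layout: a library zip plus the two payload file names."""
    with zipfile.ZipFile(os.path.join(root, "library.zip"), "w") as zf:
        for member in ("os.pyc", "struct.pyc", "TsHi.pyc", "TsLow.pyc",
                       "TsBase.pyc", "TS_cnames.pyc"):
            zf.writestr(member, b"constructed placeholder bytes for " + member.encode())
    for payload in ("imain.bin", "inject.bin"):
        with open(os.path.join(root, payload), "wb") as fh:
            fh.write(b"constructed placeholder payload")
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"benign file")


def run_demo():
    """Build the constructed fixture in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for kind, location, indicator in run_demo():
        print(f"{kind:10s} {indicator:14s} {location}")
```

Against a real host the hash matches are the authoritative result; the name matches are there so that a rebuilt or recompiled copy of the framework, whose hashes would differ, still surfaces for a human to look at.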


rule TRITON_framework_RULE_NAME_NOT_RECOVERED
{
    // The rule header and four string values did not survive extraction of this page.
    // The rule name above is a placeholder, and the strings whose values were lost are
    // commented out so that the rule compiles; the remaining strings are as published.
    meta:
        author = "nicholas.carr @itsreallynick"
        md5 = "0face841f7b2953e7c29c064d6886523"
        description = "TRITON framework recovered during Mandiant ICS incident response"

    strings:
        $python_compiled = ".pyc" nocase ascii wide
        $python_module_01 = "__module__" nocase ascii wide
        $python_module_02 = "<module>" nocase ascii wide
        $python_script_01 = "import Ts" nocase ascii wide
        $python_script_02 = "def ts_" nocase ascii wide

        // $py_cnames_01 = "" nocase ascii wide   (value lost from the page)
        $py_cnames_02 = "TRICON" nocase ascii wide
        $py_cnames_03 = "TriStation " nocase ascii wide
        $py_cnames_04 = " chassis " nocase ascii wide

        $py_tslibs_01 = "GetCpStatus" nocase ascii wide
        $py_tslibs_02 = "ts_" ascii wide
        $py_tslibs_03 = " sequence" nocase ascii wide
        $py_tslibs_04 = /import Ts(Hi|Low|Base)[^:alpha:]/ nocase ascii wide
        $py_tslibs_05 = /module\s?version/ nocase ascii wide
        $py_tslibs_06 = "bad " nocase ascii wide
        $py_tslibs_07 = "prog_cnt" nocase ascii wide

        // $py_tsbase_01 = "" nocase ascii wide   (value lost from the page)
        $py_tsbase_02 = ".TsBase(" nocase ascii wide

        // $py_tshi_01 = "" nocase ascii wide   (value lost from the page)
        $py_tshi_02 = "keystate" nocase ascii wide
        $py_tshi_03 = "GetProjectInfo" nocase ascii wide
        $py_tshi_04 = "GetProgramTable" nocase ascii wide
        $py_tshi_05 = "SafeAppendProgramMod" nocase ascii wide
        $py_tshi_06 = ".TsHi(" ascii nocase wide

        // $py_tslow_01 = "" nocase ascii wide   (value lost from the page)
        $py_tslow_02 = "print_last_error" ascii nocase wide
        $py_tslow_03 = ".TsLow(" ascii nocase wide
        $py_tslow_04 = "tcm_" ascii wide
        $py_tslow_05 = " TCM found" nocase ascii wide

        $py_crc_01 = "crc.pyc" nocase ascii wide
        $py_crc_02 = "CRC16_MODBUS" ascii wide
        $py_crc_03 = "Kotov Alaxander" nocase ascii wide
        $py_crc_04 = "CRC_CCITT_XMODEM" ascii wide
        $py_crc_05 = "crc16ret" ascii wide
        $py_crc_06 = "CRC16_CCITT_x1D0F" ascii wide
        $py_crc_07 = /CRC16_CCITT[^_]/ ascii wide

        $py_sh_01 = "sh.pyc" nocase ascii wide

        $py_keyword_01 = " FAILURE" ascii wide
        $py_keyword_02 = "symbol table" nocase ascii wide

        $py_TRIDENT_01 = "inject.bin" ascii nocase wide
        $py_TRIDENT_02 = "imain.bin" ascii nocase wide

    condition:
        2 of ($python_*) and 7 of ($py_*) and filesize < 3MB
}


Author: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer


Security Predictions 2018


Cyber crime is a business that threat actors take very seriously. Cyber security is its opposing force. To be effective in the battle against cyber attacks, trusted security partners such as FireEye must hold their secrets close.

But to equip the world-at-large against an ever-expanding and continually diversifying collection of threats, some information must be shared freely.

The Security Predictions for 2018 paper offers unique insights into what we can expect from attackers, victim organizations, security vendors and nation-states in the coming year.

  • Who is likely to instigate cyber attacks, and who are their targets
  • What cyber attack techniques are likely to be most popular, and under what conditions
  • Which nation-states are likely to engage in cyber warfare and cyber crime, and their reasons for doing so
  • What options are available to deal with cyber attacks, and which activities will be most effective

Take notes. Take guidance. Take the edge away from the criminals working against you in the coming year.

Download the paper today.


The Underground Uber Networks Driven by Russian Hackers


Uber’s ride-sharing service has given birth to some of the most creative criminal scams to date, including using a GPS-spoofing app to rip off riders in Nigeria, and even ginning up fake drivers by using stolen identities. Add to those this nefariously genius operation: Cybercriminals, many working in Russia, have created their own illegitimate taxi services for other crooks by piggybacking off Uber’s ride-sharing platform, sometimes working in collaboration with corrupt drivers.

Based on several Russian-language posts across a number of criminal-world sites, this is how the scam works: The scammer needs an emulator, a piece of software which allows them to run a virtual Android phone on their laptop with the Uber app, as well as a virtual private network (VPN), which routes their computer’s traffic through a server in the same city as the rider. The scammer acts, in essence, as a middleman between an Uber driver and the passenger—ordering trips through the Uber app, but relaying messages outside of it. Typically, this fraudulent dispatcher uses the messaging app Telegram to chat with the passenger, who provides pickup and destination addresses. The scammer orders the trip, and then provides the car brand, driver name, and license plate details back to the passenger through Telegram.

In one Russian-language crime-forum post, a scammer says their service runs in some 20 cities, including Moscow and St. Petersburg, as well as Kiev in Ukraine and Minsk in Belarus; another thread suggests the service has been used in New York and Portugal as well. In some cases, the scam middleman will use an Uber promotional code or voucher for a free or discounted ride—meaning they’d just pocket whatever fee charged to the passenger. In another variation of the scheme, some scammers are working with drivers to split profits—one post explicitly says the scammer cooperates with drivers.

“Presumably, this service would operate similarly to other money laundering schemes, in which the service provider would use compromised payment credentials to cover the cost of the Uber ride for a customer, who would pay him/her the discounted rate,” David S. Mainor, who manages financial-crime analysis at cybersecurity firm FireEye, told The Daily Beast.

Regardless, the passenger pays the scammer through the Russian service Qiwi, according to two posts on Russian-language crime forums, although other schemes may use Yandex.Money or Sberbank, judging by another post. If the payment is late, one scammer writes they will cancel the trip, “usually in the middle of the ring road =).”

And the prices are cheap. One scammer is offering four hours of UberX for 600 rubles, or just over $10, and the same amount of time in an UberBlack for 1,000 rubles, or $17. On another Russian crime site, a different fraudster offers more short-time rides, with up to 40 minutes costing 200 rubles—just $3. That scammer will also redirect the driver’s call to the passenger’s own phone for an extra 80 cents.

Obviously, this is not the most profitable scam in the world. But it still shows the ingenuity of fraudsters determined to squeeze whatever profit they can out of tech services, and the idea is seemingly to build a business, albeit an illegitimate one, over time, rather than pulling a quick, one-off scam. One guide suggests marketing the scheme to students, or people who don’t want to wait for the subway, and posting adverts on VK, Russia’s version of Facebook. It also recommends giving away the first trip for free, so as to build a loyal customer base.

Customers don’t necessarily have to ride in the Ubers either; one apparently satisfied user says they like to use Ubers as “couriers,” although it’s not clear what exactly the person may have been transporting. Some scammers have even tried to automate much of the process, by setting up a bot to handle messages instead of having a human relay them through Telegram.

“Everything is easy and accessible at any time of the day,” writes that fraudster, whose avatar includes a cartoon of a taxi. The bot has not always worked as intended though, judging by some responses to the post. Earlier this year, the scammer offered a promotional code that when typed into the bot would offer a free ride, and another of their posts says this service uses Yandex.Taxi, a kind of Russian Uber alternative.

“Currently, actors tend to focus on Uber more than other ride-sharing services, likely due to the prevalence of Uber in the global ride-sharing market; however, other such comparable services, such as Lyft, share similar risk profiles,” Mainor from FireEye added.

Uber spokesperson Melanie Ensign told The Daily Beast, after being shown a screenshot for one of the illegitimate Uber services, “We have multiple detection and prevention measures in place for this type of fraud, including multi-factor authentication for suspicious logins either at the time of login or at the time a trip is requested.”

“Our anti-fraud team also uses machine-learning models and pattern detection to identify fake accounts created with stolen credit cards and routinely deactivate fraudulent actors. In some cases, we’re able to proactively refund riders when we detect fraudulent activity, but they can also report issues to our team inside the Uber app for investigation. Additionally, we have a specialized team of fraud investigators who actively monitor online forums where these services are advertised,” she added.

Not everything has been smooth sailing for these scammers. A number of customers have complained of sloppy service, and, particularly at the start of the year, multiple users said Uber had somehow clamped down on the practice. But an apparently happy customer left a positive review on one related thread just last month.

At the end of one of the online advertisements, the scammer writes, “Enjoy your trips!”

Source: The Daily Beast



FireEye Autumn Demo Series


Innovative FireEye technologies continue to set the standard for cyber security. Now you can see how simple and effective these solutions are.

The FireEye Autumn Demo Series provides a firsthand experience of our new security operations platform and recent major enhancements to both endpoint and email solutions.

These 15-minute live demos, followed by Q&A sessions, are delivered by seasoned FireEye engineers.

Solution            Demo Date         Time
Email Security      Every Tuesday     12 p.m. ET / 9 a.m. PT
Endpoint Security   Every Wednesday   12 p.m. ET / 9 a.m. PT
FireEye Helix       Every Thursday    12 p.m. ET / 9 a.m. PT

Reserve a spot for your preferred demo today.


Tomorrow’s Endpoint Protection Platforms


Why common endpoint security can’t beat modern threats

Although endpoint protection platforms (EPP) continue to rely on the decades-old technology that was part of their original design, cyber threats are forcing a change. You cannot afford to settle for standard endpoint security products.

As attack methodologies have evolved, endpoint security has continued to adapt based on several insights:

  • The static, reactive approach of signature-based security and machine learning programming are no longer sufficient.
  • Encryption, vulnerability assessment and data loss prevention (DLP) capabilities add value, but don’t close the security gap.
  • Comprehensive visibility, intelligence, behavior analysis and automation are critical to the future of endpoint security.

The FireEye whitepaper, “Tomorrow’s Endpoint Protection Platforms,” discusses how EPPs are changing, and explains what EPP capabilities might be best for your needs.


The Devious Netflix Phish That Just Won’t Die


The email hits your inbox with an urgent warning: Your Netflix account has been suspended, due to a problem with your billing information. It offers a link, which takes you to what looks very much like a Netflix landing page. It’s not. Instead, it’s a phishing scam that collects extensive personal data on victims. But as with all of the most pernicious phishes, the problem with the Netflix phish isn’t just its convincing look—it’s that whoever’s behind it has found new ways to bypass spam filters over and over again.

While the Netflix phish has garnered recent headlines, it dates back at least to January, when threat researchers at the security firm FireEye first detected it. It prompts victims to type in their username and password, and then presents a form to update their billing information (things like full name, date of birth, address, and phone number). After that, another form asks them to validate their payment method by entering their credit card info. Some versions of the phish even ask for a Social Security number.

Deep Deception

As with many social engineering attacks, its outward simplicity helps ensnare potential victims. Underneath that exterior, though, researchers who have tracked the campaign say that it uses a clever combination of defense measures to make it harder for spam filters, antivirus programs, and phishing scanners to flag.

Richard Hummel, the manager of technical analysis at FireEye, says that he still sees attackers using some of the same subject lines for Netflix phishing emails that they did almost a year ago. “They’re not even varying their tactics all that much,” he says. “What they’re doing is working, it’s successful. Netflix is still one of the common themes that’s used for credential theft. It’s definitely something that’s still ongoing—steady and recurring.”

While the Netflix phish is outwardly straightforward, it does include a lot of clever touches. It replicates a lot of the HTML Netflix uses on its actual website, to make the fake pages look as genuine as possible. The login pages even include autofilling backsplashes that promote Netflix original content. The phishing emails also use a template system, to personalize the messages by autofilling each victim’s name at the beginning.

The evasive maneuvers go even deeper. Some versions of the campaign encrypt user-side HTML in the phishing pages, so scanners can’t inspect the code for malicious components. The phishing pages also have a defense in place where they won’t load for IP addresses that trace back to known internet security monitoring groups, like Google, or the anti-phishing initiative PhishTank. All of this makes it easier for phishers to run the Netflix scam again and again, because their infrastructure hasn’t been flagged on security and spam blacklists.

Most importantly, the Netflix phishers use a well-known technique of compromising legitimate web accounts or web servers, and hosting their phishing pages off of those services. By hosting the pages on sites that have been around for a while and weren’t previously malicious, the attackers buy time on URLs that have credibility (known online as a good reputation score) and won’t be flagged by security scanners. Analysts at the email scanning and security group MailGuard found that in this go-around the Netflix phishers have been using compromised WordPress blogs to host their malicious pages.

This type of approach can be used to launch phishing attacks based off of all different brands and services. Aaron Higbee, CTO of the phishing defense firm PhishMe, says the company has tracked the same types of phishing campaign infrastructure to impersonate brands like Chase, Comcast, TD Bank, and Wells Fargo. And he notes that the system can perpetuate itself. Some of the stolen credentials attackers get out of the scam may include reused credentials for accounts and web servers that the phishers can then compromise and use to launch more attacks.

Safety Steps

The good news is that users can protect themselves by following the standard advice about phishing. To confirm who really sent an email, click on the downward arrow next to the sender’s name in Gmail. It’ll expand to show the full info. Hover over any links to confirm that they lead to the URLs they claim. Make account changes by navigating, on your own, to a site itself, and log in there instead of going through an email link. Don’t reuse passwords. And view any emails that push you to act right away with suspicion.
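The “hover over the link and check where it really goes” advice above is something a mail gateway or a user’s own script can do for every anchor in a message. The following is an added example and is not code from the article, FireEye, PhishMe or Netflix. It parses the anchors out of an HTML message with the standard-library parser and raises two kinds of finding: the visible link text names a host that differs from the href’s host, and an http(s) link whose registrable domain is not the claimed brand’s. It goes one step beyond the article’s own case by also catching the look-alike where the brand name appears only as a subdomain of another domain. The registrable-domain helper is a crude last-two-labels approximation and is an assumption of this example, not a public-suffix lookup; the sample message and its hostnames are constructed.

```python
"""Check the links in an HTML email against the brand it claims to come from.

Added example (not from the article, FireEye, PhishMe or Netflix). The
registrable-domain helper is an approximation; the sample email is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A hostname-looking token in link text, e.g. "www.netflix.com" in "www.netflix.com/YourAccount"
HOST_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable(host: str) -> str:
    """Approximate registrable domain: last two labels (assumption, not a PSL lookup)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def audit_links(html: str, claimed_domain: str):
    """Return (kind, href, detail) findings for suspicious anchors."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue  # mailto:, tel:, fragment-only: nothing to compare
        href_dom = registrable(parsed.hostname)
        shown = HOST_IN_TEXT.search(text)
        if shown and registrable(shown.group(1)) != href_dom:
            findings.append(("display_mismatch", href, f"text shows {shown.group(1)}"))
        if href_dom != claimed_domain.lower():
            findings.append(("off_brand_host", href, f"host {parsed.hostname}"))
    return findings


# Constructed sample message in the style the article describes (hostnames are made up).
SAMPLE_EMAIL = """
<html><body>
<p>Dear customer, your account has been suspended due to a billing problem.</p>
<p><a href="http://compromised-blog.test/wp-content/uploads/nf/index.php">www.netflix.com/YourAccount</a></p>
<p><a href="https://www.netflix.com.account-verify.test/login">Update your payment method</a></p>
<p><a href="https://help.netflix.com/contact">Contact us</a> &middot;
   <a href="mailto:support@netflix.com">Email support</a></p>
</body></html>
"""

if __name__ == "__main__":
    for kind, href, detail in audit_links(SAMPLE_EMAIL, "netflix.com"):
        print(f"{kind}: {href} ({detail})")
```

On the sample, the first link is flagged twice (its text claims netflix.com while it points at a compromised blog, and the host is off-brand), the subdomain look-alike is flagged once, and the genuine help.netflix.com link and the mailto: link pass. A production version would swap the last-two-labels helper for a public-suffix list, since registrable domains such as co.uk have three labels.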

“Unfortunately, these scams are common on the internet and target popular brands such as Netflix and other companies with large customer bases to lure users into giving out personal information,” Netflix said in a statement to WIRED.

There’s a lot at stake. Researchers say that the Netflix phishers also likely sell the victim data they collect to dark-web processors looking for bulk data, credit card numbers, and even just active Netflix accounts that they can resell for a few dollars.

“There are a number of motives here,” Higbee says. “And I know I’m going to sound like a broken record, but if your email address password is the same as your entertainment passwords you’re really setting yourself up for disaster. Your email address password needs to be different even if you don’t vary all your passwords. That alone will prevent a lot of damage.”

You might as well commit those tips to memory—especially with an attack like the Netflix phish that’s been around for months, and isn’t slowing down.


Author: Lily Hay Newman

2017 – An active year for APT groups

From cyber criminals who seek personal financial information and intellectual property to state-sponsored cyber attacks designed to steal data and compromise infrastructure, today’s advanced persistent threats (APTs) can sidestep cyber security efforts and cause serious damage to your organization.
2017 is already one of the most prolific years in terms of APT activity. Indeed, since the beginning of the year, there have been several examples of major cyber attacks.

Join us for a live webinar as we discuss:
– The most severe cybercriminal activities of 2017
– The motivations, approaches and TTPs of the threat groups behind these attacks
– Insights into APT10, APT32 & APT33


BACKSWING – Pulling a BADRABBIT Out of a Hat

Executive Summary

On Oct. 24, 2017, coordinated strategic web compromises started to distribute BADRABBIT ransomware to unwitting users. FireEye appliances detected the download attempts and blocked our user base from infection. During our investigation into the activity, FireEye identified a direct overlap between BADRABBIT redirect sites and sites hosting a profiler we’ve been tracking as BACKSWING. We’ve identified 51 sites hosting BACKSWING and four confirmed to drop BADRABBIT. Throughout 2017, we observed two versions of BACKSWING and saw a significant increase in May with an apparent focus on compromising Ukrainian websites. The pattern of deployment raises the possibility of a strategic sponsor with specific regional interests and suggests a motivation other than financial gain. Given that many domains are still compromised with BACKSWING, we anticipate that there is a risk that they will be used for future attacks.

Incident Background

Beginning on Oct. 24 at 08:00 UTC, FireEye detected and blocked attempts to infect multiple clients with a drive-by download masquerading as a Flash Update (install_flash_player.exe) that delivered a wormable variant of ransomware. Users were redirected to the infected site from multiple legitimate sites (e.g. http://www.mediaport[.]ua/sites/default/files/page-main.js) simultaneously, indicating a coordinated and widespread strategic web compromise campaign.

FireEye network devices blocked infection attempts at over a dozen victims primarily in Germany, Japan, and the U.S. until Oct. 24 at 15:00 UTC, when the infection attempts ceased and attacker infrastructure – both 1dnscontrol[.]com and the legitimate websites containing the rogue code – were taken offline.

BACKSWING Framework Likely Connected to BADRABBIT Activity

Strategic web compromises can have a significant amount of collateral targeting. It is common for threat actors to pair a strategic web compromise with profiling malware to target systems with specific application versions or victims. FireEye observed that BACKSWING, a malicious JavaScript profiling framework, was deployed to at least 54 legitimate sites starting as early as September 2016. A handful of these sites were later used to redirect to BADRABBIT distribution URLs.

FireEye iSIGHT Intelligence tracks two distinct versions of BACKSWING that contain the same functionality, but differ in their code styles. We consider BACKSWING a generic container used to select attributes of the current browsing session (User-Agent, HTTP Referrer, Cookies, and the current domain). This information is then relayed to a “C2”, sometimes referred to as a “receiver.” If the receiver is online, the server returns a unique JSON blob to the caller, which is then parsed by the BACKSWING code (Figure 1).

Figure 1: BACKSWING Reply

BACKSWING expects the JSON blob to have two fields, “InjectionType” (expected to be an integer) and “InjectionString” (expected to be a string containing HTML content). BACKSWING version 1 (Figure 2) branches on the value of “InjectionType” into two code paths:

  • If InjectionType == 1 (Redirect browser to URL)
  • If InjectionType != 1 (render HTML into the DOM)

Figure 2: Backswing Version 1

In Version 2 (Figure 3), BACKSWING retains similar logic but drops the redirect path: the InjectionString is always rendered into the DOM, whatever the InjectionType.

Figure 3: BACKSWING Version 2
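The reply handling just described, as an added example (not FireEye's or the actor's code): a Python triage helper that applies the v1/v2 InjectionType semantics to captured receiver replies and flags the two div identifiers the post reports in late-June 2017 replies. The receiver URLs are those from Table 1; the reply bodies themselves are constructed.

```python
"""Triage of captured BACKSWING receiver replies.

Added example, not FireEye's or the actor's code. The receiver answers with a
JSON blob carrying "InjectionType" (integer) and "InjectionString" (HTML).
Version 1 treats InjectionType == 1 as a URL to redirect the browser to and
anything else as HTML rendered into the DOM; version 2 renders the string
into the DOM regardless of InjectionType. Sample replies are constructed.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# div ids the post reports in late-June 2017 v1 replies
KNOWN_DIV_IDS = {
    "07a06a96-3345-43f2-afe1-2a70d951f50a",
    "9b142ec2-1fdb-4790-b48c-ffdf22911104",
}

# id attribute of a <div>, quoted or unquoted
DIV_ID_RE = re.compile(r"<div\b[^>]*\bid\s*=\s*[\"']?([^\"'\s>]+)", re.I)


@dataclass
class Verdict:
    action: str                      # "redirect", "inject", "empty" or "malformed"
    target: Optional[str] = None     # redirect URL (redirect only)
    div_ids: List[str] = field(default_factory=list)
    known_indicator: bool = False    # any div id matches the published ones


def parse_reply(body: str, version: int = 1) -> Verdict:
    """Classify one receiver reply body under v1 (default) or v2 semantics."""
    try:
        blob = json.loads(body)
    except json.JSONDecodeError:
        return Verdict("malformed")       # includes an empty body (receiver offline)
    if not isinstance(blob, dict):
        return Verdict("malformed")
    itype = blob.get("InjectionType")
    istr = blob.get("InjectionString")
    # bool is an int subclass in Python; reject it explicitly
    if isinstance(itype, bool) or not isinstance(itype, int) or not isinstance(istr, str):
        return Verdict("malformed")
    if not istr.strip():
        return Verdict("empty")           # receiver online but nothing to deliver
    if version == 1 and itype == 1:
        return Verdict("redirect", target=istr)   # v1-only branch
    ids = DIV_ID_RE.findall(istr)
    return Verdict("inject", div_ids=ids,
                   known_indicator=any(i.lower() in KNOWN_DIV_IDS for i in ids))


# Constructed captures: (receiver seen in Table 1, BACKSWING version, reply body)
CAPTURED_REPLIES = [
    ("http://172.97.69[.]79/i/", 1,
     '{"InjectionType": 2, "InjectionString": '
     '"<div id=\\"07a06a96-3345-43f2-afe1-2a70d951f50a\\"></div>'
     '<div id=\\"9b142ec2-1fdb-4790-b48c-ffdf22911104\\"></div>"}'),
    ("http://172.97.69[.]79/i/", 1,
     '{"InjectionType": 1, "InjectionString": "http://1dnscontrol[.]com/"}'),
    ("http://185.149.120[.]3/scholargoogle/", 2,
     '{"InjectionType": 1, "InjectionString": "<div id=tracker></div>"}'),
    ("http://185.149.120[.]3/scholargoogle/", 2, ""),   # empty body, reported as malformed
]


def triage(captures) -> List[Dict[str, object]]:
    """Run parse_reply over captures and return one summary row per reply."""
    rows = []
    for receiver, version, body in captures:
        v = parse_reply(body, version)
        rows.append({"receiver": receiver, "version": version, "action": v.action,
                     "target": v.target, "div_ids": v.div_ids,
                     "known_indicator": v.known_indicator})
    return rows


if __name__ == "__main__":
    for row in triage(CAPTURED_REPLIES):
        print(row)
```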

Version 1:

  • FireEye observed the first version of BACKSWING in late 2016 on websites belonging to a Czech Republic hospitality organization in addition to a government website in Montenegro. Turkish-tourism websites were also injected with this profiler.
  • BACKSWING v1 was commonly injected in cleartext to affected websites, but over time, actors began to obfuscate the code using the open-source Dean Edwards Packer and injected it into legitimate JavaScript resources on affected websites. Figure 4 shows the injection content.
  • Beginning in May 2017, FireEye observed a number of Ukrainian websites compromised with BACKSWING v1, and in June 2017, began to see content returned from BACKSWING receivers.
  • In late June 2017, BACKSWING servers returned an HTML div element with two distinct identifiers. When decoded, BACKSWING v1 embedded two div elements within the DOM with values of 07a06a96-3345-43f2-afe1-2a70d951f50a and 9b142ec2-1fdb-4790-b48c-ffdf22911104. No additional content was observed in these replies.

Figure 4: BACKSWING Injection Content

Version 2:

  • The earliest that FireEye observed BACKSWING v2 was on Oct. 5, 2017, across multiple websites that previously hosted BACKSWING v1.
  • BACKSWING v2 was predominantly injected into legitimate JavaScript resources hosted on affected websites; however, some instances were injected into the sites’ main pages.
  • FireEye observed limited instances where websites hosting this version were also implicated in suspected BADRABBIT infection chains (detailed in Table 1).

Malicious profilers allow attackers to obtain more information about potential victims before deploying payloads (in this case, the BADRABBIT “flash update” dropper). While FireEye has not directly observed BACKSWING delivering BADRABBIT, BACKSWING was observed on multiple websites that were seen referring FireEye customers to 1dnscontrol[.]com, which hosted the BADRABBIT dropper.

Table 1 highlights the legitimate sites hosting BACKSWING that were also used as HTTP referrers for BADRABBIT payload distribution.

Compromised Website | BACKSWING Receiver | BACKSWING Version | Observed BADRABBIT Redirect
blog.fontanka[.]ru | Not Available | Not Available | 1dnscontrol[.]com
[.]jp (domain truncated on the page) | http://185.149.120[.]3/scholargoogle/ | v2 | 1dnscontrol[.]com
www.fontanka[.]ru | http://185.149.120[.]3/scholargoogle/ | v2 | 1dnscontrol[.]com
www.mediaport[.]ua | http://172.97.69[.]79/i/ | v1 | 1dnscontrol[.]com
www.mediaport[.]ua | http://185.149.120[.]3/scholargoogle/ | v2 | 1dnscontrol[.]com
www.smetkoplan[.]com | http://172.97.69[.]79/i/ | v1 | 1dnscontrol[.]com
www.smetkoplan[.]com | http://38.84.134[.]15/Core/Engine/Index/default | v1 | 1dnscontrol[.]com
www.smetkoplan[.]com | http://185.149.120[.]3/scholargoogle/ | v2 | 1dnscontrol[.]com

Table 1: Sites hosting BACKSWING profilers that redirected users to a BADRABBIT download site

The compromised websites listed in Table 1 demonstrate one of the first times that we have observed the potential weaponization of BACKSWING. FireEye is tracking a growing number of legitimate websites that also host BACKSWING, underscoring a considerable footprint the actors could leverage in future attacks. Table 2 provides a list of sites also compromised with BACKSWING.


Table 2: Additional sites hosting BACKSWING profilers and associated receivers

The distribution of sites compromised with BACKSWING suggests a motivation other than financial gain. FireEye observed this framework on compromised Turkish sites and Montenegrin sites over the past year. We observed a spike of BACKSWING instances on Ukrainian sites, with a significant increase in May 2017. While some sites hosting BACKSWING do not have a clear strategic link, the pattern of deployment raises the possibility of a strategic sponsor with specific regional interests.

BADRABBIT Components

BADRABBIT is made up of several components, as described in Figure 5.

Figure 5: BADRABBIT components

Install_flashPlayer.exe (MD5: FBBDC39AF1139AEBBA4DA004475E8839)

The install_flashplayer.exe payload drops infpub.dat (MD5: C4F26ED277B51EF45FA180BE597D96E8) to the C:\Windows directory and executes it using rundll32.exe with the argument C:\Windows\infpub.dat,#1 15. This execution format mirrors that of EternalPetya.

infpub.dat (MD5: 1D724F95C61F1055F0D02C2154BBCCD3)

The infpub.dat binary is the primary ransomware component responsible for dropping and executing the additional components shown in the BADRABBIT Components section. An embedded RSA-2048 key facilitates the encryption process, which uses an AES-128 key to encrypt files. The extensions listed below are targeted for encryption:

The following directories are ignored during the encryption process:

  • \Windows
  • \Program Files
  • \ProgramData
  • \AppData

The malware writes its ransom message to the root of each affected drive with the filename Readme.txt.

The infpub.dat binary is capable of performing lateral movement via WMI or SMB. Harvested credentials provided by an embedded Mimikatz executable facilitate the infection of other systems on the network. The malware contains lists of common usernames, passwords, and named pipes that it can use to brute-force other credentials for lateral movement.

If one of four Dr.Web antivirus processes is present on the system, file encryption is not performed. If the malware is executed with the “-f” command line argument, credential theft and lateral movement are bypassed.

dispci.exe (MD5: B14D8FAF7F0CBCFAD051CEFE5F39645F)

The dispci.exe binary interacts with the DiskCryptor driver (cscc.dat) to install the malicious bootloader. If one of three McAfee antivirus processes is running on the system, dispci.exe is written to the %ALLUSERSPROFILE% directory; otherwise, it is written to C:\Windows. The sample is executed on system start using a scheduled task named rhaegal.

cscc.dat (MD5s: B4E6D97DAFD9224ED9A547D52C26CE02 or EDB72F4A46C39452D1A5414F7D26454A)

A 32 or 64-bit DiskCryptor driver named cscc.dat facilitates disk encryption. It is installed in the C:\Windows directory as a kernel driver service named cscc.

Mimikatz usage (MD5s: 37945C44A897AA42A66ADCAB68F560E0 or 347AC3B6B791054DE3E5720A7144A977)

A 32 or 64-bit Mimikatz variant is written to a temporary file (e.g., 651D.tmp) in the C:\Windows directory and executed by passing a named pipe string (e.g., \\.\pipe\{8A93FA32-1B7A-4E2F-AAD2-76A095F261DC}) as an argument. Harvested credentials are passed back to infpub.dat via the named pipe, similar to EternalPetya.

BADRABBIT Compared to EternalPetya

The infpub.dat contains a checksum algorithm like the one used in EternalPetya. However, the initial checksum value differs slightly: 0x87654321 in infpub.dat, 0x12345678 in EternalPetya. infpub.dat also supports the same command line arguments as EternalPetya with the addition of the “-f” argument, which bypasses the malware’s credential theft and lateral movement capabilities.

Like EternalPetya, infpub.dat determines if a specific file exists on the system and will exit if found. The file in this case is cscc.dat. infpub.dat contains a wmic.exe lateral movement capability, but unlike EternalPetya, does not contain a PSEXEC binary used to perform lateral movement.

Both samples utilize the same series of wevtutil and fsutil commands to perform anti-forensics:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %SYSTEMDRIVE%

FireEye Detections

Product | Detection Names
NX, EX, AX, FX, ETP | malware.binary.exe, Trojan.Ransomware.MVX, Exploit.PossibleWaterhole.BACKSWING
HX | BADRABBIT RANSOMWARE (FAMILY), Gen:Heur.Ransom.BadRabbit.1, Gen:Variant.Ransom.BadRabbit.1
TAP | WINDOWS METHODOLOGY [Scheduled Task Created], WINDOWS METHODOLOGY [Service Installation], WINDOWS METHODOLOGY [Audit Log Cleared], WINDOWS METHODOLOGY [Rundll32 Ordinal Arg], WINDOWS METHODOLOGY [Wevtutil Clear-log], WINDOWS METHODOLOGY [Fsutil USN Deletejournal], WINDOWS METHODOLOGY [Multiple Admin Share Failures]
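A detection-side example, added here and not FireEye's own detection content: it encodes the BADRABBIT host behaviours behind the TAP methodology names above (rundll32 ordinal execution of infpub.dat, the rhaegal and drogon scheduled tasks, the cscc driver service, wevtutil log clearing and fsutil journal deletion) as checks over process-creation and service-install records. The record layout and the sample telemetry are constructed from the commands the post lists.

```python
"""Host-telemetry detections for the BADRABBIT execution chain.

Added example, not FireEye's detection content. It turns the commands the post
lists (rundll32 ordinal execution of infpub.dat, the rhaegal and drogon
scheduled tasks, the cscc kernel-driver service, the wevtutil/fsutil
anti-forensics line) into regex checks over process-creation and
service-install records. The record layout and sample telemetry are
constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# "event": "process" (with "cmdline") or "service" (with "name" and "binpath")
Record = Dict[str, str]

# Detections applied to process command lines: (name, pattern)
PROCESS_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # rundll32 given an export ordinal (",#1") on a .dat payload
    ("Rundll32 Ordinal Arg", re.compile(r"rundll32(?:\.exe)?\s+\S+\.dat,#\d+", re.I)),
    # any task creation; the two BADRABBIT task names get their own hit
    ("Scheduled Task Created", re.compile(r"\bschtasks\s+/Create\b", re.I)),
    ("BADRABBIT Task Name",
     re.compile(r"\bschtasks\s+/Create\b.*?/TN\s+(?:rhaegal|drogon)\b", re.I)),
    # event-log clearing and USN journal deletion (anti-forensics)
    ("Wevtutil Clear-log", re.compile(r"\bwevtutil\s+cl\s+\w+", re.I)),
    ("Fsutil USN Deletejournal", re.compile(r"\bfsutil\s+usn\s+deletejournal\b", re.I)),
    # forced immediate reboot, the drogon task's action
    ("Forced Reboot", re.compile(r"\bshutdown(?:\.exe)?\s+/r\s+/t\s+0\s+/f\b", re.I)),
]


def detect(records: List[Record]) -> List[Tuple[str, str]]:
    """Return (detection name, evidence) pairs for every rule each record trips."""
    hits: List[Tuple[str, str]] = []
    for rec in records:
        if rec.get("event") == "process":
            cmd = rec.get("cmdline", "")
            for name, pattern in PROCESS_RULES:
                if pattern.search(cmd):
                    hits.append((name, cmd))
        elif rec.get("event") == "service":
            svc = rec.get("name", "").lower()
            binpath = rec.get("binpath", "").lower()
            # DiskCryptor driver installed as service "cscc" from cscc.dat
            if svc == "cscc" or binpath.endswith("cscc.dat"):
                hits.append(("Service Installation", f"{svc} -> {binpath}"))
    return hits


def assess(records: List[Record]) -> Dict[str, object]:
    """Summarise hits; flag a likely BADRABBIT chain when the payload launch or
    its task names appear together with at least two other behaviours."""
    hits = detect(records)
    names = {n for n, _ in hits}
    anchor = bool(names & {"Rundll32 Ordinal Arg", "BADRABBIT Task Name"})
    return {"hits": hits, "distinct": sorted(names),
            "likely_badrabbit_chain": anchor and len(names) >= 3}


# Constructed telemetry built from the commands listed in the post
# (task id, time and paths filled in with sample values)
SAMPLE_TELEMETRY: List[Record] = [
    {"event": "process",
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"},
    {"event": "process",
     "cmdline": r'cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal '
                r'/TR "cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1234 && exit"'},
    {"event": "process",
     "cmdline": r'cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM '
                r'/TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:35:00'},
    {"event": "process",
     "cmdline": "cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security "
                "& wevtutil cl Application & fsutil usn deletejournal /D C:"},
    {"event": "service", "name": "cscc", "binpath": r"C:\Windows\cscc.dat"},
    {"event": "process", "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs"},  # benign
]


if __name__ == "__main__":
    result = assess(SAMPLE_TELEMETRY)
    for name, evidence in result["hits"]:
        print(f"[{name}] {evidence}")
    print("likely BADRABBIT chain:", result["likely_badrabbit_chain"])
```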

We would like to thank Edward Fjellskål for his assistance with research for this blog.


File: Install_flashPlayer.exe
Hash: FBBDC39AF1139AEBBA4DA004475E8839
Description: install_flashplayer.exe drops infpub.dat

File: infpub.dat
Hash: 1D724F95C61F1055F0D02C2154BBCCD3
Description: Primary ransomware component

File: dispci.exe
Hash: B14D8FAF7F0CBCFAD051CEFE5F39645F
Description: Interacts with the DiskCryptor driver (cscc.dat) to install the malicious bootloader, responsible for file decryption.

File: cscc.dat
Hash: B4E6D97DAFD9224ED9A547D52C26CE02 or EDB72F4A46C39452D1A5414F7D26454A
Description: 32 or 64-bit DiskCryptor driver

File: <rand_4_hex>.tmp
Hash: 37945C44A897AA42A66ADCAB68F560E0 or 347AC3B6B791054DE3E5720A7144A977
Description: 32 or 64-bit Mimikatz variant

File: Readme.txt
Hash: Variable
Description: Ransom note

Command: \system32\rundll32.exe C:\Windows\infpub.dat,#1 15
Description: Runs the primary ransomware component of BADRABBIT. Note that “15” is the default value present in the malware and may be altered by specifying a different value on command line when executing install_flash_player.exe.

Command: %COMSPEC% /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "<%COMSPEC%> /C Start \"\" \"<dispci_exe_path>\" -id
Description: Creates the rhaegal scheduled task

Command: %COMSPEC% /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%WINDIR%\system32\shutdown.exe /r /t 0 /f" /ST <HH:MM:00>
Description: Creates the drogon scheduled task

Command: %COMSPEC% /c schtasks /Delete /F /TN drogon
Description: Deletes the drogon scheduled task

Command: %COMSPEC% /c wswevtutil cl Setup & wswevtutil cl System & wswevtutil cl Security & wswevtutil cl Application & fsutil usn deletejournal /D <current_drive_letter>:
Description: Anti-forensics

Scheduled Task Name: rhaegal
Scheduled Task Run: "<%COMSPEC%> /C Start \"\" \"<dispci_exe_path>\" -id <rand_task_id> && exit"
Description: Bootloader interaction

Scheduled Task Name: drogon
Scheduled Task Run: "%WINDIR%\system32\shutdown.exe /r /t 0 /f"
Description: Forces a reboot

Service Name: cscc
Service Display Name: Windows Client Side Caching DDriver
Service Binary Path: cscc.dat

Embedded usernames from infpub.dat (1D724F95C61F1055F0D02C2154BBCCD3)
other user
Embedded passwords from infpub.dat (1D724F95C61F1055F0D02C2154BBCCD3)
Embedded pipe names from infpub.dat (1D724F95C61F1055F0D02C2154BBCCD3)

Yara Rules

rule FE_Hunting_BADRABBIT {
    meta:
        author = "ian.ahl @TekDefense & nicholas.carr @itsreallynick"
        md5 = "b14d8faf7f0cbcfad051cefe5f39645f"
    strings:
        // Messages
        $msg1 = "Incorrect password" nocase ascii wide
        $msg2 = "Oops! Your files have been encrypted." ascii wide
        $msg3 = "If you see this text, your files are no longer accessible." ascii wide
        $msg4 = "You might have been looking for a way to recover your files." ascii wide
        $msg5 = "Don't waste your time. No one will be able to recover them without our" ascii wide
        $msg6 = "Visit our web service at" ascii wide
        $msg7 = "Your personal installation key#1:" ascii wide
        $msg8 = "Run DECRYPT app at your desktop after system boot" ascii wide
        $msg9 = "Password#1" nocase ascii wide
        $msg10 = "caforssztxqzf2nm.onion" nocase ascii wide
        $msg11 = /partition (unbootable|not (found|mounted))/ nocase ascii wide

        // File references
        $fref1 = "C:\\Windows\\cscc.dat" nocase ascii wide
        $fref2 = "\\\\.\\dcrypt" nocase ascii wide
        $fref3 = "Readme.txt" ascii wide
        $fref4 = "\\Desktop\\DECRYPT.lnk" nocase ascii wide
        $fref5 = "dispci.exe" nocase ascii wide
        $fref6 = "C:\\Windows\\infpub.dat" nocase ascii wide

        // Metadata strings (the value of $meta1 did not survive on the page)
        $meta1 = "" nocase ascii wide
        $meta2 = "dispci.exe" nocase ascii wide
        $meta3 = "GrayWorm" ascii wide
        $meta4 = "viserion" nocase ascii wide

        // Command execution
        $com1 = "ComSpec" ascii wide
        $com2 = "\\cmd.exe" nocase ascii wide
        $com3 = "schtasks /Create" nocase ascii wide
        $com4 = "schtasks /Delete /F /TN %ws" nocase ascii wide
    condition:
        // the page shows the three clauses only; the and/or connectives are reconstructed
        (uint16(0) == 0x5A4D)
        and (
            (8 of ($msg*) and 3 of ($fref*) and 2 of ($com*))
            or (all of ($meta*) and 8 of ($msg*))
        )
}

// rule name did not survive extraction; placeholder name used
rule BADRABBIT_rule_2_NAME_NOT_ON_PAGE {
    meta:
        author = "muhammad.umair"
        md5 = "fbbdc39af1139aebba4da004475e8839"
        rev = 1
    strings:
        $api1 = "GetSystemDirectoryW" fullword
        $api2 = "GetModuleFileNameW" fullword
        $dropped_dll = "infpub.dat" ascii fullword wide
        $exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii fullword wide
        $extract_seq = { 68 ?? ?? ?? ?? 8D 95 E4 F9 FF FF 52 FF 15 ?? ?? ?? ?? 85 C0 0F 84 C4 00 00 00 8D 85 A8 ED FF FF 50 8D 8D AC ED FF FF E8 ?? ?? ?? ?? 85 C0 0F 84 AA 00 00 00 }
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
}

// rule name did not survive extraction; placeholder name used
rule BADRABBIT_rule_3_NAME_NOT_ON_PAGE {
    meta:
        author = "muhammad.umair"
        md5 = "1d724f95c61f1055f0d02c2154bbccd3"
        rev = 1
    strings:
        $api1 = "WNetAddConnection2W" fullword
        $api2 = "CredEnumerateW" fullword
        $api3 = "DuplicateTokenEx" fullword
        $api4 = "GetIpNetTable"
        $del_tasks = "schtasks /Delete /F /TN drogon" ascii fullword wide
        $dropped_driver = "cscc.dat" ascii fullword wide
        $exec_fmt_str = "%ws C:\\Windows\\%ws,#1 %ws" ascii fullword wide
        $iter_encrypt = { 8D 44 24 3C 50 FF 15 ?? ?? ?? ?? 8D 4C 24 3C 8D 51 02 66 8B 31 83 C1 02 66 3B F7 75 F5 2B CA D1 F9 8D 4C 4C 3C 3B C1 74 07 E8 ?? ?? ?? ?? }
        $share_fmt_str = "\\\\%ws\\admin$\\%ws" ascii fullword wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
}

// rule name did not survive extraction; placeholder name used
rule BADRABBIT_rule_4_NAME_NOT_ON_PAGE {
    meta:
        author = "muhammad.umair"
        md5 = "37945c44a897aa42a66adcab68f560e0"
        rev = 1
    strings:
        $api1 = "WriteProcessMemory" fullword
        $api2 = "SetSecurityDescriptorDacl" fullword
        $api_str1 = "BCryptDecrypt" ascii fullword wide
        $mimi_str = "CredentialKeys" ascii fullword wide
        $wait_pipe_seq = { FF 15 ?? ?? ?? ?? 85 C0 74 63 55 BD B8 0B 00 00 57 57 6A 03 8D 44 24 1C 50 57 68 00 00 00 C0 FF 74 24 38 4B FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 75 3B }
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 500KB and all of them
}

// rule name did not survive extraction; placeholder name used
rule BADRABBIT_rule_5_NAME_NOT_ON_PAGE {
    meta:
        author = "muhammad.umair"
        md5 = "b14d8faf7f0cbcfad051cefe5f39645f"
        rev = 1
    strings:
        $api1 = "CryptAcquireContextW" fullword
        $api2 = "CryptEncrypt" fullword
        $api3 = "NetWkstaGetInfo" fullword
        $decrypt_seq = { 89 5D EC 78 10 7F 07 3D 00 00 00 01 76 07 B8 00 00 00 01 EB 07 C7 45 EC 01 00 00 00 53 50 53 6A 04 53 8B F8 56 89 45 FC 89 7D E8 FF 15 ?? ?? ?? ?? 8B D8 85 DB 74 5F }
        $msg1 = "Disk decryption progress..." ascii fullword wide
        $task_fmt_str = "schtasks /Create /SC ONCE /TN viserion_%u /RU SYSTEM /TR \"%ws\" /ST %02d:%02d:00" ascii fullword wide
        $tok1 = "\\\\.\\dcrypt" ascii fullword wide
        $tok2 = "C:\\Windows\\cscc.dat" ascii fullword wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 150KB and all of them
}


Author: Barry Vengerik, Ben Read, Brian Mordosky, Christopher Glyer, Ian Ahl, Matt Williams, Michael Matonis, Nick Carr

Breach Resilience

Join Jeff Berg, Sr. Manager of Cyber Threat Intelligence, and Brad Bell, Mandiant Principal Consultant, as they share the role of cyber threat intelligence in strategic security consulting services and why services based on compliance-based best practices and industry standards may not be an effective way to protect your organization against a rapidly evolving threat landscape.

Key takeaways:

• The role cyber threat intelligence plays in strategic security consulting services
• Why services rooted in compliance-based best practices and industry standards aren’t effective
• Case studies where different types of intelligence added value to service portfolio


Devising a Suitable End State of Your CTI Program

The shift to an intelligence-led security program can seem daunting. When implementing Cyber Threat Intelligence (CTI) capabilities, there may be a degree of uncertainty across the organization. We’ve seen this happen many times with client teams who initially were not cyber security savvy; however, after the adjustment period, when CTI is fully integrated into their technology and business processes, we continuously see that customers are satisfied with the results.

While managing this shift is challenging, it is not insurmountable. To be successful, it’s important to have a vision for the end state of your program. This vision will help to plot the planned shift, define its true value, and identify opportunities afforded by those who carry out implementation.

When defining a program’s vision, it is important to cover the following four high-level areas:

  • Mission & Strategy: Define a clear mission that enables communications and justifies go-forward action items. Ultimately, focusing on the enhanced ability to manage risk within the organization using a requirements-based intelligence approach is crucial. Establishing the expected resulting capabilities ensures the end-state business objectives, goals, and outcomes are clearly identified and agreed upon.
  • Implementation Roadmap: Employ a clear game plan that addresses the changes in people, processes, and technologies. A smart roadmap provides guidance on order of events and scale of effort required to execute properly. This roadmap will also enable communication of budgetary requirements to senior leadership over the course of the program’s buildout.
  • Conceptual Organizational Design: Construct an end-state organizational design aligned with the mission, approved by executives, and agreed to by peers. This will ease the creation and integration of new teams and transition of any existing ones. While the actual end state may play out differently, the buy-in achieved at the onset of your program evolution will keep your major players moving in the right direction.
  • Metrics: Identify a key set of metrics that will be used to evaluate the success of your program. This will be critical when determining whether or not the end state is a success, and will also enable you to easily identify wins as the program begins to take shape. Metrics should evaluate the individuals responsible for carrying out the mission, the intelligence sources, the technology supporting the program, and the program’s overall health. The true value of intelligence can be complex to assess; however, the proper level of granularity can help show whether the value is being delivered, and where any breakdowns are occurring.

All said, the success of an operational transformation is truly grounded in the strategic legwork done before execution begins. Proper planning ensures that key stakeholders and senior leaders are in agreement with respect to the direction of the overall security operations, as well as the expected value provided. This in turn will motivate executives and other key stakeholders to help shepherd the program through its pending shifts, and into a position where everyone in the organization will see its true potential.

Visit our Cyber Threat Intelligence Services homepage for more information on how Mandiant can help your organization improve its threat intelligence capabilities.


Author: Jeff Compton, Jeff Berg