Blog | malware
The FLARE team’s newest open-source tool, capa, provides a framework for the community to encode, recognize and share behaviors that we've seen in malware.
Blog | malware
FireEye recently identified a vulnerability – CVE-2017-0199 – that allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit. We worked with Microsoft and published the technical details of this vulnerability as soon as a patch was made available.
Blog | malware
We analyze a variant of INDUSTROYER, a well-known piece of attack-oriented ICS malware.
Blog | malware
In this blog, learn about a simple debugging tactic for creating “save points” during iterative remote debugging of complex multi-stage samples that execute code in heap memory at non-deterministic addresses.
Blog | malware
On a Windows host there is more than one way for a program to communicate across the internet. When reverse engineering a piece of malware, it is of critical importance to understand which API is being used and how it works, so that you can gain an understanding of the data sent and received as well as the command structure and internal protocol, if applicable. The choice of networking API also affects how you craft your indicators (more on this later). I break Windows malware command and control communications into four API categories: Sockets, WinInet, URLMon and COM. The primary focus of this article is COM, since it is the rarest, least understood and most difficult to reverse engineer.
Blog | malware
We introduce a machine learning model that learns to rank strings based on their relevance for malware analysis.
Blog | malware
The concept of "packing" or "crypting" a malicious program is widely popular among threat actors looking to bypass or defeat analysis by static and dynamic analysis tools.
Blog | malware
The Speakeasy framework provides an easy-to-use, flexible, and powerful programming interface that enables analysts to solve complex problems such as unpacking malware.