Blog
A spear-phishing campaign that targets Hong Kong-based media organizations is using Dropbox for its malware communications.
Blog
"After analyzing the information that has been made available by affected power companies, researchers, and the media it is clear that cyber attacks were directly responsible for power outages in Ukraine. The SANS ICS team has been coordinating ongoing discussions and providing analysis across multiple international community members and companies. We assess with high confidence based on company statements, media reports, and first-hand analysis that the incident was due to a coordinated intentional attack."
Blog
Our adversaries are familiar with the RTF format and the inner workings of Microsoft Word, and can devise obfuscation tricks to evade traditional signature-based detection. Understanding how hackers perform obfuscation can in turn help us improve our detection of this type of malware.
Blog
The FireEye FLARE team’s newest contribution to the malware analysis community, FLOSS, is an open-source tool to automatically detect, extract, and decode obfuscated strings in Windows Portable Executable files. FLOSS helps fight against malware authors who commonly obfuscate strings in their programs to deter static and dynamic analysis, and can extract strings that are deobfuscated by decoding routines, while recovering stackstrings and obtaining all static strings.
Blog
Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY, which leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation.
Blog
When a Security Operations Center (SOC) doesn't have the capabilities to detect WMI activity from both a network and endpoint perspective, the lack of visibility can provide threat actors a perfect opening for attacks. Here's how FireEye solves the problem.  
Blog
The Innovation and Custom Engineering (ICE) Applied Research team presents the public release of Monitor.app for macOS, a simple GUI application for monitoring common system events on a macOS host. 
Blog
APT10 (MenuPass Group), a Chinese cyber espionage group that FireEye has tracked since 2009, has been using new tools in its most recent activity.
Blog
In a newly-identified campaign, financially-motivated threat group FIN7 has modified their phishing techniques to implement unique infection and persistence mechanisms.