Blog | malware
Hancitor uses several capabilities within malicious macros that support malware installation and data theft. These capabilities include leveraging uncommon APIs and obscuring malicious PowerShell commands, tactics that make it a challenge to detect.
Blog | malware
FakeNet-NG is a powerful and highly configurable tool that can be used to perform more advanced tasks such as process and traffic filtering, aiding in automatic malware unpacking, security assessment of thick-client applications and many others.
Blog | malware
Malvertising occurs when an online advertising network knowingly or unknowingly serves up malicious advertisements on a website. Malvertisements are a type of “drive-by” threat that tend to result in users being infected with malware for simply visiting a website. The victims of this threat are often compromised when the malvertisement directs them to an exploit kit (EK) landing page. Depending on the applications running on the user’s system, the EK can successfully load malware into a system without user consent and without tipping the victim off that something suspicious is happening.
Report | malware
Trending Evil is a quarterly publication that reveals the cyber threat actors, malware, and tactics that Mandiant Managed Defense has recently seen on the frontlines and equips you to strengthen your security posture with the defensive actions outlined in every edition.
Report | malware
Mandiant Threat Intelligence has detailed an ongoing cyber-enabled influence campaign we named Ghostwriter. We assess with high confidence that UNC1151, a suspected state-sponsored cyber espionage actor that engages in credential harvesting and malware campaigns, conducts at least some components of Ghostwriter activity.
Insight | malware
Mandiant pays special attention to advanced persistent threat (APT) groups that receive direction and support from an established nation state. Like other attackers, APT groups try to steal data, disrupt operations or destroy infrastructure. Unlike most cyber criminals, APT attackers pursue their objectives over months or years. They adapt to cyber defenses and frequently retarget the same victim. Just because you have APT-linked malware variants in your system doesn't mean that you're an APT target. But your security team should be aware of this list of the most active APT groups and take extra precautions when they detect malware linked to previous APT attacks.
Blog | malware
In 2012, a suspected Iranian hacker group called the “Cutting Sword of Justice” used malware known as Shamoon – or Disttrack. In mid-November, Mandiant, a FireEye company, responded to the first Shamoon 2.0 incident against an organization located in the Gulf states. Since then, Mandiant has responded to multiple incidents at other organizations in the region.
Blog | malware
In the five years I have been a part of Mandiant's malware analysis team (now formally known as M-Labs) there have been times when I've had to reverse engineer chunks of shellcode. In this post I will give some background on shellcode import resolution techniques and how to automate IDA markup to allow faster shellcode reverse engineering.
Blog | malware
The Mandiant Advanced Practices team recently discovered a new malware family we have named PRIVATELOG and its installer, STASHLOG. In this post, we will share a novel and especially interesting technique the samples use to hide data, along with detailed analysis of both files that was performed with the support of FLARE analysts. We will also share sample detection rules, and hunting recommendations to find similar activity in your environment.
Webinar | malware
Operating on the front lines every single day, the FireEye Mandiant team of incident response consultants handles hundreds of engagements every year, relying on their knowledge and expertise combined with extensive information as well as capabilities provided by dedicated Threat Intelligence and Malware Reverse Engineering functions. Able to intervene from the initial detection to the final resolution of the incident, including investigation and remediation support, incident responders rely on advanced and custom-tailored endpoint, network and digital forensics technology, able to intervene and operate at large enterprise scale.