FireEye has had some red team tooling stolen by an alleged APT (Advanced Persistent Threat). In response, FireEye has released various signatures so that the wider security community can detect and alert on their current attack tools.
In this post, we analyze their possible red team toolkit.
A highly sophisticated state-sponsored adversary stole FireEye Red Team tools. Because we believe that an adversary possesses these tools, and we do not know whether the attacker intends to use the stolen tools themselves or publicly disclose them, FireEye is releasing hundreds of countermeasures with this blog post to enable the broader security community to protect themselves against these tools.
Location of the Countermeasures
What is in the toolkit?
- Custom RAT .NET?
- Custom RAT Golang (Windows)
- Custom RAT Golang (OSX)
- Custom RAT Python (Linux/OSX)
Commercial & Open source tools
From the signatures we can observe that the team used Cobalt Strike, with several profiles to obfuscate their beacons and C2 traffic.
Profiles included masquerading as:
- NewYork Times
- USA Today
and support for various tooling (Rubeus, GoRAT).
From analysing their YARA file we can identify the following tooling:
Possible goRAT source-code:
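The inventory step used above (reading the released YARA rules to list which tools they cover) can be scripted. The following is an added example, not code from this post or from FireEye: it parses a YARA file with the standard library only, extracts each rule's name, tags and meta block, and groups the public rules by the tool they name. The sample rules and the `<Prefix>_<Category>_<Platform>_<Tool>_<n>` naming convention it relies on are constructed assumptions for the illustration, not the published rule names.

```python
"""Inventory the tooling named in a YARA countermeasure file.

Added example (not the post's or FireEye's code). Standard library only, so
it runs offline against the constructed sample below or any local .yar file.
"""
import re
from collections import defaultdict

# Constructed sample in the style of a YARA countermeasure file. Rule names,
# strings and meta values are placeholders, not the published FireEye rules.
SAMPLE_YARA = r'''
rule APT_Loader_Win_ExampleLoader_1 {
    meta:
        description = "Detects the example loader used with the Go-based RAT"
        author = "example-author"
    strings:
        $s1 = "loader.exe" ascii
    condition:
        uint16(0) == 0x5A4D and all of them
}

rule APT_HackTool_MSIL_ExampleTool_2 : hacktool
{
    meta:
        description = "Detects a .NET post-exploitation helper"
    strings:
        $a = "ExampleTool" wide
    condition:
        $a
}

rule APT_Backdoor_Win_ExampleLoader_2
{
    meta:
        description = "Second signature for the same loader"
    strings:
        $a = { 4D 5A 90 00 }
    condition:
        $a at 0
}

private rule Helper_Private
{
    condition:
        true
}
'''

# Rule header: optional modifiers, the rule name, optional ": tag1 tag2" list,
# and an optional opening brace on the same line.
RULE_HEADER = re.compile(
    r'^[ \t]*(?P<mods>(?:(?:private|global)[ \t]+)*)rule[ \t]+'
    r'(?P<name>[A-Za-z_][A-Za-z0-9_]*)'
    r'(?:[ \t]*:[ \t]*(?P<tags>[A-Za-z0-9_ \t]+?))?[ \t]*\{?[ \t]*$',
    re.MULTILINE)
# The meta block runs from "meta:" up to the next strings:/condition: line.
META_SECTION = re.compile(r'meta:(.*?)(?=^\s*(?:strings|condition):)', re.S | re.M)
META_FIELD = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"', re.M)


def parse_rules(text):
    """Return one {name, private, tags, meta} dict per rule, in file order."""
    headers = list(RULE_HEADER.finditer(text))
    rules = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[m.end():end]
        sec = META_SECTION.search(body)
        meta = dict(META_FIELD.findall(sec.group(1))) if sec else {}
        rules.append({
            "name": m.group("name"),
            "private": "private" in m.group("mods"),
            "tags": (m.group("tags") or "").split(),
            "meta": meta,
        })
    return rules


def tool_from_name(name):
    """Assumed convention for the sample: <Prefix>_<Category>_<Platform>_<Tool>_<n>.
    Returns (category, platform, tool), or None if the name does not follow it."""
    parts = name.split("_")
    if len(parts) < 4:
        return None
    return parts[1], parts[2], parts[3]


def tool_inventory(text):
    """Group public rules by the tool they name, with platforms and categories."""
    inv = defaultdict(lambda: {"platforms": set(), "categories": set(), "rules": []})
    for r in parse_rules(text):
        if r["private"]:
            continue  # private helpers are not countermeasures on their own
        parsed = tool_from_name(r["name"])
        if parsed is None:
            continue
        cat, plat, tool = parsed
        inv[tool]["platforms"].add(plat)
        inv[tool]["categories"].add(cat)
        inv[tool]["rules"].append(r["name"])
    return dict(inv)


if __name__ == "__main__":
    for tool, info in sorted(tool_inventory(SAMPLE_YARA).items()):
        print(f"{tool}: platforms={sorted(info['platforms'])} "
              f"categories={sorted(info['categories'])} rules={len(info['rules'])}")
```

Pointing `tool_inventory` at the real rule set instead of the sample (read the `.yar` file and pass its text) gives a per-tool count of signatures and the platforms they target, which is a quick way to see coverage gaps before loading the rules into a scanner.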
The information here may not be entirely accurate, or it could be argued that the stolen code was heavily modified from its original source base. The work here is merely guesswork, based on the evidence and signatures provided publicly by FireEye. Netscylla gives no guarantee as to the accuracy of the guesstimates and findings of this post.
Hopefully in the next few days FireEye may provide more details or publicly release their tooling; when this happens we will update this post accordingly to represent more accurate findings.