Neil Armstrong, the great space explorer, once said “research is all about creating new knowledge.” And of course, with knowledge we are in a better position to predict, and therefore prepare for, what is yet to come. For this reason, the work Check Point Research does is invaluable when it comes to translating knowledge into better protection for our customers. Let’s take a closer look at how.
In April 2017, our team discovered a weakness in Microsoft Office 2007, 2010, 2013 and 2016 and, although a patch was released shortly after, an exploitation of this vulnerability was recently found in the wild and is currently being used to spread new malware that drops the information-stealing malware AgentTesla and Loki. These malware’s capabilities include stealing a user’s login data via Google Chrome, Mozilla Firefox, Microsoft Outlook and others, capturing screenshots, recording webcams, as well as enabling the attacker to install additional malware on infected machines.
However, due to the way in which this new malware is built, using highly evasive obfuscation techniques, most Anti-Virus software has so far been unable to detect it. For although many would be forgiven for thinking that modern Word documents are more secure than RTF or DOC files, in the 5th generation of the threat landscape attackers continually try to stay one step ahead and adapt their tradecraft to bypass everyday computer software.
How the Infection Occurs
The attack is launched when a user opens a malicious RTF file, which then starts Microsoft Word. Soon after launching, Word begins the process (named ‘svchost’) to open Microsoft Equation Editor (an application tool used to help create mathematical equations to be inserted into Word documents). In normal circumstances this should be the end of the story; however, in the case of AgentTesla, the Equation Editor application takes the odd next step of automatically, and highly suspiciously, launching its own executables too.
What’s more, the executable that it launches (named ‘scvhost.exe’) is strikingly similar in name to the process that launched the Equation Editor itself. It is at this point, when the second process is launched, that a connection to the attacker’s Command and Control (C&C) server is established and the malware is delivered to infect the victim’s computer.
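As an added example (not code from the post or from Check Point), the process chain described above can be turned into a simple detection rule: flag any child process spawned by the Equation Editor binary (EQNEDT32.EXE), and flag any child whose name is one edit away from a legitimate Windows process name, as ‘scvhost.exe’ is from ‘svchost.exe’. The event line format, the sample events and the list of legitimate process names are constructed assumptions.

```python
import re
# Constructed sample process-creation events (parent -> child); not taken from the post.
SAMPLE_EVENTS = [
    "parent=explorer.exe child=winword.exe",
    "parent=svchost.exe child=eqnedt32.exe",   # Equation Editor started on Word's behalf
    "parent=eqnedt32.exe child=scvhost.exe",   # Equation Editor launching its own executable
    "parent=services.exe child=svchost.exe",   # a real svchost, started by services.exe
]
# EQNEDT32.EXE is the Equation Editor binary; the event format and this list are assumptions.
EQUATION_EDITOR = "eqnedt32.exe"
LEGIT_NAMES = {"svchost.exe", "explorer.exe", "winword.exe", "services.exe", "eqnedt32.exe"}
EVENT_RE = re.compile(r"parent=(\S+)\s+child=(\S+)")

def osa_distance(a: str, b: str) -> int:
    # Edit distance that counts an adjacent swap (e.g. 'cv' -> 'vc') as one edit.
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_of(name: str):
    # Legitimate name this one is exactly one edit away from (identical names score 0).
    for legit in LEGIT_NAMES:
        if osa_distance(name.lower(), legit) == 1:
            return legit
    return None

def analyze(lines):
    # One (line_no, rule, detail) tuple per rule hit; both rules can fire on one event.
    alerts = []
    for n, line in enumerate(lines, 1):
        m = EVENT_RE.search(line)
        if not m:
            continue
        parent, child = m.group(1).lower(), m.group(2).lower()
        if parent == EQUATION_EDITOR:
            alerts.append((n, "equation_editor_spawned_child", child))
        mimic = lookalike_of(child)
        if mimic:
            alerts.append((n, "lookalike_process_name", f"{child} ~ {mimic}"))
    return alerts
```

Running `analyze(SAMPLE_EVENTS)` raises both alerts on the third event only: the Equation Editor spawning a child, and that child impersonating svchost.exe.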
From Theoretical Research to Practical Protection
While this sequence of events is deeply hidden from most Anti-Virus software, thanks to the earlier discovery of Microsoft vulnerability CVE-2017-11882, Check Point’s SandBlast Zero-Day Protection was already ahead of the curve.
Using a complex combination of advanced threat protections, multiple layers of advanced security and automated reverse-engineering methods, the pre-infection Threat Emulation engine that lies at the core of SandBlast Zero-Day Protection is able to detect this new RTF downloading malware before it has the chance to deploy evasion code and get into a network or endpoint. Indeed, it is as a result of these unique inspection capabilities that SandBlast Zero-Day Protection can deliver the highest catch rate for threats and cannot be bypassed using even the most sophisticated evasion techniques.
SandBlast Zero-Day Protection also includes the Threat Extraction capability, which allows for practical protection by proactively reconstructing content into safe documents, preventing malware from ever reaching users. With traditional sandboxing products, customers usually have to make a choice to either delay the delivery of files until inspection is complete or run in ‘detection only’ mode, letting content through while testing is done in parallel. Threat Extraction, however, makes real-world deployment in ‘prevent’ mode possible by promptly delivering a clean copy of content, and only then delivering the original once it is deemed safe.
Conclusion
The value of research cannot be understated. Without it we would not have the knowledge to prepare ourselves for the known or unknown. After all, the research done by NASA ensured Neil Armstrong was not only successful in his mission to the moon, but also remained safe.
Likewise, the discovery of the vulnerability in Microsoft Office shows the importance of creating knowledge through research and provides an example of the ongoing improvements to Check Point SandBlast Zero-Day Prevention made to keep our customers secure. With this new RTF downloader malware now out in the wild and exploiting this vulnerability, it shows once again how organizations need more than just traditional sandboxing solutions to protect their networks against today’s advanced attacks.
To protect against this new malware and other unknown malware, users are advised to regularly patch their systems and the software they use.
Check out more information on how Check Point SandBlast Zero-Day Prevention can keep your organization fully protected.
