Neil Armstrong, the great space explorer, once said “research is all about creating new knowledge.” And of course, with knowledge we are in a better position to predict, and thus prepare, for what is yet to come. For this reason, the work Check Point Research does is invaluable when it comes to translating knowledge into better protection for our customers. Let’s take a closer look how.
In April 2017, our team discovered a weakness in Microsoft Office 2007, 2010, 2013 and 2016 and, although a patch was released soon after, an exploitation of this vulnerability was recently found in the wild and is currently being used to spread a new malware that drops the info stealing malware, AgentTesla and Loki. These malware’s capabilities include stealing a user’s login information via Google Chrome, Mozilla Firefox, Microsoft Outlook and others, capturing screenshots, recording webcams as well as enabling the attacker to install additional malware on infected machines.
However, due to the nature in which this new malware is built, using highly evasive obfuscation techniques, most Anti-Virus software has so far been unable to detect it. For although many would be forgiven in thinking that modern Word documents are more secure than RTF or DOC files, in the fifth generation of the threat landscape attackers continually seek to stay one step ahead and adapt their tradecraft to bypass everyday computer software.
How the Infection Occurs
The attack is launched when a user opens a malicious RTF file, which subsequently starts Microsoft Word. Soon after launching, Word begins the process (named ‘svchost’) to open Microsoft Equation Editor (an application tool used to help create mathematical equations be inserted into Word documents). In normal circumstances this should be the end of the story, however in the case of AgentTesla, the Equation Editor application takes the unusual next step of automatically, and highly suspiciously, launching its own executables too.
What’s more, the executable that it launches (named ‘scvhost.exe’) is strikingly similar in name to the process that launched the Equation Editor itself. It is at this point, when the second process is launched, that a connection to the attacker’s Command and Control (C&C) server is established and the malware is delivered to infect the victim’s computer.
From Theoretical Research to Practical Protection
While this sequence of events is deeply hidden from most Anti-Virus software, thanks to the earlier discovery of Microsoft vulnerability CVE-2017-11882, Check Point’s SandBlast Zero-Day Protection was already ahead of the curve.
Using a complex combination of advanced threat protections, multiple layers of advanced security and automated reverse engineering methods, the pre-infection Threat Emulation engine that lies at the core of SandBlast Zero-Day Protection is able to detect this new RTF downloading malware before it has the opportunity to deploy evasion code and enter a network or endpoint. Indeed, it is as a result of these unique inspection capabilities that SandBlast Zero-Day Protection can deliver the highest catch rate for threats and cannot be bypassed using even the most sophisticated evasion techniques.
SandBlast Zero-Day Protection also includes the Threat Extraction capability, which allows for practical protection by proactively reconstructing content into safe documents, preventing malware from ever reaching users. With traditional sandboxing products, customers usually have to make a choice to either delay the delivery of files until inspection is complete or run in ‘detection only’ mode, letting content through while testing is done in parallel. Threat Extraction, however, makes real-world deployment in ‘prevent’ mode possible by promptly delivering a clean copy of content, and only then delivering the original once it is deemed safe.
The value of research cannot be understated. Without it we would not have the knowledge to prepare ourselves for the known or unknown. After all, the research done by NASA ensured Neil Armstrong was not only successful in his mission to the moon, but also remained safe.
Likewise, the discovery of the vulnerability in Microsoft Office shows the importance of creating knowledge through research and provides an illustration of the ongoing improvements to Check Point SandBlast Zero-Day Prevention made to keep our customers secure. With this new RTF downloader malware now out in the wild and exploiting this vulnerability it indicates once again how organizations need more than just traditional sandboxing solutions to protect their networks against today’s advanced attacks.
To protect against this new malware and other unknown malware, users are advised to frequently patch their systems and the software they use.
Check out more information on how Check Point SandBlast Zero-Day Prevention can keep your organization fully protected.