By Daniel Tamari & Asaf Avisar

Highlights:

1. Innovative Real-Time Protection: DocLink Defender leverages the latest in analytical technology to intercept and neutralize malicious documents instantly. By safeguarding systems from the get-go, it provides an impenetrable shield against potential malware infections.

2. Proven Defense Against Advanced Threats: Showcasing its prowess, DocLink Defender has a track record of thwarting sophisticated cyber threats, including the notorious Agent Tesla malware. Its ability to stop such complex attacks at their inception point underscores its value in maintaining organizational cybersecurity in today’s digital age.

3. Comprehensive Security for Check Point Users: For those utilizing Check Point’s Quantum and Harmony solutions, activating the Threat Emulation feature ensures an added layer of security. DocLink Defender seamlessly integrates into this ecosystem, offering robust protection against the evolving landscape of cyber threats.

How DocLink Defender Works: A Closer Look

At the heart of DocLink Defender is a sophisticated engine designed to scrutinize the structure of commonly used document types, such as Office and PDF files. Its primary focus? To detect and evaluate embedded URLs. Mimicking the actions of a user, the engine “clicks” on each URL to determine if it points to a downloadable file on the internet.

Should a downloadable file be detected, the Defender doesn’t stop there. It takes the file and subjects it to an exhaustive Threat Emulation process. Each file is thoroughly emulated, ensuring that any lurking malicious content is identified before it can wreak havoc.

In the event a file is deemed malicious, the document harboring the questionable URL is immediately blocked, providing real-time defense against potential cyber threats. This proactive approach not only stops malware in its tracks but also ensures that organizations can maintain their operational integrity without the fear of interruption from cyber attacks.
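The three steps above (parse the document, extract its embedded links, decide which links hand the user a downloadable file and therefore deserve emulation) can be illustrated with a small triage script. The following is an added example written for this page, not Check Point's engine or any of its code: it pulls link targets out of uncompressed PDF /URI actions and out of OOXML (docx/xlsx/pptx) external relationships, then flags URLs whose path ends in an archive or executable extension. The real engine fetches each URL and inspects what comes back; here, to stay offline, the "is this a download?" decision is made from the URL alone, and the sample PDF and docx bytes are constructed inline. Domain names, file names and extension lists are assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Extensions that suggest a link delivers a file rather than a web page.
# Assumption: a production engine would fetch the URL and check the response;
# this offline stand-in decides from the URL path only.
DOWNLOAD_EXTENSIONS = (".7z", ".zip", ".rar", ".exe", ".msi", ".iso", ".js", ".vbs", ".lnk")

# Matches "/URI (literal string)" in PDF objects, honouring backslash escapes
# inside the literal. Only uncompressed objects are visible to this regex; a
# real parser would first inflate object streams.
PDF_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_pdf_urls(data: bytes) -> list[str]:
    """Return the targets of /URI link actions found in a PDF's raw bytes."""
    urls = []
    for m in PDF_URI_RE.finditer(data):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
        urls.append(raw.decode("latin-1"))
    return urls


def extract_ooxml_urls(data: bytes) -> list[str]:
    """Return external relationship targets (hyperlinks) from a docx/xlsx/pptx zip."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter():
                # Hyperlinks are stored as relationships with TargetMode="External"
                if rel.get("TargetMode") == "External" and rel.get("Target"):
                    urls.append(rel.get("Target"))
    return urls


def extract_urls(data: bytes) -> list[str]:
    """Dispatch on the file signature: PDF header or zip (OOXML) magic."""
    if data.startswith(b"%PDF"):
        return extract_pdf_urls(data)
    if data.startswith(b"PK\x03\x04"):
        return extract_ooxml_urls(data)
    return []


def looks_like_download(url: str) -> bool:
    """Heuristic stand-in for 'clicking' the link: does the path end in a file extension?"""
    return urlparse(url).path.lower().endswith(DOWNLOAD_EXTENSIONS)


def triage_document(data: bytes) -> dict:
    """Return every embedded URL plus the subset that should be sent to emulation."""
    urls = extract_urls(data)
    return {"urls": urls, "to_emulate": [u for u in urls if looks_like_download(u)]}


# Constructed sample PDF with two link annotations: one archive, one web page.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://example.com/Adobe/Adobe-Reader-v8.0-latest-installer.7z) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://example.com/help.html) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_sample_docx() -> bytes:
    """Construct a minimal docx in memory with one external hyperlink and one internal part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr(
            "word/_rels/document.xml.rels",
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            'Target="https://example.com/files/update.exe" TargetMode="External"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
            'Target="styles.xml"/>'
            "</Relationships>",
        )
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_document(SAMPLE_PDF))
    print(triage_document(build_sample_docx()))
```

The extension heuristic is deliberately the weakest part: a download link without an extension, or one behind a redirector, is exactly the case where actually fetching the URL (as the engine described above does) matters.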

With DocLink Defender, Check Point reaffirms its commitment to pioneering cybersecurity solutions that meet the challenges of today’s complex digital environment.

In this case study, we present an example of a real-life attack that was prevented at the first stage. This attack, observed in January 2024, posed a threat to multiple Threat Emulation customers by potentially compromising them with malware infections, and was blocked by this new engine.


Figure 1 – the attack chain

  1. The user receives a PDF file displaying a ‘blurred out’ image of a document (refer to Figure 2).
  2. When it opens, it prompts a message box notifying the user that the document is not compatible with the version of Adobe Acrobat Reader running on their device (refer to Figure 3).


Figure 2 – the user received ‘blurred out’ image


Figure 3 – message box prompt displayed to the user upon opening the document

  3. The PDF contains a download link to an archive (hxxps://zampieri1949[.]com/Adobe/Adobe-Reader-v8.0-latest-installer.7z) that pretends to be an Adobe Acrobat Reader installer, tricking the user into clicking on it to update the version of Adobe Acrobat Reader on their device.

Once the user clicks on the link, an archive named ‘Adobe-Reader-v8.0-latest-installer.7z’ is downloaded to their device. This archive contains an executable that pretends to be an installer for the latest version of Adobe Acrobat Reader:


Figure 4 – ‘Adobe-Reader-v8.0-latest-installer.7z’ archive with deceptive Adobe Acrobat Reader installer

  4. After the user double-clicks the ‘installer’, the malicious executable starts running, writing multiple files to disk and engaging in various background activities, such as running a Windows .NET process and downloading a malicious payload from the web (refer to Figures 5 and 6).


Figure 5 – malicious executable activity on user’s device


Figure 6 – directory written to the disk by the installer

The ‘Adobe-Reader-v8.0-latest-installer.exe’ executable is classified as GuLoader, a network dropper that retrieves encrypted payloads from external resources, typically Google Drive and OneDrive. These payloads are loaded directly into memory rather than being written to disk. GuLoader first emerged in the latter part of 2019 and has since been used to download and execute malicious payloads.

This dropper specifically downloads its malicious payload from a Google Drive URL: ‘hxxps://drive[.]google.com/uc?export=download&id=13JuJGhsay6su2dNrCWIs09EBsouylP-m’

  5. The downloaded payload, identified as Agent Tesla malware, is an advanced remote access trojan (RAT) that specializes in stealing and exfiltrating sensitive information from infected machines. Agent Tesla can harvest various data types, including keystrokes, login credentials from browsers such as Google Chrome and Mozilla Firefox, and credentials from email clients found on infected machines.
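Seen from the endpoint rather than the gateway, the chain above has four observable stages that a detection rule can correlate per host: an archive with an "installer" name lands in a user directory, an unsigned executable with the same name runs from a user-writable path, that executable spawns a process from the .NET Framework directory, and the .NET child fetches something from a cloud-storage download URL. The following is an added example for this page, not Check Point's detection logic: it runs that correlation over a few constructed telemetry records (one host replaying the chain, one host doing an ordinary download). The event schema, process names, paths and the placeholder Drive file id are all assumptions; a real rule would key on whatever fields your EDR exposes.

```python
from urllib.parse import parse_qs, urlparse

ARCHIVE_EXTS = (".7z", ".zip", ".rar")
DOTNET_HINT = "\\microsoft.net\\framework"          # matches the .NET Framework install path
CLOUD_HOSTS = {"drive.google.com", "onedrive.live.com"}

# Constructed telemetry, loosely modelled on the stages described above.
# "example-dotnet-process.exe" and the Drive id are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "file_write", "process": "chrome.exe",
     "path": r"C:\Users\alice\Downloads\Adobe-Reader-v8.0-latest-installer.7z"},
    {"host": "ws01", "type": "process_start", "process": "Adobe-Reader-v8.0-latest-installer.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\7zO1234\Adobe-Reader-v8.0-latest-installer.exe",
     "parent": "explorer.exe", "signer": ""},
    {"host": "ws01", "type": "process_start", "process": "example-dotnet-process.exe",
     "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\example-dotnet-process.exe",
     "parent": "Adobe-Reader-v8.0-latest-installer.exe", "signer": "Microsoft Windows"},
    {"host": "ws01", "type": "network", "process": "example-dotnet-process.exe",
     "url": "https://drive.google.com/uc?export=download&id=PLACEHOLDER-ID"},
    # Benign host: a browser downloads a report and fetches a shared Drive file itself.
    {"host": "ws02", "type": "file_write", "process": "chrome.exe",
     "path": r"C:\Users\bob\Downloads\quarterly-report.pdf"},
    {"host": "ws02", "type": "network", "process": "chrome.exe",
     "url": "https://drive.google.com/uc?export=download&id=PLACEHOLDER-ID"},
]


def is_cloud_download(url: str) -> bool:
    """True for direct-download style URLs on the cloud-storage hosts GuLoader is known to use."""
    p = urlparse(url)
    if p.netloc.lower() not in CLOUD_HOSTS:
        return False
    return "download" in p.path.lower() or parse_qs(p.query).get("export") == ["download"]


def analyse_host(events: list) -> list:
    """Walk one host's events in order; return the chain stages that fired, in order."""
    stages = []
    lure_stems = set()        # basenames (without extension) of suspicious archives
    suspicious_procs = set()  # process names that ran from user dirs under a lure name
    dotnet_children = set()   # .NET processes spawned by a suspicious process
    for ev in events:
        if ev["type"] == "file_write":
            name = ev["path"].rsplit("\\", 1)[-1].lower()
            if name.endswith(ARCHIVE_EXTS) and "installer" in name:
                lure_stems.add(name.rsplit(".", 1)[0])
                stages.append("lure_archive_downloaded")
        elif ev["type"] == "process_start":
            name = ev["process"].lower()
            path = ev["path"].lower()
            stem = name.rsplit(".", 1)[0]
            if stem in lure_stems and "\\users\\" in path and not ev.get("signer"):
                suspicious_procs.add(name)
                stages.append("unsigned_installer_from_user_dir")
            elif ev.get("parent", "").lower() in suspicious_procs and DOTNET_HINT in path:
                dotnet_children.add(name)
                stages.append("dotnet_child_of_installer")
        elif ev["type"] == "network":
            if ev["process"].lower() in dotnet_children and is_cloud_download(ev["url"]):
                stages.append("cloud_hosted_payload_fetch")
    return stages


def detect(events: list, min_stages: int = 3) -> dict:
    """Group events by host and alert when enough consecutive stages of the chain are present."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    result = {}
    for host, evs in by_host.items():
        stages = analyse_host(evs)
        result[host] = {"stages": stages, "alert": len(stages) >= min_stages}
    return result


if __name__ == "__main__":
    for host, verdict in detect(SAMPLE_EVENTS).items():
        print(host, verdict)
```

The point of chaining the stages through parent/child and process-name state, rather than alerting on any one of them, is that each stage alone is common on a healthy fleet: browsers download archives, users run installers, and plenty of software spawns .NET processes that talk to Google Drive. Only the sequence is rare.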

With DocLink Defender, Threat Emulation has prevented multiple zero-day attacks against customers around the world.

Check Point customers using Quantum and Harmony products with activated Threat Emulation are protected from similar threats.
