Check Point SandBlast protected users from a Zero-Day Microsoft Office Vulnerability

Microsoft Office Vulnerability Found, Check Point Research To The Rescue

Neil Armstrong, the great space explorer, once said "research is all about creating new knowledge." And of course, with knowledge we are in a better position to predict, and thus prepare for, what is yet to come. For this reason, the work Check Point Research does is invaluable when it comes to translating knowledge into better protection for our customers. Let's take a closer look at how.

In April 2017, our team discovered a weakness in Microsoft Office 2007, 2010, 2013 and 2016 and, although a patch was released soon after, an exploit for this vulnerability was recently found in the wild. It is being used by a new downloader that drops the information-stealing malware AgentTesla and Loki. These families can steal a user's saved login credentials from Google Chrome, Mozilla Firefox, Microsoft Outlook and other applications, capture screenshots, record from the webcam, and install additional malware on infected machines.

However, because this new malware is built with highly evasive obfuscation techniques, most anti-virus software has so far been unable to detect it. Many would be forgiven for thinking that modern Word documents are more secure than RTF or DOC files, but in the fifth generation of the threat landscape attackers continually seek to stay one step ahead, adapting their tradecraft to bypass everyday software.

How the Infection Occurs

The attack is launched when a user opens a malicious RTF file, which starts Microsoft Word. Soon after launching, Word opens Microsoft Equation Editor (a helper application for creating the mathematical equations inserted into Word documents). Because Word instantiates the editor as an out-of-process COM server, the editor's parent in the process tree is the svchost.exe instance hosting the DCOM launcher service, not Word itself. In normal circumstances this should be the end of the story: Equation Editor has no legitimate reason to start other programs. In the case of AgentTesla, however, the Equation Editor process takes the unusual and highly suspicious next step of launching an executable of its own.

What's more, the executable it launches, scvhost.exe, is a near copy of the name of the legitimate Windows process svchost.exe, the very process that launched Equation Editor, so it is easy to overlook in a process list. It is at this point, when this second process runs, that a connection to the attacker's Command and Control (C&C) server is established and the final payload is downloaded onto the victim's computer.
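The process chain above (svchost.exe hosting Equation Editor, which then spawns a lookalike-named executable) is what an endpoint detection rule should key on. The following is an added example, not code from Check Point or from the original post: it parses constructed, Sysmon-style process-creation records and raises two alerts, one for any child process of Equation Editor and one for image names that are a near-miss of a Windows system binary. Two assumptions are labelled in the code: the simplified `timestamp|pid|ppid|image` log layout, and Equation Editor's image name EQNEDT32.EXE, which the text does not give.

```python
"""Process-tree detection for the Equation Editor chain described above.

Added example, not Check Point's or the original post's code.
Assumptions: the log lines are constructed here in a simplified Sysmon-like
'timestamp|pid|ppid|image' layout, and Equation Editor's image name is
EQNEDT32.EXE (the component's real file name, which the text does not give).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import os

EQUATION_EDITOR = "eqnedt32.exe"   # assumption: image name of Microsoft Equation Editor
# Legitimate Windows image names that lookalike malware names imitate (scvhost.exe vs svchost.exe).
LEGIT_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe")

# Constructed sample log (not real telemetry): timestamp|pid|ppid|image
LOG = r"""
# constructed process-creation events
10:00:01|4|0|System
10:00:02|612|4|C:\Windows\System32\svchost.exe
10:00:05|3120|1800|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE
10:00:07|3344|612|C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
10:00:09|3580|3344|C:\Users\victim\AppData\Roaming\scvhost.exe
"""


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str

    @property
    def name(self) -> str:
        # basename of a Windows path, case-folded, so comparisons ignore path and case
        return os.path.basename(self.image.replace("\\", "/")).lower()


def parse(lines: List[str]) -> Dict[int, Proc]:
    procs: Dict[int, Proc] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, pid, ppid, image = line.split("|", 3)
        procs[int(pid)] = Proc(int(pid), int(ppid), image)
    return procs


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), so a swap of two letters costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str) -> Optional[str]:
    """Legitimate name this one imitates: within two edits but not an exact match."""
    if name in LEGIT_NAMES:
        return None
    for legit in LEGIT_NAMES:
        if edit_distance(name, legit) <= 2:
            return legit
    return None


def process_chain(procs: Dict[int, Proc], pid: int) -> str:
    """Ancestry from pid up to the root, e.g. 'scvhost.exe <- eqnedt32.exe <- svchost.exe <- system'."""
    names, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        names.append(procs[pid].name)
        pid = procs[pid].ppid
    return " <- ".join(names)


Alert = Tuple[str, int, str]   # (rule, pid, detail)


def detect(lines: List[str]) -> List[Alert]:
    procs = parse(lines)
    alerts: List[Alert] = []
    for p in sorted(procs.values(), key=lambda q: q.pid):
        parent = procs.get(p.ppid)
        # Rule 1: Equation Editor never needs to create processes; any child is suspicious.
        if parent is not None and parent.name == EQUATION_EDITOR:
            alerts.append(("equation_editor_child", p.pid, f"{process_chain(procs, p.pid)} ({p.image})"))
        # Rule 2: image name is a near-miss of a Windows system binary.
        legit = lookalike_of(p.name)
        if legit is not None:
            alerts.append(("lookalike_name", p.pid, f"{p.name} imitates {legit} ({p.image})"))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(LOG.splitlines()):
        print(f"{rule:22} pid={pid} {detail}")
```

Rule 1 is the high-fidelity one: it does not depend on the payload's name or hash, only on Equation Editor doing something it never does legitimately, so it survives the obfuscation the text describes. Rule 2 is deliberately loose (two edits) and never fires on an exact legitimate name, but on real telemetry it should also be gated on the image path, since a genuine svchost.exe lives under the Windows directory, not a user's profile.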

From Theoretical Research to Practical Protection

While this sequence of events is deeply hidden from most anti-virus software, thanks to the earlier discovery of Microsoft vulnerability CVE-2017-11882, a buffer overflow in the Equation Editor component (EQNEDT32.EXE) triggered by a crafted embedded equation object, Check Point's SandBlast Zero-Day Protection was already ahead of the curve.

Using a combination of multiple layers of advanced threat protection and automated reverse-engineering methods, the pre-infection Threat Emulation engine at the core of SandBlast Zero-Day Protection is able to detect this new RTF downloader before it has the opportunity to deploy its evasion code and enter a network or endpoint. It is these inspection capabilities that let SandBlast Zero-Day Protection deliver a high catch rate for threats and resist even sophisticated evasion techniques.

SandBlast Zero-Day Protection also includes the Threat Extraction capability, which provides practical protection by proactively reconstructing content into safe documents, preventing malware from ever reaching users. With traditional sandboxing products, customers usually have to choose between delaying the delivery of files until inspection is complete and running in 'detection only' mode, which lets content through while testing is done in parallel. Threat Extraction makes real-world deployment in 'prevent' mode possible by promptly delivering a clean copy of the content, and only then delivering the original once it is deemed safe.
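The text does not say how Threat Extraction rebuilds a document, so the following is an added illustration of the idea rather than Check Point's code: an RTF sanitizer that removes every embedded OLE object group (the `{\object ...}` destination that carries the crafted equation object in this attack) and hands back a clean copy together with an inventory of what was removed. It reads the object's class name out of the OLE1 header inside `\objdata` instead of trusting the `\objclass` keyword, because the attacker controls both and may omit or falsify the latter. The sample document, including its truncated OLE1 header, is constructed for this example.

```python
"""RTF sanitizer in the spirit of the content-reconstruction idea above.

Added example, not Check Point's Threat Extraction code. It removes embedded
OLE object groups ({\\object ...}, plus stray {\\*\\objdata} / {\\*\\objclass}
groups) from an RTF file, reports what it removed, and reads the class name
from the OLE1 header inside \\objdata rather than trusting \\objclass, which the
attacker controls. The sample document below is constructed for this example.
"""
import re
import struct
from typing import Dict, List, Optional, Tuple

# Constructed sample: a benign document carrying an embedded Equation.3 object with a
# truncated OLE1 ObjectHeader (version 0x501, format 2 = embedded, class name length, class name).
SAMPLE = r"""{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}
\pard Quarterly report \{draft\} attached.\par
{\object\objemb\objw1000\objh1000{\*\objclass Equation.3}{\*\objdata 0105000002000000
0b0000004571756174696f6e2e330000000000
00000000}{\result {\pict\wmetafile8 0100}}}
\par Regards.\par}"""

STRIP = {"object", "objdata", "objclass"}                 # destinations dropped wholesale
CONTROL_WORD = re.compile(r"\\([a-zA-Z]+)(-?\d+)? ?")     # \word, optional parameter, optional delimiter space


def read_control(rtf: str, i: int) -> Tuple[Optional[str], int]:
    """At rtf[i] == '\\': return (control word, or None for a control symbol; index after it)."""
    m = CONTROL_WORD.match(rtf, i)
    if m:
        if m.group(1) == "bin":
            # \binN is followed by N raw bytes that may contain braces; refuse rather than mis-parse
            raise ValueError("\\bin data not supported")
        return m.group(1), m.end()
    return None, i + 2          # control symbol such as \{  \}  \\  \'  \*


def destination(rtf: str, i: int) -> Optional[str]:
    """First control word of the group opening at rtf[i] == '{', skipping a leading \\*."""
    j = i + 1
    while j < len(rtf) and rtf[j] == "\\":
        word, j = read_control(rtf, j)
        if word is not None:
            return word
    return None


def group_end(rtf: str, start: int) -> int:
    """Index just past the '}' closing the group opened at rtf[start]; escaped braces are ignored."""
    depth, i = 0, start
    while i < len(rtf):
        c = rtf[i]
        if c == "\\":
            _, i = read_control(rtf, i)
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unbalanced RTF group")


def ole1_class_name(data: bytes) -> Optional[str]:
    """Class name from an OLE1 ObjectHeader: version(4) format(4) name_len(4) name[name_len]."""
    if len(data) < 12:
        return None
    (name_len,) = struct.unpack_from("<I", data, 8)
    name = data[12:12 + name_len]
    if len(name) != name_len:
        return None
    return name.rstrip(b"\x00").decode("latin-1")


def describe(group: str) -> Dict[str, object]:
    cls = re.search(r"\\objclass\s*([^{}\\]+)", group)
    declared = cls.group(1).strip() if cls else None
    data = re.search(r"\\objdata\s*([0-9A-Fa-f\s]+)", group)
    payload = bytes.fromhex(re.sub(r"\s", "", data.group(1))) if data else b""
    header = ole1_class_name(payload)
    targets_eqn = any(c is not None and c.lower().startswith("equation") for c in (declared, header))
    return {"declared_class": declared, "header_class": header,
            "size": len(payload), "targets_equation_editor": targets_eqn}


def strip_objects(rtf: str) -> Tuple[str, List[Dict[str, object]]]:
    """Return (clean RTF with object groups removed, descriptions of the removed objects)."""
    out: List[str] = []
    removed: List[Dict[str, object]] = []
    i = 0
    while i < len(rtf):
        c = rtf[i]
        if c == "\\":
            _, j = read_control(rtf, i)     # copy control words and symbols verbatim
            out.append(rtf[i:j])
            i = j
            continue
        if c == "{" and destination(rtf, i) in STRIP:
            end = group_end(rtf, i)
            removed.append(describe(rtf[i:end]))
            i = end
            continue
        out.append(c)
        i += 1
    return "".join(out), removed


if __name__ == "__main__":
    clean, removed = strip_objects(SAMPLE)
    print(removed)
    print(clean)
```

Two caveats a practitioner should keep in mind. The sanitizer refuses documents using `\binN` raw-byte runs rather than guessing where they end, because a wrong guess would let a brace inside the binary run confuse the group matching. And stripping the object is only half of a reconstruction: a production rewriter would also re-emit the remaining text through a whitelist of known-safe keywords, since other destinations (pictures, fields, fonts) have carried exploits of their own.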


The value of research cannot be overstated. Without it we would not have the knowledge to prepare ourselves for the known or the unknown. After all, the research done by NASA ensured Neil Armstrong was not only successful in his mission to the moon, but also remained safe.

Likewise, the discovery of the vulnerability in Microsoft Office shows the importance of creating knowledge through research and illustrates the ongoing improvements to Check Point SandBlast Zero-Day Prevention made to keep our customers secure. The appearance of this RTF downloader in the wild, exploiting that vulnerability, shows once again that organizations need more than traditional sandboxing solutions to protect their networks against today's advanced attacks.

To protect against this new malware and other unknown malware, users are advised to patch their systems and the software they use promptly; for this campaign that means applying Microsoft's update for CVE-2017-11882.

Check out more information on how Check Point SandBlast Zero-Day Prevention can keep your organization fully protected.
