SandBlast Threat Extraction and CADET delivered on the Check Point zero-day prevention promise by blocking yet another completely new attack vector.
On June 11th, a researcher from SpecterOps disclosed a new infection vector based on the SettingContent-ms file type. The technique was quickly adapted and used in a massive FlawedAmmyy RAT malspam campaign that embedded a SettingContent-ms file inside a PDF. It bypassed previously introduced Windows 10 defenses, including Attack Surface Reduction (ASR) and the detection of dangerous OLE-embedded file formats.
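A defender's first question on reading the paragraph above is how to spot this kind of carrier document before it reaches a user. The following is an added illustration, not Check Point's code and not part of the Threat Extraction or CADET products: it walks the raw bytes of a PDF, lists the names declared in its file-attachment (`/Filespec`) dictionaries, and flags any attachment whose name ends in `.SettingContent-ms`. The sample PDF is constructed inline for the demonstration; the regex approach assumes uncompressed objects and literal `(...)` strings, so a production scanner would run the same check on top of a real PDF parser that also handles object streams and hex-encoded names.

```python
import re

# Constructed sample: a minimal, uncompressed PDF fragment carrying a benign
# text attachment and a second attachment named with the SettingContent-ms
# extension. The stream contents are placeholders, not a real payload.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> >>
endobj
2 0 obj
<< /Names [ (notes.txt) 3 0 R (invoice.SettingContent-ms) 5 0 R ] >>
endobj
3 0 obj
<< /Type /Filespec /F (notes.txt) /UF (notes.txt) /EF << /F 4 0 R >> >>
endobj
4 0 obj
<< /Type /EmbeddedFile /Length 5 >>
stream
hello
endstream
endobj
5 0 obj
<< /Type /Filespec /F (invoice.SettingContent-ms) /UF (invoice.SettingContent-ms) /EF << /F 6 0 R >> >>
endobj
6 0 obj
<< /Type /EmbeddedFile /Length 11 >>
stream
placeholder
endstream
endobj
"""

# One /Filespec dictionary runs from its /Type entry to the object's endobj.
FILESPEC_RE = re.compile(rb"/Type\s*/Filespec(?P<body>.*?)endobj", re.S)
# Attachment names live in the /F and /UF entries as literal strings.
# Assumption: names are plain (...) literals without escaped parentheses.
NAME_RE = re.compile(rb"/(?:F|UF)\s*\((?P<name>[^)]*)\)")

# Extensions treated as risky; compared case-insensitively.
RISKY_EXTENSIONS = (b".settingcontent-ms",)


def embedded_file_names(pdf_bytes: bytes) -> list[bytes]:
    """Return the distinct attachment names declared in /Filespec objects."""
    names: list[bytes] = []
    for spec in FILESPEC_RE.finditer(pdf_bytes):
        for entry in NAME_RE.finditer(spec.group("body")):
            name = entry.group("name")
            if name not in names:
                names.append(name)
    return names


def find_risky_attachments(pdf_bytes: bytes) -> list[bytes]:
    """Return attachment names whose extension is on the risky list."""
    return [
        name
        for name in embedded_file_names(pdf_bytes)
        if name.lower().endswith(RISKY_EXTENSIONS)
    ]


if __name__ == "__main__":
    print("attachments:", embedded_file_names(SAMPLE_PDF))
    print("flagged:", find_risky_attachments(SAMPLE_PDF))
```

Matching on the attachment name is deliberately simple: it catches the carrier described in this post regardless of what the embedded file contains, which is the same property that makes content-agnostic Threat Extraction effective. Pair it with a parser-based check for compressed objects, or the string match will silently miss attachments stored inside object streams.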
My recording of the malicious file's behavior vs. the cleaned file's behavior. Kudos to Netanel Ben Simon for staging the attack:
Another great Threat Extraction win.
26.9.18 (GN) Edited to better explain the Screen Shot
4.10.18 (GN) Changed the screen capture to a video showing the malicious behavior vs. a cleaned file behavior
8.10.18 (GN) Updated the recording with narration