This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Gad_Naveh
Employee Alumnus
Employee Alumnus
‎2018-11-07 03:32 AM

Quick and Dirty Alert

We are witnessing a surge in weaponized Microsoft documents containing a macro.

This campaign has very low detection by signature based solutions. It uses advanced social engineering techniques designed to make the user open the document and enable the macro. As you can see in the screen shots these are similar but more graphically adapt to the notorious locky campaign of 2016.

            Screen shot of documents cleaned by Threat Extraction.

The last couple of days show a ten fold increase in the malicious files.

The surge as seen in numbers in the last week. 

SandBlast Threat Extraction cleans the macro from the document at zero time.

SandBlast prevents the download of the original file by three zero day engines: Macro Analyzer, CPU level detection on crash and the emulator by its malicious process activity.

I'll update when there is more data.

Thanks,

Gadi

Preview file
453 KB
4 Replies
Vladimir
Champion
Champion
‎2018-11-07 05:44 AM

Gad,

Can you tell if the TX is necessary for this protection to work or if TE will be able to catch it?

0 Kudos
Gad_Naveh
Employee Alumnus
Employee Alumnus
‎2018-11-07 06:11 AM

Hi Vladimir,

Yes, TE is able to catch it and prevent it.

I'll upload a report

Ryan_St__Germai
Collaborator
‎2018-11-08 06:02 AM

Sample this morning came with two word documents. AV Blade caught the emails. Does Emotet usually send two attachments?

0 Kudos
Gad_Naveh
Employee Alumnus
Employee Alumnus
‎2018-11-08 06:32 AM

Not that I am aware of, please do share