On Friday May 10, 2013, Check Point's Threat Emulation technology detected a phishing email attack employing then-unknown malware on several organisations' networks. The attack takes advantage of a vulnerability in Microsoft's Windows Common Controls described in CVE-2012-0158. Because this new variant has a different cryptographic hash from the original, no anti-virus tools had detected it up to that point in time.
The attack starts with phishing emails purporting to be from Citibank or Bank of America. The emails, which contain subject lines such as "Merchant Statement", invite recipients to open an infected Microsoft Word attachment with names such as "Statement ID 4657-345-347-0332.doc". When opened, the attachment infects the machine with several malicious executables and places the machine under the control of a remote "botnet" command and control centre.
The attack can successfully infect both Windows 7 and XP platforms. Additional variants are in the wild, with at least one additional one being detected within 48 hours of the first. Check Point recommends companies do the following:
* Ensure that the Microsoft Update described in MS12-027 has been deployed to all endpoint machines in their networks
* Educate or remind users on the risks of opening email attachments from unknown external senders
At detection by Threat Emulation, attack information was automatically uploaded to Check Point’s ThreatCloud, which then propagated AV signatures to all Check Point customers with current AV update subscriptions.
Dorit Dor, vice president of products at Check Point Software Technologies said: “Threat Emulation technology is capable of detecting and preventing against new attacks, and variants of existing ones. Our sandboxing technology closes the gap between the time new attacks are launched and when AV updates are made available, providing the most effective threat prevention available today.”