Introducing DocLink Defender for Real-Time Malware Blockade – Check Point Blog

DocLink Defender provides real-time protection by analyzing documents and embedded URLs, mimicking user actions to test downloads and blocking malicious content at the source. It has demonstrated defense against advanced threats like Agent Tesla and integrates with Check Point Threat Emulation for Quantum and Harmony users. #DocLinkDefender #AgentTesla #GuLoader #ThreatEmulation #CheckPoint #Quantum #Harmony

Key Points

  • DocLink Defender analyzes document structure and embedded URLs and simulates user actions to determine if a URL leads to a downloadable file, then subjects suspicious content to threat emulation.
  • Shows defense against sophisticated threats, notably Agent Tesla, by stopping the infection chain at the first stage.
  • Integrates with Check Point Threat Emulation for Check Point Quantum and Harmony users, adding an additional layer of protection.
  • Case study (January 2024) demonstrates prevention at the first stage of a multi-step attack involving a deceptive PDF and a downloadable installer.
  • The attack chain involves a deceptive archive that pretends to be an Adobe Acrobat Reader installer and a malicious downloader that downloads GuLoader and then Agent Tesla.
  • Agent Tesla is described as an advanced RAT capable of keystroke capture and credential harvesting from browsers and email clients, highlighting the data exfiltration risk.
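The first key point describes a defender-side pipeline: extract the URLs embedded in a document, "click" each one the way a user would, decide whether the click would hand the user a file, and route only those URLs to sandbox emulation. The following is an added illustration of that triage logic, not Check Point's engine or any code from the original post. It replaces the HTTP layer with a constructed in-memory table of header-only responses (hosts on the reserved `.invalid` TLD, not real servers) so it runs offline; a real deployment would pass in an HTTP client that follows redirects and reads headers without downloading the body.

```python
"""Triage URLs embedded in a document: probe each link the way a click would
and flag the ones that resolve to a downloadable file for sandbox emulation.
Example code modelled on the page's description; the web is simulated."""
import posixpath
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s"'<>)\]]+""")

# File types that a phishing lure would typically hand to the user on click.
DOWNLOAD_EXTENSIONS = {".7z", ".zip", ".rar", ".iso", ".exe", ".msi", ".scr", ".js", ".vbs"}
BINARY_CONTENT_TYPES = {
    "application/octet-stream",
    "application/zip",
    "application/x-7z-compressed",
    "application/x-msdownload",
    "application/vnd.microsoft.portable-executable",
}


@dataclass
class Probe:
    """What a header-only request (following redirects) tells us about a URL."""
    final_url: str
    status: int
    content_type: str = ""
    content_disposition: str = ""


FetchFn = Callable[[str], Optional[Probe]]

# Constructed stand-in for live probing (hypothetical hosts, not real servers).
FAKE_WEB: Dict[str, Probe] = {
    "https://files.example.invalid/Adobe/Adobe-Reader-latest-installer.7z": Probe(
        final_url="https://files.example.invalid/Adobe/Adobe-Reader-latest-installer.7z",
        status=200, content_type="application/x-7z-compressed",
        content_disposition='attachment; filename="Adobe-Reader-latest-installer.7z"'),
    "https://share.example.invalid/uc?export=download&id=abc123": Probe(
        # a file-sharing style link that redirects to a CDN serving an unnamed blob
        final_url="https://cdn.example.invalid/dl/abc123",
        status=200, content_type="application/octet-stream"),
    "https://www.example.invalid/help/reader": Probe(
        final_url="https://www.example.invalid/help/reader",
        status=200, content_type="text/html; charset=utf-8"),
}


def fake_fetch(url: str) -> Optional[Probe]:
    """Offline replacement for an HTTP client; None means unreachable."""
    return FAKE_WEB.get(url)


def extract_urls(text: str) -> List[str]:
    """Collect unique http(s) URLs from the document's text layer, in order."""
    seen, out = set(), []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;")  # drop sentence punctuation glued to the link
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def is_downloadable(probe: Probe) -> bool:
    """Would 'clicking' this URL hand the user a file rather than a web page?"""
    if probe.status != 200:
        return False
    if "attachment" in probe.content_disposition.lower():
        return True
    content_type = probe.content_type.split(";")[0].strip().lower()
    if content_type in BINARY_CONTENT_TYPES:
        return True
    ext = posixpath.splitext(urlparse(probe.final_url).path)[1].lower()
    return ext in DOWNLOAD_EXTENSIONS


def triage_document(text: str, fetch: FetchFn = fake_fetch) -> Dict[str, str]:
    """Map each embedded URL to a verdict: 'emulate' (downloadable file, send to
    the sandbox), 'benign-page' (ordinary web content) or 'unreachable'."""
    verdicts: Dict[str, str] = {}
    for url in extract_urls(text):
        probe = fetch(url)
        if probe is None:
            verdicts[url] = "unreachable"
        elif is_downloadable(probe):
            verdicts[url] = "emulate"
        else:
            verdicts[url] = "benign-page"
    return verdicts


# Constructed lure text standing in for a document's extracted text layer.
SAMPLE_DOC = """Your document is ready. Install the viewer from
https://files.example.invalid/Adobe/Adobe-Reader-latest-installer.7z or use the
mirror at https://share.example.invalid/uc?export=download&id=abc123.
Help: https://www.example.invalid/help/reader. Old link: https://gone.example.invalid/x"""

if __name__ == "__main__":
    for link, verdict in triage_document(SAMPLE_DOC).items():
        print(f"{verdict:12} {link}")
```

The decision deliberately looks at the response after redirects rather than at the link text, because the second constructed URL carries no file extension at all and only reveals itself as a binary download once followed; that is the case a link-text-only filter misses.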

MITRE Techniques

  • [T1204.002] User Execution – Malicious Link – The engine mimics user actions by clicking URLs embedded in documents to test if they point to downloadable content. Quote: ‘the engine “clicks” on each URL to determine if it points to a downloadable file on the internet.’
  • [T1036] Masquerading – The archive contains misleading content and pretends to be an installer for a legitimate application. Quote: ‘pretends to be an Adobe Acrobat Reader installer.’
  • [T1105] Ingress Tool Transfer – The GuLoader dropper downloads encrypted payloads from external resources (Google Drive/OneDrive) and loads them into memory. Quote: ‘GuLoader… downloads encrypted payloads from external resources, typically Google Drive and OneDrive.’
  • [T1105] Ingress Tool Transfer – The dropper retrieves a payload from a Google Drive URL for execution. Quote: ‘downloads malicious payload from a Google Drive URL: hxxps://drive[.]google.com/uc?export=download&id=13JuJGhsay6su2dNrCWIs09EBsouylP-m’
  • [T1056.001] Keylogging – Agent Tesla can harvest keystrokes on infected machines. Quote: ‘Agent Tesla can harvest various data types, including keystrokes.’
  • [T1555.003] Credentials in Web Browsers – Agent Tesla collects login credentials from browsers like Chrome and Firefox. Quote: ‘login credentials from browsers like Google Chrome and Mozilla Firefox.’

Indicators of Compromise

  • [URL] context – hxxps://zampieri1949[.]com/Adobe/Adobe-Reader-v8.0-latest-installer.7z, hxxps://drive[.]google.com/uc?export=download&id=13JuJGhsay6su2dNrCWIs09EBsouylP-m
  • [Domain] context – drive[.]google.com, zampieri1949[.]com
  • [File] context – Adobe-Reader-v8.0-latest-installer.7z, Adobe-Reader-v8.0-latest-installer.exe
  • [Malware] context – Agent Tesla, GuLoader

Read more: https://blog.checkpoint.com/security/shield-your-documents-introducing-doclink-defender-for-real-time-malware-blockade/