BitDam Blog

Eyal Blyachman
Eyal Blyachman
3 minutes & 43 seconds read · December 9, 2018

Exploited in a flash – CVE 2018-15982

A few days ago, a new flash zero-day vulnerability was discovered.

The attack was allegedly linked to ‘HackingTeam’, the Italian offensive cyber company that was breached about three years ago.

The sample exploits a Use After Free’ vulnerability in a Flash class named “com.adobe.tvsdk.mediacore.metadata.Metadata”. A weaponized MS Word document contains an embedded malicious SWF that exploits flash into running a shellcode.

Would BitDam detect it?

Luckily, none of our customers received this attack, but we wanted to confirm that they would have been protected if they would have received it when it was just issued.

That is why we used an older version of BitDam to scan the malicious file. We used an engine version that was never exposed to this attack. We had no doubt that BitDam would detect it, after all, that’s the “magic” about BitDam – it detects zero day attacks that it hasn’t seen before.

So we scanned the original sample of the vulnerability (Sha1-2d22bf18ab1a8db0309c477472b481b0641b9dc7) with BitDam’s old engine. Here are the scan results:

Figure 1

As expected, the BitDam engine was able to notice whitelist deviations and extract interesting information:

  1. There was a foreign commandline identified with the following commandline –
    C:\\WINDOWS\\system32\\cmd.exe /c set path=%ProgramFiles(x86)%\\WinRAR;C:\\Program Files\\WinRAR; && cd /d %~dp0 & rar.exe e -o+ -r -inul *.rar scan042.jpg & rar.exe e -o+ -r -inul scan042.jpg backup.exe & backup.exe
  2. BitDam extracted the APIs that the shellcode was using. One of those APIs was “CREATEPROCESSASTUB“.

When we tried to look at the file manually, the first thing that popped up is a document written in Russian that looks like a personal information form of a healthcare company (shown in figure2).

Figure 2

When the user allows the content to play, the malicious SWF is loaded.

Technical Drilldown

Due to the results we received from our system, the first step we took was to look for the shellcode. Figure 3 shows the call instruction within the shellcode that starts the cmd.exe process.

Figure 3

A deeper look into the extracted shellcode revealed additional functionalities and a string.

Figure 4 shows a dump of the shellcode in the memory. The string is highlighted in red and the ‘call’ instruction from before is marked in blue.

Figure 4

The highlighted string is the arguments used to create the malicious process that runs the payload.

To dig a little deeper into the shellcode, we created a very simple and small program that allocates memory in a page with execute permissions, then copies the shellcode and executes it. We changed the last byte of the execution string from ‘e’ to ‘d’ to make sure that nothing malicious will eventually run.

Figure 5 shows the code used to do that

Figure 5

In the beginning of the shellcode’s execution, the code calls a function in relative offset 0x129. The call is shown in Figure 6.

Figure 6

The function, shown in Figure 7 is what seems to be resolving of function addresses.

The highlighted section in Figure7 is the resolving of a single function, using a help function embedded in the Shellcode (at relative offset 0x59).

Figure 7

Once the attackers finished with the perquisites, the shellcode reaches the final stretch. The shellcode creates a process with the relevant parameters. The ‘call’ instruction highlighted in Figure8 calls the address pointed by ebp-24h which is CREATEPROCESSASTUB.

Figure 8

At that point, the address pointed by ESP+0x4 (see figure9) should look familiar to us. We’ve examined that memory to get the final approval.

Figure 9

That memory address does hold the commandline that we expected to see.

Decompiling the SWF resulted ActionScript and two binary data blobs. Those blobs are used as classes in the script and both are shellcodes. One is 32-bit shellcode while the other is 64-bit.

Figure 10 shows the ActionScript that checks the architecture and calls the appropriate function in accordance with the architecture.

Figure 10

That interesting vulnerability is not the first Flash exploit we encounter and probably not the last either.

When this file was initially submitted to VirusTotal towards the end of November, it had an extremely low detection rate. Today, almost any engine on it detects the file. 

Figure 11

BitDam’s proactive approach allows the detection of such threats from day one, with no need to update signatures when an attack is at your gates, or worse, already entered your organization.

Read more
Maor hizkiev
Maor hizkiev
3 minutes & 2 seconds read · November 29, 2018

Migration to O365: Did you think about everything?

Here are the key reasons why organizations of all sizes should consider migrating to O365:

O365 Migration: Don’t worry about servers and maintenance

Whether you have a small organization or a large enterprise, you don’t need to worry about monitoring your email servers for disk space, network issues and other problems. You can rest assured that Microsoft’s O365 has several fail-safe mechanisms that will do the job, without you even knowing.

O365 Migration: Getting updates seamlessly

Updating your systems is probably the most important practice an organization should adopt. O365 is being updated on a daily basis with bug fixes, security patches and new features. IT doesn’t need to chase after never ever ending patches.

O365 Migration: Deploying and managing email apps is easy

Want to test a new productivity application for the user’s inboxes? Need to add an email management tool? Just go to the O365 AppSource, and with a few clicks you can give any application a try.

O365 includes built-in spam filtering (SPF checking, blacklisted IPs)

O365 provides the basic spam filtering which everyone needs. i.e. SPF checking that verifies that the email came from a legitimate email server. In addition, since O365 serves millions of users worldwide, it can easily classify IPs which are used to spread spam and blacklist them to prevent them from reaching your organization.

No need for a VPN with O365 – access your email from anywhere

Using O365, users don’t need to connect to VPN in order to access their mailbox. Making this access easier helps users to simply reach their mailboxes from anywhere, thus improving productivity.

Migrating to O365 – here we come!

So you understood the benefits and got to a conclusion that it’s time for your organization to migrate to the cloud. You’ve also selected the right solution for you – Microsoft Office 365. You even contacted a vendor like RackSpace, AvePoint or CodeTwo to help you with that.

So what’s missing?

One thing that is clearly missing in that picture is advanced security solutions. While traditional on-premise email solutions are surrounded by an entire ecosystem of security solutions of all types and levels, when it comes to O365, securing mailboxes is still a challenge. Although there are various of security solutions in place, integrating them with O365 is not as simple as you would expect. Bottom line, organization that migrate to O365 struggle to secure their mailboxes as they wish to do.

If you face this challenge too, I recommend you to check out the BitDam solution which protects organizations of all sizes against email-born attacks (which, by the way, represent more than 90% of cyber-attacks). BitDam’s cloud-based Advanced Threat Protection solution proactively detects attacks, pre-delivery, preventing hardware and logical exploits, ransomware, spear-phishing and Zero-Day attacks contained in files and/or URLs. It’s fully integrated with O365, available on Microsoft Azure Marketplace, and can be deployed in a matter of minutes.

What is BitDam?

The BitDam solution is based on a unique attack-agnostic technology which shows remarkably higher protection. In a nutshell, it learns the normal code-level executions of business applications and determines whether a given file or weblink is malicious.

But what’s most important about it is that BitDam shows significantly higher detection rates than all other solutions. In practice, it already blocked dozens of attacks that some leading security solutions fail to uncover.

I encourage you to try it yourself. Upload your most sophisticated malware file to our BitDam Total free file scanning service and get an immediate result.

So don’t jeopardize your organization’s security just because you moved to the cloud. Make sure that your users are protected from the sophisticated attacks going around every day.

Read more
David Ben Shabat
David Ben Shabat
2 minutes & 39 seconds read · November 22, 2018

Welcome BitDam Dashboard

I need to confess – I love data, and I love how data can be turned into insights. Coming from a data analytics and visualization background, I find it super important to make data accessible to my customers. That’s why we’ve spent the last few weeks on creating a new dashboard that analyzes raw data from our system and provides users with actionable insights.

So… I’d like to share with you the highlights of BitDam’s new dashboard:

Overview Page

This is mainly for the IT manager. Here you get a high-level view of BitDam’s system performance and its real-time status in a quick glance. No more digging and inspecting for every small issue. The Overview Page allows you to easily understand the number of scanned emails, malicious files found, the distribution over time and split between file types.

Why do you need this page? Within a few seconds, you can understand the system status, make sure there are no delays and confirm that BitDam works as expected. You can also recognize trends or become aware of hot threats. On the day-to-day you can give it a quick look and move on. If an email is being delayed in the pipeline, you can easily release it. And if your organization is under attack, be assure that you’ll see it right away in the Overview Page.

Emails Page

As a SOC expert, you’ll receive a real-time alert any time that BitDam detects malicious content. But as a SOC expert, you also want to know more when there are malicious emails going around your organization. That’s why we created this page. Here you can check what exactly is going on. In this page you’ll quickly see who’s the sender, who was supposed to receive the malicious email and how many of those emails are out there.

How do you use it? Start with a high-level view of all blocked, clean and released emails ordered by priority. Then drill down easily to further investigate specific email. You can verify that it’s not a False Positive, download the malicious file, extract Indicators of Compromise (IOCs), pinpoint affected mailboxes and more.

Files Page

At some situation you might want to look at files rather than emails. That’s why we created the Files Page. Here you can perform a variety of actions on files (similar to the ones you’d do in the Emails Page) in order to learn more about the specific attack.

How do you use it? Typically, you will start by having a look at the list of malicious files. From here, you can further investigate specific files, drilling down to how they were delivered and what made BitDam flag them as malicious.

You can also upload files manually for scan on this page. In case you find a suspicious file, or want to compare BitDam’s detection to another solution, you can do it easily from here. You’ll get the scan result with indications on what’s wrong with the file, within a few seconds.

What’s next?

If you’re already a BitDam user, login to the dashboard and check out the new. And if you’re not a BitDam user yet. Mmm…than it’s time to try it.


Read more
Roy Rashti
Roy Rashti
3 minutes & 1 second read · November 20, 2018

Thanksgiving malware campaign

Happy thanksgiving… or is it?

In the last few days, BitDam detected several different malicious files that drop malware, many with names related to Thanksgiving.

The files, holding names such as “Thanksgiving-wishes.doc”, “Thanksgiving-greeting-card.doc” or “Greeting-Card-Thanksgiving-Day.doc”, pretend to be a nice and innocent Thanksgiving card.

A quick glance shows that when BitDam detected those files, they all had relatively low detection rate on VirusTotal (around 6% detection rate). This number is obviously growing as we speak. Why? As these files became popular, other engines adjusted their signatures to detect them.

I was interested to see what differs in those files that made them harder to detect. I randomly picked one – (Sha1 09b4a05719b24789c2a0511184ccd8ffc0a08ea0; Sha256 ed642de0c3636ede6a55294dd38d44a91ca69b07f9ce5d11cfbcf5f84b32aa2f), and here are the findings:

Attack analysis

When opening the file, it shows a screen that tries to lure the user into enabling macros as shown in Figure1.

Figure 1

A quick glance into the macro shows an ‘AutoOpen’ function that will run as soon as the file is loaded. The function contains obfuscated code. The attackers are using mathematical operations such as Sin, multiplication, division and so on.

Seeing such techniques is not rare when it comes to code obfuscation. I’m sure that most engines are used to handle such techniques. However, there was something that did catch my eye; It seems that the attackers tried to hide something inside an OLE object.

The code shown in Figure2 highlights the access to the text inside this object.

Figure 2

Let’s roll back for a second. If we take a closer look at Figure1, or the screen we see when the document is loaded, we can see something odd in the top left corner. I highlighted it in Figure3.

Figure 3

That small black square is a text-box. Enlarging the text-box reveals its actual value, which is an obfuscated CMD line, shown in Figure 4.

Figure 4

In the end of the function, the VBA script executes a command prompt with the data shown above. It’s easy to spot the ‘^’, which is used as an escape character and in this case – used to fool static scans.

My personal opinion is that using the text-box object and accessing it through code is the differentiator that helped the attackers bypass many solutions at this time.

The obfuscated CMD line is used to start a Powershell process with the code shown in Figure 5.

Figure 5

I think that the code is self-explanatory; The attackers try to download the payload from the following domains-






The payload (Sha1 38eba0f30f4ae52916ba75f10d30376c675bda6e, Sha256 db5794255ef6c3f576d39fc8b69ec3af020a1a30dcacfbc25c6fa176fe40445e) seems to be Emotet, one of the famous malwares of 2018.

Here are some other droppers using similar techniques (Sha1s):

  • 7482ff036f86b35288fdd78bb159e883f911f08f
  • 747c1de46ef95cf12543a0c9e61529fdad9da96b
  • bb277708c03a5f3d4b76f82563a68312a6424981

How come it wasn’t detected?

How come that this attack bypassed 94% of the engines listed on VirusTotal? I guess that being reactive rather than proactive makes the big different. Again. Unlike other solutions, BitDam detects any malicious file, no matter if it’s known, a variation of a known file or completely unknown. Check it out yourself for free here.

Read more
Too old to be detected
Roy Rashti
Roy Rashti
3 minutes & 12 seconds read · October 18, 2018

Too old to be detected

Back in 1992, when Personal Computer were not yet a common property, Microsoft attempted to base their stance as pioneers in the new emerging industry of office tools for PCs as they released Excel 4.0.

As part of their offering in that version, XLM was the default macro language used in Excel 4.0. XLM provided the users with a broad functionality to analyze and edit workbooks.

XLM provides a toolset relatively similar to the VBA (Visual Basic for Applications) that is vastly used these days. Among others, it lets the user load DLLs into the applications, run external software and so on.

Macros are a known attack vector

Due to the capabilities of the macros, using it to attack is a path most traveled by attackers these days. It’s very common to see a VBA code that automatically executes being used as a first-level attack surface.

The XLM is embedded in the workbook while the VBA is an external ole stream which makes it easier to analyze and extract.

As a result, solutions that aim to protect end users from such threats have learnt to deal with VBA-embedded attacks.

How many protection systems would detect such attack?

To demonstrate how this may work, I’ve created a simple ‘doc’ file with a malicious VBA code.

That code runs on startup launches a CMD that starts a Powershell process. That Powershell tries to download and execute an executable file. It briefly looks as shown in Figure 1

Figure 1

I used the VirusTotal platform to check if existing solutions would detect it. Although this might not be the ultimate way to benchmark, it’s quite reliable and can provide us with a significant feel about the detection rate of a file.

When I uploaded this file to VirusTotal, it showed about 40% detection (shown in Figure2).

Less than we’d expect, but it feels safe to say that substantial amount of solutions were able to notice the maliciousness present in this file.

Figure 2


Next: challenging detection engines with malicious XLM

Following that result, I was intrigued to see how the engines in VirusTotal will handle an XLM attack similar to the VBA one.

XLM macro is based on formula commands. One can use loops, call external DLL’s functions and a variety of commands supported by the engine executing the macro.

I created the following XLM macro in a macro enabled sheet, shown in Figure 3.

Figure 3

The “Name Manager” that you can see in Figure 4 allow us to control aliases given to registered functions in the module. I registered the top left cell as the entry point for the predefined ‘Auto_Open’ function that runs automatically when the file is being loaded.

Figure 4

The Powershell command executed here is exactly the same as the one before.

Testing this file in VirusTotal resulted the concerning result shown in Figure 5; zero detection!

Figure 5


Old attacks may be more dangerous than you’d think

Just imagine how easy it could be to attack someone using this simple mechanism that although old, still works. But you know what – I wasn’t so surprised. The inability to handle such attacks is originated in the fact that those kinds of attacks were not seen before by these cybersecurity vendors.

Most current solutions base their detection mechanism on attack structures that they have seen in the wild. Therefore, if an attack was not seen in the past years, it might not be detected.

XLM might be very old technology but it is still supported and can still be used to get a stranger inside your computer.

The horrifying part of it: an attack that was created back when I was born can still cause harm.

BitDam’s unique engine is completely agnostic to the structure of the attack and thus is able to detect attacks, whether it’s known or unknown, new or super-old, from the very first day it’s deployed.

Read more
Liron Barak
Liron Barak
1 minute & 31 seconds read · August 23, 2018

Does Your Cyber-security Measure Up?

CISOs today find it difficult to gage how well the organisation is protected against attack. Enterprise security typically comprises multiple dedicated solutions, spanning across different security needs, technologies and organisational teams. One of the key challenges in achieving an integrated security assessment, is gaining an understanding of existing security gaps and what is needed to close them.

Security statistics can help illustrate some of the hurdles facing CISOs in assaying security readiness.  Organisations are reportedly receiving 1 malicious file for every 300K emails delivered. Over the past year, BitDam has encountered a ratio of 1 malicious file for every 5K-50K emails. This ratio changes between vertical markets, and depends on whether the organisation utilizes a SPAM filter responsible for eliminating most of the trivial attacks or not.

This gap between the different email attack vulnerabilities illustrates the difficulty of measuring up cybersecurity in an organisation.  Security penetration tests may be helpful in determining the effectiveness of your combined security tools, to identify strengths and weaknesses. We’ve created a simple penetration test available online to give you a sense of  your current level of security. The BitDam Email GW security penetration test lets you assay your existing security tools’ ability to detect and prevent advanced content-borne cyber attacks. And all that is done in 3 simple steps.

The BitDam PenTest

Upon providing a testing email address, BitDam will send a controlled penetration test that includes a series of advanced cyber attacks. These attacks are embedded in files that are sent to your designated account. Attack emails that are delivered to your test inbox indicate a failure point in your cyber-security. The BitDam PenTest report provides test result details that will give you insights into the strengths and weaknesses of your content security readiness across your communication channels.

Its safe and free.  Sign Up for the BitDam Pentest

Read more
Maor hizkiev
Maor hizkiev
1 minute & 24 seconds read · August 23, 2018

Leveraging Your Application’s Own Code to Protect Against Attack.

Every content-borne cyber attack starts when malicious code, embedded in files and links, is being launched by applications and executed on the machine.

Most content security solutions focus on identifying the structure or behaviour of attacks. Thus, these security approaches are limited in their ability to detect unknown threats or overcome sophisticated evasion techniques, which leaves organizations vulnerable to today’s advanced content-borne cyber attacks.

BitDam proactive security delivers a new paradigm in content-security. Focusing on the standard applications that open malicious files and links, BitDam is the only solution in the market that prevents attacks from running alien code. This way it protects against any exploit, any ransome threat, and any known or unknown vulnerability.

Standard business applications such as Microsoft Office Suite (Word, Powerpoint, Excel), Adobe PDF, and Internet Browsers are based on quality assured code. Code that was developed and supported by known software vendors. BitDam’s technology is based on that assumption. The company’s deep application learning and alien code detection ensure that only valid code is executed when opening files and links on our machines.  If an attempt to run alien code is detected, BitDam immediately recognizes it as an attack and blocks it.

BitDam automatically learns the legitimate behaviour of any application. It continuously maps CPU-level code paths to detect any deviation from them. Since it benchmarks code flows launched by files and links with authorised application code flow, BitDam’s content security is unaffected by changes in attack techniques.

Performed in the BitDam Cloud,  our unique security approach makes it possible to forever protect applications and prevent any content-borne attacks before they are delivered. This approach ensures that all files and links are safe to click.

Read more
Maor hizkiev
Maor hizkiev
1 minute & 4 seconds read · August 23, 2018

Make Cloud Hosted Office 365 Immune to Content-Borne Attacks.

Office 365 has become one of the most popular cloud-based Software-as-a-Service (SaaS) products for businesses.

Organisations of all sizes, verticals and regions are migrating their on-premise exchange Email servers to the cloud-based Office 365 (O365). They do so to gain the benefits of scalability, cost reduction, and to eliminate data loss while reducing ongoing updates and service overhead. When migrating to the cloud, organisations need to replace existing on premise security tools with cloud-based security services. These cloud-based services need to be fully integrated with 0365 while minimising friction within the organisation.

BitDam is a cloud-based content cyber security service that protects email from advanced content-borne attacks. It provides organisations that use O365 with advanced detection and prevention of malicious attachments. The solution is fully integrated with O365 as well as other cloud-based providers. BitDam’s cloud-based content security service employs O365 APIs to protect the organisation’s email – and secure email gateways against attacks embedded in URL’s and files.

BitDam’s solution seamlessly integrates with existing IT infrastructure. Its on-boarding is easy, requiring no changes to security infrastructure policies, or processes. It is typically deployed in a non-intrusive mode. During our POC, acquiring a copy of organizational traffic is usually completed in under 5 minutes and protection of all email traffic commences immediately.

Sign up for BitDam Cloud Trial.

Read more
Liron Barak
Liron Barak
1 minute & 54 seconds read · August 23, 2018

BitDam Eliminates the Collaboration Content-Security Tradeoff

Content sharing is everywhere.

The number of collaboration channels that we use to share files and links keeps growing…Starting with email services such as Gmail and Microsoft O365, through web drives like Box, Dropbox and Google Drive and up to instant communication channels including Zoom, Skype and Slack. There is no doubt that content sharing is everywhere and we use it more than ever. However, when embedded within communications that look innocent, the same files and links are also the main entry point for targeted and advanced attacks.

Collaboration channels as an entry point for attackers

Up to 90% of cyber threats handled by IT and security teams in the the past 12 months, entered organisations as email attachments, links, or via web-based drives. In addition, content-borne attacks are increasing in both volume and severity. Data breaches are doubling annually. Moreover, email spam grows by 100% every month, with over 80% of these communications containing ransomware.

Attackers also become more sophisticated. Ever changing malware with ‘moving parts’, ‘barely-there’ sleep mode strategies while scanning, among other evasion techniques, all aim to bypass security solutions in order to attack organisations. In addition, today’s attacks are identified in the wild for under 24 hours only. This makes existing security approaches – that react to known attacks – untenable when attempting to prevent ever evolving content borne cyber attacks.

A new approach to content security

BitDam proactive content security service makes it possible to immediately detect and block both known and unknown attacks in links and file attachments. The result? eliminating the collaboration and security tradeoff.

BitDam couples deep application learning with alien application code flow detection. Based on that, it stops illegal attack code hidden in links and documents from being run by enterprise applications. BitDam proactive cybersecurity delivers the highest detection rates of advanced attacks launched from within the communication stream. No need for ongoing security updates or patches. By nature, BitDam protects applications forever. Our content-security approach is capable of meeting today’s content-borne cyber threats, preventing the full range of logical exploits, hardware vulnerabilities, macro-based attacks, ransomware, malware, APTs, spear phishing, one day, and zero day attacks.

By preventing advanced content-borne threats across all enterprise communication channels, BitDam empowers organisations to collaborate safely. To lean more, contact us or try it on your own.

Read more
Liron Barak
Liron Barak
0 minutes & 59 seconds read · August 20, 2018

Introducing BitDam Total: Detect Advanced Cyber Threats Online

BitDam Total is a free file scanning service for malware that enables the detection of advanced content-borne attacks.

The service scans all standard document formats including PDF, DOC, PPT, XLS, and ODP among others. It detects sophisticated and advanced threats previously undetected by other scanning services. BitDam Total addresses the growing need for content security scanning that can determine whether a file is malicious before it is opened, to thwart today’s advanced threats. While Anti-Virus scanning services exist, they provide only a partial solution as they focus primarily on known attacks and signature based detection methods. What’s missing are scanning services that can detect and block any exploit, any payback and any known and unknown vulnerability.

Used online, BitDam Total detects malicious files that contain both known and unknown threats within seconds. No payment and subscription needed. Our proactive attack prevention couples deep application learning with alien code flow detection, making it possible to immediately identify malicious files. These include the full range of logical exploits, hardware vulnerabilities, macro-based malware, ransomware, spear phishing, one day, and zero day attacks.

Try BitDam Total, to experience the BitDam advantage yourself. Scan a file. Its simple and free.

Read more

Schedule a Demo

Enter your email to get a free trial invitation