Zyklon malware proliferating via MS Office security loopholes By Will Wisser Posted on December 15, 2018 1 min read 0 8,520 The malware called Zyklon has taken cyber attacks to a new level, engaging intricate exploit-based distribution and a wide range of malicious capabilities. The evolution of malicious software has spawned strains that exhibit unparalleled stealth and versatile functionality. Zyklon, a sophisticated malware sample that surfaced in early 2016, exemplifies this transition to the fullest. It zeroes in on high-profile targets, with its nefarious activity making itself felt primarily in the financial services, telecom, and insurance sectors of economy. Malicious functions Whereas selective targeting isn’t a new thing in the cybercrime ecosystem, the mechanisms Zyklon leverages to achieve its goals make it stand out from the crowd. Technically, it is a backdoor whose portfolio spans keystroke logging, password theft, and DDoS attack deployment. Furthermore, it can download and run harmful plugins that siphon off the contaminated host’s CPU power to mine cryptocurrency behind the victim’s back. The infection is also capable of interacting with its Command & Control server over the tamper-proof Tor network. Spreading mechanism The current propagation logic of the Zyklon malware boils down to harnessing Microsoft Office vulnerabilities. Security analysts have recently discovered a campaign that takes advantage of three known Office flaws. The starting point of the attack is a phishing email tailored to align accurately with the target’s business model. This approach increases the odds of the recipients opening the message and getting on the hook for further manipulation. The gist of this attack vector is all about the object attached to the tricky email. It is a ZIP archive with an eye-catching name that contains a booby-trapped DOC file. The latter, when opened by an unsuspecting user, will trigger the infection chain by exploiting one of the notorious Microsoft Office vulnerabilities that will be described further down. This sets in motion a PowerShell script then covertly downloads all the components of Zyklon from the adversaries’ C&C. Exploiting vulnerabilities Now, let’s take a deeper dive into the specific security flaws utilized by Zyklon. The first one is a .NET framework vulnerability catalogued as CVE-2017-8759. In this scenario, the virus-tainted DOC email attachment arrives with an OLE (Object Linking and Embedding) element on board. Once executed behind the scenes, this entity downloads another contagious file from a predefined URL, which does the rest of the malware depositing job. One more exploit that plays into Zyklon authors’ hands is known as CVE-2017-11882. It denotes a memory corruption bug in the Microsoft Equation Editor tool. Ironically, this is an 18-year-old flaw that continues to put unpatched systems at risk via stack buffer overflow and an ensuing possibility of remote code execution. Similarly to the above technique, the contamination mechanism involves an extra download of a malicious object from a hard-coded URL. How does vulnerabilities exploited Finally, the crooks who have masterminded the Zyklon backdoor propagation campaign are employing a vulnerability in Microsoft Office Dynamic Data Exchange (DDE), a technique maintaining interprocess communication. Codenamed KB4053440, this flaw allows the malefactors to run code on targeted machines remotely. This way, they drop and execute a PowerShell script, which props up the attack by downloading another payload, a Base64 encoded file named Pause.ps1. Once decoded, the resulting shellcode requests the final executable from the C&C server, then downloads and launches it on the host. Notice the multi-layered attack mechanism that engages secondary payloads prior to triggering the main one. This is an obfuscation and AV evasion tactic. Whilst raising no red flags, Zyklon harvests browser, email and FTP passwords, retrieves license keys for popular software, and uploads this data to its central server. It also hijacks the clipboard and substitutes the victim’s previously copied Bitcoin address with one belonging to its operators. To top it off, the pest downloads plugins that surreptitiously mine cryptocurrency. Conclusion All in all, Zyklon is a competently crafted piece of malware with some clever distribution tricks up its sleeve. Avoiding the above attack vectors is a matter of proactive security, which comes down to applying software patches as soon as they are rolled out and conducting phishing awareness training of your personnel.