The insurance, telecoms, and financial service sectors are being targeted by malicious actors spreading Zyklon malware. A large-scale spam email campaign has been detected that leverages three separate Microsoft Office vulnerabilities to download the malicious payload.
Zyklon malware is not a new threat. The malware variant was first detected at the start of 2016, but it stopped being detected soon after and was not extensively used until the start of 2017.
Zyklon malware is a backdoor with a wide range of malicious functions. The malware acts as a password harvester, keylogger, and data scraper, obtaining sensitive information and stealing credentials for further attacks. The malware can also be used to conduct DoS attacks and mine cryptocurrency.
The latest variant of Zyklon malware can download and run various plugins and additional malware variants. It can identify, decrypt, and steal serial keys and license numbers from more than 200 software packages and can also hijack Bitcoin addresses. All told, this is a powerful and particularly nasty and damaging malware variant that is best avoided.
While the latest campaign uses spam email, the malware is not included as an attachment. A zip file is attached to the email that contains a Word document. If the document is extracted, opened, and the embedded OLE object executed, it will trigger the download of a PowerShell script, using one of three Microsoft Office vulnerabilities.
The first vulnerability is CVE-2017-8759: A Microsoft NET vulnerability that was patched by Microsoft in October.
The second ‘vulnerability’ is Dynamic Data Exchange (DDE) – a protocol part of Office that allows data to be shared through shared memory. This protocol is leveraged to deliver a dropper that will download the malware payload. This vulnerability has not been patched, although Microsoft has released guidance on how to disable the feature to prevent exploitation by hackers.
The third vulnerability is far older. CVE-2017-11882 is a remote code execution flaw in Microsoft Equation Editor that has been around for 17 years. The flaw was only recently identified and patched by Microsoft in November.
The second stage of infection – The PowerShell script – serves as a dropper for the Zyklon malware payload.
According to the FireEye researchers who identified the campaign, the malware can remain undetected by hiding communications with its C2 using the Tor network. “The Zyklon executable contains another encrypted file in its .Net resource section named tor. This file is decrypted and injected into an instance of InstallUtiil.exe, and functions as a Tor anonymizer.”
Campaigns such as this highlight the importance of applying patches promptly. Two of the vulnerabilities were patched in the fall of 2017, yet many organizations have yet to apply the patches and remain vulnerable. If patches are not applied, it will only be a matter of time before vulnerabilities are exploited.
FireEye researchers have warned that while the campaign is currently only targeting three industry sectors, it is probable that the campaign will be widened to target other industry sectors in the near future.
The advice is to implement an advanced cloud-based anti-spam service such as SpamTitan to identify and quarantine malicious emails, and ensure that operating systems and software is kept up to date.