Zyklon HTTP malware creates gaping backdoors through MS Office exploits

22 Jan 2018

Telecommunications, insurance and financial service providers are the latest targets of a multi-feature backdoor malware called Zyklon, which can conduct a number of different attacks from DDoS to keylogging.

Researchers Swapnil Patil and Yogesh Londhe from FireEye explain that while Zyklon has been in the wild since 2016, the recent wave is delivered as attachments to spam emails.

Zyklon HTTP malware is described as a publicly available, fully featured backdoor that can conduct DDoS attacks, steal passwords, act as a keylogger, update and remove itself, and act as a downloader for additional plugins.

The malware sells for between $75 and $125 on underground marketplaces.

The latest wave arrives as a spam .ZIP attachment. That attachment contains a malicious .DOC file.

“The document files exploit at least three known vulnerabilities in Microsoft Office, which we discuss in the Infection Techniques section. Upon execution in a vulnerable environment, the PowerShell based payload takes over,” the researchers explain.

They go on to say that the PowerShell stage downloads the final payload from the command-and-control centre and executes the malware.

The malware uses two specific vulnerabilities to infect machines. The first, CVE-2017-8759, enables an attacker to use a malicious document for remote code execution.

The second, CVE-2017-11882, is a recently discovered vulnerability affecting various versions of Microsoft Office: 2016, 2013, 2010 and 2007.

It is catalogued as a ‘Microsoft Office Memory Corruption Vulnerability’ and allows an attacker to run code in memory.

The researchers also say that Zyklon uses the Tor network for its command-and-control communication.
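The delivery chain the researchers describe (a spam ZIP wrapping an Office document, the document exploiting Office, and PowerShell fetching the real payload) can be screened for at the mail gateway before any exploit runs. The following Python is an added example, not code from FireEye or from the article: it unpacks a ZIP attachment in memory and flags members that are Office documents by extension or by content signature, and separately flags members whose extension disagrees with their content. The archives, file names and member contents are constructed for the demonstration, and the extension list goes beyond the single .DOC the article names.

```python
"""Mail-gateway triage for a ZIP attachment that wraps an Office document.
Added example; not FireEye's or the malware's code. The sample archives are
constructed in build_sample_zip() and build_clean_zip()."""
import io
import zipfile
from typing import Dict, List, Optional

# Document types commonly used as exploit carriers. Assumption: the article
# names only .DOC; the others are listed so the check generalises.
DOC_EXTENSIONS = (".doc", ".docx", ".docm", ".dot", ".rtf", ".xls", ".xlsm", ".ppt")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .DOC/.XLS compound file
RTF_MAGIC = b"{\\rtf"                              # RTF wrapper used around Office exploits
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx) or a nested archive


def sniff_document(head: bytes) -> Optional[str]:
    """Classify a member by its leading bytes rather than trusting its name."""
    if head.startswith(OLE_MAGIC):
        return "ole"
    if head.startswith(RTF_MAGIC):
        return "rtf"
    if head.startswith(ZIP_MAGIC):
        return "zip-container"
    return None


def triage_zip_attachment(zip_bytes: bytes) -> List[Dict[str, object]]:
    """Return one finding per member that is, or claims to be, a document.

    Each finding records the extension verdict, the content verdict and
    whether they disagree. Disagreement (an OLE file called .txt, a .doc
    that is really plain text) is a masquerade signal; nested archives are
    flagged as well because the content sniff recognises them."""
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # enough for every magic value above
            ext_is_doc = info.filename.lower().endswith(DOC_EXTENSIONS)
            content = sniff_document(head)
            if ext_is_doc or content is not None:
                findings.append({
                    "member": info.filename,
                    "ext_is_doc": ext_is_doc,
                    "content": content,
                    "mismatch": ext_is_doc != (content is not None),
                })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the spam wave: a ZIP wrapping a .DOC."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", OLE_MAGIC + b"\x00" * 504)
        zf.writestr("notes.txt", OLE_MAGIC + b"\x00" * 504)  # OLE hiding behind .txt
        zf.writestr("readme.txt", b"please see the attached invoice")
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed sample with no document-like member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.csv", b"date,amount\n2018-01-22,42\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip_attachment(build_sample_zip()):
        print(finding)
```

Only the first eight bytes of each member are read, so the check is cheap enough to run on every inbound archive; a member that is flagged with `mismatch` set is the one a gateway should quarantine first, since the sender is already lying about what the file is.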

Researchers say that Zyklon can download additional plugins that include:

Browser Password Recovery, which can recover passwords from popular web browsers including Google Chrome, Mozilla Firefox, Apple Safari, Internet Explorer, Comodo Dragon Browser, Opera Browser, Chrome Canary/SXS, CoolNovo Browser, Flock Browser, SeaMonkey Browser and SRWare Iron Browser.

FTP Password Recovery, which can steal passwords from FTP applications including FileZilla, Dreamweaver, SmartFTP, FlashFXP, FTPCommander and WS_FTP.

Gaming Software Key Recovery, which steals keys from games including Age of Empires, FIFA, Call of Duty, NFS, The Sims, Quake, Half-Life, IGI and Star Wars.

Email Password Recovery, which can steal passwords from Microsoft Outlook and Microsoft Outlook Express, Mozilla Thunderbird, Windows Live Mail 2012, Incredimail, Foxmail, Windows Live Messenger, MSN Messenger, Windows Credential Manager, Google Talk, Gmail Notifier, PaltalkScene IM, Pidgin Messenger and Miranda Messenger.

Licence Key Recovery, which steals serial keys from popular software including Adobe, Microsoft Office, SQL Server and Nero.

Socks5 Proxy, which can create a reverse Socks5 proxy server.

The Zyklon malware can also hijack a user’s clipboard and replace a copied Bitcoin address with one from the Zyklon control server.
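The clipboard substitution above works because the swapped-in address is itself a well-formed one, so a syntax check on the pasted text proves nothing; the only usable signal is that what the user copied no longer matches what the clipboard holds. As an added example (not from the article or FireEye), the following Python validates legacy Bitcoin addresses with Base58Check and reports a swap when the copied and pasted strings are both valid addresses but differ. The addresses it works with are constructed from placeholder hashes, not real wallets.

```python
"""Detect a clipboard swap of a Bitcoin address. Added example; not from the
article or FireEye. Addresses are constructed from placeholder hashes."""
import hashlib
import re
from typing import Optional

ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
LEGACY_RE = re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}")


def _sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(version: int, payload: bytes) -> str:
    """Version byte + payload + 4-byte double-SHA256 checksum, in base58."""
    body = bytes([version]) + payload
    data = body + _sha256d(body)[:4]
    n = int.from_bytes(data, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(ALPHABET[rem])
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))  # each becomes '1'
    return "1" * leading_zeros + digits[::-1].decode()


def base58check_decode(addr: str) -> Optional[bytes]:
    """Return version+payload (21 bytes) if the checksum verifies, else None."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch.encode())
        if idx < 0:
            return None
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(addr) - len(addr.lstrip("1"))
    data = b"\x00" * leading_ones + raw
    if len(data) != 25:
        return None
    body, checksum = data[:21], data[21:]
    return body if _sha256d(body)[:4] == checksum else None


def is_valid_legacy_address(addr: str) -> bool:
    """Syntax check plus checksum; version 0x00 (P2PKH) or 0x05 (P2SH)."""
    if not LEGACY_RE.fullmatch(addr):
        return False
    body = base58check_decode(addr)
    return body is not None and body[0] in (0x00, 0x05)


def clipboard_swapped(copied: str, pasted: str) -> bool:
    """A swap is when the user copied one valid address and the clipboard now
    holds a different, equally valid one. Both sides pass every format check,
    which is why the comparison has to be against what was originally copied."""
    copied, pasted = copied.strip(), pasted.strip()
    return (copied != pasted
            and is_valid_legacy_address(copied)
            and is_valid_legacy_address(pasted))


if __name__ == "__main__":
    # Constructed addresses: placeholder 20-byte hashes, not real wallets.
    mine = base58check_encode(0x00, b"\x01" * 20)
    other = base58check_encode(0x05, b"\x02" * 20)
    print(mine, other, clipboard_swapped(mine, other))
```

The practical lesson for users is the same one this code encodes: compare the address you paste with the one you copied, character by character, before sending funds. A checksum only tells you that an address is well-formed, never that it is yours.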
