Cybercriminals are exploiting Microsoft Office Vulnerabilities to distribute Zyklon Malware in a recent spam campaign targeting telecommunication, insurance, and financial services.
The malware is designed to recover passwords from popular web browsers, PC gaming software, and email services among other software. The malware automatically detects and decrypts the license/serial keys of more than 200 popular pieces of software, including Office, SQL Server, Adobe, and Nero, according to a Jan. 17 Trend Micro blog post.
The malware is publically available and has been observed in the wild since early 2016 providing threat actors sophisticated capabilities such as a full-featured backdoor capable of keylogging, the ability to execute additional plugins like cryptocurrency miners, conduct distributed denial-of-service (DDoS) attacks, self-update and self-removal.
Zyklon is spread via malicious spam attachments in a ZIP file containing a DOC file that exploits at least three known vulnerabilities in Microsoft Office including CVE-2017-8759 and CVE-2017-11882. The malware communicates with its command and control (C2) server over the Onion Router (Tor) network and provides a very efficient mechanism to monitor the malware’s spread and impact.
“What stands out the most to me is that the Zyklon malware is being packaged with pricing tiers based on features,” Chris Morales, Vectra’s head of security analytics, told SC Media.
Threat actors could purchase the normal build of the malware for $75 or the Tor-enabled build for $125 as well as updates for $15 all of which is payable on Bitcoin.
Morales said the malware is a very capable piece of code, yet it exhibits a sequence of common attacker behaviors similar to any other attack with the intent to infect, spy, spread, and steal information and that he has seen many attacks now leveraging TOR for outbound communication and PowerShell for malware updates.
He added that the Windows vulnerabilities used for Zyklon appear to have first been observed in the wild through the detection of another piece of malware, meaning we have no idea how long attackers have known about the vulnerability or when they developed an exploit.
“This is true of every vulnerability ‘discovered and published’ by a threat researcher or security company. Attackers are not keen to publish or share any type of information they already have, and they could sit on this information for a very long time before leveraging an exploit for a vulnerability in a new piece of malware,” Morales said.
Experts agreed. Meni Farjon, co-founder and chief technology officer of SoleBIT Labs, told SC Media the vulnerabilities picked by the threat actors behind the malware are unique as they all share the common characteristic of being 100 percent reliable across almost all Windows versions.
“Normally, code execution exploits combine memory based corruptions, which can lead to unreliable situations on some victims PC’s, and failing to infect,” Farjon said “These vulnerabilities do not corrupt the memory and are almost fully ‘logical.’”
Farjon added that the bugs will even work on a 10 year-old Windows system ensuring extremely high reliability over infections and demonstrates that the actors behind Zyklon are preparing for a massive campaign at one point or another. Lenny Zeltser, vice president of products at Minerva Labs, told SC Media, the approach used in the malware campaign demonstrates some of the ways that adversaries bypass information security defenses and that using Microsoft Office documents together with PowerShell, as well as employing memory injection, is often effective against detection-based anti-malware tools.
“Don’t get me wrong: There is clearly a need for some form of baseline anti-virus protection,” Zeltser said. “However, enterprises should consider ways of augmenting such defenses, for instance by employing technology that makes it harder for the attacker to evade detection.”