sb-eu logo
Story image

Zyklon HTTP malware creates gaping backdoors through MS Office exploits

22 Jan 2018

Telecommunications, insurance and financial service providers are the latest targets of a multi-feature backdoor malware called Zyklon, which can conduct a number of different attacks from DDoS to keylogging.

Researchers Swapnil Patil and Yogesh Londhe from FireEye explain that while Zyklon has been in the wild in 2016, the recent wave is attaching to spam emails to deliver its malware.

Zyklon HTTP malware is described as a publicly-available and fully featured backdoor that is able to conduct DDoS attacks, steal passwords, act as a keylogger, update and remove itself; and acts as a downloader for additional plugins.

The malware can range from $75-$125 on underground marketplaces.

The latest wave arrives as a spam .ZIP attachment. That attachment contains a malicious .DOC file.

“The document files exploit at least three known vulnerabilities in Microsoft Office, which we discuss in the Infection Techniques section. Upon execution in a vulnerable environment, the PowerShell based payload takes over,” Researchers explain.

They go on to say that PowerShell is able to download the final payment from the Command & Control centre to execute the malware.

The malware uses two specific vulnerabilities to infect machines: The first vulnerability CVE-2017-8759 enables an attacker to use a malicious document for remote code execution.

The second vulnerability CVE-2017-11882 is a recently-discovered vulnerability that takes advantage of various versions of Microsoft Office 2016, 2013, 2010 and 2007.

It uses ‘Microsoft Office Memory Corruption Vulnerability’ and allows an attacker to run code in memory.

Researchers also say that Zyklon uses the Tor network as its Command and Control communication.

Researchers say that Zyklon can download additional plugins that include:

Browser Password Recovery, which can recover passwords from popular web browsers including Google Chrome, Mozille Firefox, Apple Safari, Internet Explorer, Comodo Dragon Browser, Opera Browser, Chrome Canary/SXS, CoolNovo Broswser, Flock Browser, SeaMonkey Browser and SRWare Iron Browser.

FTP Password Recovery, which can steal passwords from FTP applications including FileZilla, Dreamweaver, SmartFTP, FlashFXP, FTPCommander and WS_FTP.

Gaming Software Key Recovery, which steals keys from games including Age of Empires, FIFA, Call of Duty, NFS, The Sims, Quake, Half-Live, IGI and Star Wars.

Email Password Recovery, which can steal passwords from Microsoft Outlook and Microsoft Outlook Express, Mozilla Thunderbird, Windows Live Mail 2012, Incredimail, Foxmail, Windows Live Messenger, MSN Messenger, Windows Credential Manager, Google Talk, Gmail Notifier, PaltalkScene IM, Pidgin Messenger and Miranda Messenger.

Licence Key Recovery, which steals serial keys from popular software including Adobe, Microsoft Office, SQL Server and Nero.

Socks5 Proxy, which can create a reverse Socks5 proxy server.

The Zyklon malware can also hijack a user’s clipboard and can replaces a user’s copied Bitcoin address with one from the Zyklon control server.

Story image
Exabeam and Code42 partner up to launch insider threat solution
The solution will give customers a fuller picture of their environment, and will leverage automated incident response to obstruct insider threat before data loss occurs.More
Story image
Proofpoint and CyberArk extend partnership to further safeguard high-risk users
“Our CyberArk partnership extension provides security teams with increased detection and enhanced adaptive controls to help prevent today’s most severe threats."More
Story image
Misinformation on the rise, organisations consider how best to respond
The increase in misinformation and fake domains have left organisations perceiving the threat level to be ‘very significant’, with a third planning greater emphasis on their ability to respond in coming months.More
Story image
ESET launches the latest version of its Mobile Security solution
“With this latest version of ESET Mobile Security, we want to ensure our users feel completely secure when performing financial transactions on their devices, in addition to being protected from malware and phishing attempts."More
Story image
Kaspersky finds red tape biggest barrier against cybersecurity initiatives
The most common obstacles that inhibit or delay the implementation of industrial cybersecurity projects include the inability to stop production (34%), and bureaucratic steps, such as a lengthy approval process (31%) and having too many decision-makers (23%). More
Story image
CrowdStrike integrates with ServiceNow program to bolster incident response
As part of the move, users can now integrate device data from the CrowdStrike Falcon platform into their incident response process, allowing for the improvement of both the security and IT operation outcomes.More