Zyklon, a fully featured backdoor, is making the rounds using recently patched vulnerabilities in Microsoft Office.
The dismally named code has been around since early 2016; it’s an HTTP malware with a wide range of capabilities, including keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks and self-updating and self-removing. FireEye researchers, who uncovered this latest wave of attacks, said that it also can download several plugins from browsers and email software, some of which include features such as cryptocurrency mining and password recovery. Additionally, Zyklon has a mechanism to monitor the spread and impact of its activities and uses the Tor anonymity network to communicate with its command-and-control (C2) server.
In an analysis, FireEye found that Zyklon is being delivered primarily through spam emails with an attached malicious Word document, targeting telecommunications, insurance and financial services. It’s using two Microsoft vulnerabilities: CVE-2017-8759, which was discovered by FireEye in September 2017, and CVE-2017-11882, a remote code execution bug.
CVE-2017-8759 is a .NET framework issue patched by Microsoft in October. An exploit allows attackers to install programs, manipulate data and create new privileged accounts. The second vulnerability was patched in November – though it was found to have existed for 17 years.
The threat actors are banking on administrators taking their time patching – a common tactic. Users should, of course, update their systems as soon as possible, given Zyklon’s virulent abilities.
“Threat actors incorporating recently discovered vulnerabilities in popular software – Microsoft Office, in this case – only increases the potential for successful infections,” FireEye researchers said in their analysis. “These types of threats show why it is very important to ensure that all software is fully updated. Additionally, all industries should be on alert, as it is highly likely that the threat actors will eventually move outside the scope of their current targeting.”
This becomes even more critical given that the aforementioned plugins up the ante significantly in terms of potential damage. When enabled, Zyklon can, for instance, recover passwords from popular web browsers, including Google Chrome, Mozilla Firefox, Internet Explorer, Opera Browser, Apple Safari and many others. It also can support FTP password recovery from FileZilla, Dreamweaver and others and can collect email passwords from Microsoft Outlook, Mozilla Thunderbird, Windows Live Mail and Windows Live Messenger, MSN Messenger, Google Talk, GMail Notifier and so on.
Interestingly, one of the plugins allows Zyklon to recover PC gaming software keys from a range of popular games, including "Battlefield," "Call of Duty," "FIFA," "Age of Empires," "The Sims," "Half-Life" and "Star Wars."
Further, the malware can automatically detect and decrypt the license/serial keys of more than 200 popular pieces of software, including Office, SQL Server, Adobe and Nero; can establish a reverse SOCKS5 proxy server on infected host machines; and has the ability to hijack Bitcoin clipboards.
Suffice it to say, Zyklon can wreak havoc – and for not that much money. Researchers said that a normal build goes for $75, while a Tor-enabled build costs just $125.
“Clearly this is an infection that supports the urgency to keep systems patched with automated updates,” said Michael Patterson, CEO of Plixer, via email. “Although a system might be protected against Zyklon, variants of malware are constantly being released in a zero-day fashion. These infections can lead to costly clean-ups. As a proactive measure, companies with Microsoft products deployed should be collecting network traffic flows from all routers and virtual servers to perform network traffic analysis in the event of a breach. Detecting and locating the source of the breach event quickly is of paramount importance. For example, Tor traffic, which is unusual on a network, can easily be found and stopped by looking at the traffic flow. Leveraging traffic analytics and adding context can lead to faster remediation and go a long way towards helping keep a company safe.”