Using Microsoft Office? It is time to be alert, because cybercriminals are exploiting MS Office vulnerabilities to spread the Zyklon malware. Its prime targets are the insurance, telecommunications and financial services sectors. The Zyklon HTTP botnet malware was first detected in 2016 and has affected many users whose computers lacked the required security measures. The malware has been observed taking part in a number of DDoS attacks, including TCP flood, SYN flood, UDP flood, HTTP flood and slowloris.
Zyklon is built to recover passwords from popular web browsers, email clients and gaming software, and it automatically detects and decrypts the activation keys or serial numbers of more than a hundred software products, including Nero, Adobe, SQL Server, MS Office and more. This malware can also execute additional plugins such as cryptocurrency miners, self-update, self-removal and more.
According to the research, the malware is distributed through malicious spam attachments in a zip file, which in turn contains a DOC file exploiting at least three known vulnerabilities in Microsoft Office, one of the most widely used software suites. Two of these three Office vulnerabilities are CVE-2017-8759 and CVE-2017-11882. Zyklon connects to its command and control (C2) server via the Onion Router (Tor) network and offers an excellent way to track its spread and effect.
Chris Morales, Vectra’s head of security analytics, said: “What sets it apart is that the malware includes pricing tiers depending on the features.” Threat actors who want to deploy this malware through the MS Office vulnerabilities can buy it for $75, or the Tor-embedded (Onion Router network) pack for $125. They can also purchase updates for $15, with payment made in Bitcoin.
Vectra’s head of security analytics also noted that Zyklon is a capable piece of code built to spy, spread, infect and steal confidential information. He added that the Windows vulnerabilities used by this malware were first observed at their height through the detection of another piece of malware, leaving no clue as to how long the threat actors had known about the vulnerability or when they embedded it in the malware.
According to a report by a threat researcher at a well-known security company, “This is true of every vulnerability discovered and published.” Chris Morales also said that attackers do not want to publish or disclose any information they have. They may sit on this information for a very long time before relying on an exploit for the vulnerability in some other piece of malware. Meni Farjon, co-founder and chief technology officer of SoleBIT Labs, stated that the vulnerabilities chosen by the attackers behind Zyklon are exceptional in that they all share the characteristic of being 100% reliable across almost all versions of the Windows operating system.
Farjon said in a statement: “Generally, the code execution misuses combine memory-based corruptions that may cause untrustworthy circumstances on some victims’ PCs, resulting in failing to infect. These vulnerabilities don’t affect the memory and are mostly fully logical.” He added that the flaws will affect even old Windows operating systems with extremely high reliability of infection. This proves that the attackers behind the Zyklon malware are planning a big campaign at one point or another. Lenny Zeltser, vice-president of products at Minerva Labs, told the media that the technique used in the Zyklon campaign demonstrates some of the ways adversaries get past information security defenses: using MS Office documents together with PowerShell and employing memory injection, which mostly works against detection-based anti-malware tools.
This clearly raises the need for some kind of baseline anti-virus protection, Zeltser added. Threats of this type show why it is mandatory to make sure that all software is fully updated.
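The Office-document-plus-PowerShell technique described above is something defenders can watch for in process-creation telemetry. The following detection logic is an added example, not code from the article or from any vendor quoted in it; it assumes a constructed event format of `timestamp|parent_image|image|command_line` and constructed sample events, and flags Office applications spawning script hosts together with PowerShell arguments commonly used to hide or encode activity.

```python
"""Flag Office-spawned PowerShell in process-creation events (added example, constructed data)."""
import re

# Office applications that should not normally launch script hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# PowerShell argument patterns: encoded command, hidden window, in-memory download/execution.
SUSPICIOUS_ARGS = [
    r"-e(c|nc|ncodedcommand)?\b",
    r"-w(indowstyle)?\s+hidden",
    r"downloadstring|downloadfile|iex\b|invoke-expression",
]

# Constructed sample events in the assumed "ts|parent_image|image|command_line" layout.
SAMPLE_EVENTS = [
    r"2018-01-17T10:02:13|C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|"
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoP -W Hidden -Enc QUJD",
    r"2018-01-17T10:05:44|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe report.txt",
    r"2018-01-17T10:07:01|C:\Windows\System32\cmd.exe|"
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-Process",
]


def parse_event(line):
    """Split one event line and normalise image names to lowercase basenames."""
    ts, parent, image, cmd = line.split("|", 3)
    basename = lambda p: p.rsplit("\\", 1)[-1].lower()
    return {"ts": ts, "parent": basename(parent), "image": basename(image), "cmd": cmd}


def score_event(ev):
    """Return the list of reasons an event looks like Office-launched script execution."""
    reasons = []
    if ev["parent"] in OFFICE_PARENTS and ev["image"] in SCRIPT_HOSTS:
        reasons.append(f"office parent {ev['parent']} spawned {ev['image']}")
    if ev["image"] == "powershell.exe":
        for pattern in SUSPICIOUS_ARGS:
            if re.search(pattern, ev["cmd"], re.IGNORECASE):
                reasons.append(f"powershell argument matches /{pattern}/")
    return reasons


def detect(lines):
    """Return (timestamp, reasons) for every event that triggers at least one reason."""
    hits = []
    for ev in map(parse_event, lines):
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["ts"], reasons))
    return hits


if __name__ == "__main__":
    for ts, reasons in detect(SAMPLE_EVENTS):
        print(ts, "->", "; ".join(reasons))
```

A plain PowerShell launched from an administrator's cmd.exe (third sample event) produces no alert, so the rule keys on the Office parent and the hiding/encoding arguments rather than on PowerShell use alone.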