Story image

Zyklon HTTP malware creates gaping backdoors through MS Office exploits

22 Jan 2018

Telecommunications, insurance and financial service providers are the latest targets of a multi-feature backdoor malware called Zyklon, which can conduct a number of different attacks from DDoS to keylogging.

Researchers Swapnil Patil and Yogesh Londhe from FireEye explain that while Zyklon has been in the wild in 2016, the recent wave is attaching to spam emails to deliver its malware.

Zyklon HTTP malware is described as a publicly-available and fully featured backdoor that is able to conduct DDoS attacks, steal passwords, act as a keylogger, update and remove itself; and acts as a downloader for additional plugins.

The malware can range from $75-$125 on underground marketplaces.

The latest wave arrives as a spam .ZIP attachment. That attachment contains a malicious .DOC file.

“The document files exploit at least three known vulnerabilities in Microsoft Office, which we discuss in the Infection Techniques section. Upon execution in a vulnerable environment, the PowerShell based payload takes over,” Researchers explain.

They go on to say that PowerShell is able to download the final payment from the Command & Control centre to execute the malware.

The malware uses two specific vulnerabilities to infect machines: The first vulnerability CVE-2017-8759 enables an attacker to use a malicious document for remote code execution.

The second vulnerability CVE-2017-11882 is a recently-discovered vulnerability that takes advantage of various versions of Microsoft Office 2016, 2013, 2010 and 2007.

It uses ‘Microsoft Office Memory Corruption Vulnerability’ and allows an attacker to run code in memory.

Researchers also say that Zyklon uses the Tor network as its Command and Control communication.

Researchers say that Zyklon can download additional plugins that include:

Browser Password Recovery, which can recover passwords from popular web browsers including Google Chrome, Mozille Firefox, Apple Safari, Internet Explorer, Comodo Dragon Browser, Opera Browser, Chrome Canary/SXS, CoolNovo Broswser, Flock Browser, SeaMonkey Browser and SRWare Iron Browser.

FTP Password Recovery, which can steal passwords from FTP applications including FileZilla, Dreamweaver, SmartFTP, FlashFXP, FTPCommander and WS_FTP.

Gaming Software Key Recovery, which steals keys from games including Age of Empires, FIFA, Call of Duty, NFS, The Sims, Quake, Half-Live, IGI and Star Wars.

Email Password Recovery, which can steal passwords from Microsoft Outlook and Microsoft Outlook Express, Mozilla Thunderbird, Windows Live Mail 2012, Incredimail, Foxmail, Windows Live Messenger, MSN Messenger, Windows Credential Manager, Google Talk, Gmail Notifier, PaltalkScene IM, Pidgin Messenger and Miranda Messenger.

Licence Key Recovery, which steals serial keys from popular software including Adobe, Microsoft Office, SQL Server and Nero.

Socks5 Proxy, which can create a reverse Socks5 proxy server.

The Zyklon malware can also hijack a user’s clipboard and can replaces a user’s copied Bitcoin address with one from the Zyklon control server.

New threat rears its head in new malware report
Check Point’s researchers view Speakup as a significant threat, as it can be used to download and spread any malware.
Oracle updates enterprise blockchain platform
Oracle’s enterprise blockchain has been updated to include more capabilities to enhance development, integration, and deployment of customers’ new blockchain applications.
Used device market held back by lack of data security regulations
Mobile device users are sceptical about trading in their old device because they are concerned that data on those devices may be accessed or compromised after they hand it over.
Gartner names ExtraHop leader in network performance monitoring
ExtraHop provides enterprise cyber analytics that deliver security and performance from the inside out.
Symantec acquires zero trust innovator Luminate Security
Luminate’s Secure Access Cloud is supposedly natively constructed for a cloud-oriented, perimeter-less world.
Palo Alto releases new, feature-rich firewall
Palo Alto is calling it the ‘fastest-ever next-generation firewall’ with integrated cloud-based DNS Security service to stop attacks.
The right to be forgotten online could soon be forgotten
Despite bolstering free speech and access to information, the internet can be a double-edged sword, because that access to information goes both ways.
Opinion: 4 Ransomware trends to watch in 2019
Recorded Future's Allan Liska looks at the past big ransomware attacks thus far to predict what's coming this year.