Criminals are delivering Zyklon malware using three vulnerabilities in Microsoft Office that were recently patched. Security researchers at FireEye reported earlier today that the malware campaign leveraging the relatively new Office exploits has been spotted in the wild, distributing an advanced malware that they called a full-featured backdoor.

The campaign exploits three recently disclosed vulnerabilities in Microsoft Office to execute a PowerShell script on the target system to eventually download the final payload. These vulnerabilities include:

  1. CVE-2017-8759: works by tricking target into opening a specially crafted file.
  2. CVE-2017-11882 (RCE vulnerability): 17-year-old memory corruption flaw patched in November that works when “upon opening the malicious DOC attachment, an additional download is triggered from a stored URL within an embedded OLE Object.”
  3. Dynamic Data Exchange Protocol (DDE): “Dynamic Data Exchange (DDE) is the interprocess communication mechanism that is exploited to perform remote code execution,” researchers wrote. “With the help of a PowerShell script, the next payload is downloaded.”

What is Zyklon and how it leverages Office bugs

Zyklon is a full-featured backdoor, first observed in the wild in early 2016, and offers a number of sophisticated capabilities to the attackers who primarily target telecommunications, insurance and financial services. The malware can do a number of things, including:

  • Keylogging
  • Password harvesting
  • Downloading and executing additional plugins
  • Conducting distributed denial-of-service (DDoS) attacks
  • Cryptocurrency mining
  • Self-updating and self-removal.

Researchers warned that “Zyklon also provides a very efficient mechanism to monitor the spread and impact.” The targets appear to be organizations where spam emails arrive carrying ZIP files that contain the malicious DOC file.

Img

The malware can also use Tor network to communicate with its command and control server. After that, attacker can send customized instructions to launch DDoS attacks, mine cryptocurrency or even steal data. Since Zyklon can download additional plugins for more features, they can be used to steal passwords from browsers and hijack clipboard to replace bitcoin addresses copied by the victim with addresses owned by the attacker.

Sophisticated campaigns targeting organizations often make use of recently disclosed vulnerabilities since enterprises are notorious for being slow at installing these patches. “These types of threats show why it is very important to ensure that all software is fully updated,” researchers wrote. “Additionally, all industries should be on alert, as it is highly likely that the threat actors will eventually move outside the scope of their current targeting.”

– Technical details of this campaign are available over at FireEye.