Unpatched Office Vulnerabilities Enabling Zyklon Malware Comeback | eWeek

Multifaceted Zyklon Malware Targets Microsoft Office Vulnerabilities

malware
Verfasst von
Pedro Hernandez
Pedro Hernandez
Jan 19, 2018
3 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

Researchers with security company FireEye are warning Microsoft Office users that Zyklon has resurfaced, and attackers are preying on a recently-discovered vulnerability in the productivity software suite to spread the modular malware.

In addition to creating a backdoor to that can be used for password harvesting and keylogging, the malware can conscript infected systems into a botnet that launch DDoS (distributed denial-of-service) attacks.

“The malware can download several plugins, some of which include features such as crypto-currency mining and password recovery, from browsers and email software,” warned FireEye security researchers Swapnil Patil and Yogesh Londhe in an online advisory detailing the many dangers posed by Zyklon.


First spotted in the wild in early 2016, Zyklon has attracted renewed attention in recent days from security researchers concerned about its potential impact on users that rely on the popular business software.

Now attackers are setting their sights on businesses with deep pockets. According to FireEye’s assessment of the latest Zyklon malware campaign, attackers are focusing their efforts on financial services, insurance and telecommunications companies.

The researchers noticed that attackers had begun to rely on an Office vulnerability (CVE-2017-11882) to infect system using malicious email attachments in the Word file format. Once opened, the file triggers a download of another file from a URL contained in an embedded OLE (Object Linking and Embedding) object, which in turn contains a PowerShell command that finally downloads the payload.

Zyklon is not only an example of how malware marketplaces are making it easier for cyber-criminals to stage attacks, it shows that some purveyors of malicious code have an entrepreneurial streak, according to Chris Morales, head of security analytics at Vectra, a San Jose, Calif. startup specializing in AI-enabled threat and response technologies.

“What stands out the most to me is that the Zyklon malware is being packaged with pricing tiers based on features. We have seen many attacks now leveraging Tor for outbound communication and PowerShell for malware updates,” said Morales in email remarks sent to eWEEK. Tor is free open source software that enables anonymous web communication.

“We have even seen a large influx of crypto-currency mining tools over the last 6 months, in particular within universities,” added Morales, before noting that Zyklon gathers multiple malicious software components “into single package that can be neatly deployed by an end user, just like you would add features to the base price of a car.” A Tor-enabled variant of Zyklon that allows for outbound communications used in botnet operations raises the malware’s price from $75 to $125, he observed.

One way that businesses can avoid a Zyklon infection is by getting caught up with their patches. “Security updates were released last year and customers that have applied them, or have automatic updates enabled are protected,” a Microsoft spokesperson told eWEEK.

Zyklon isn’t the only revenue-generating tool that attackers have in their arsenal.

On Jan. 8, AlienVault warned of an application that attempts to mine the Monero crypto-currency. According to the security firm, proceeds are sent to Kim Il Sung University in North Korea. Attackers have also been known to target vulnerable SSH servers in a bid to mint fortunes by mining Monero on victims’ machines.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.