Multifaceted Zyklon Malware Targets Microsoft Office Vulnerabilities

Security researchers at FireEye warn that Zyklon is using recent vulnerabilities found in Microsoft Office to make a comeback.


Researchers with security company FireEye are warning Microsoft Office users that Zyklon has resurfaced, and attackers are preying on a recently-discovered vulnerability in the productivity software suite to spread the modular malware.

In addition to creating a backdoor to that can be used for password harvesting and keylogging, the malware can conscript infected systems into a botnet that launch DDoS (distributed denial-of-service) attacks.

"The malware can download several plugins, some of which include features such as crypto-currency mining and password recovery, from browsers and email software," warned FireEye security researchers Swapnil Patil and Yogesh Londhe in an online advisory detailing the many dangers posed by Zyklon.

First spotted in the wild in early 2016, Zyklon has attracted renewed attention in recent days from security researchers concerned about its potential impact on users that rely on the popular business software.

Now attackers are setting their sights on businesses with deep pockets. According to FireEye's assessment of the latest Zyklon malware campaign, attackers are focusing their efforts on financial services, insurance and telecommunications companies.

The researchers noticed that attackers had begun to rely on an Office vulnerability (CVE-2017-11882) to infect system using malicious email attachments in the Word file format. Once opened, the file triggers a download of another file from a URL contained in an embedded OLE (Object Linking and Embedding) object, which in turn contains a PowerShell command that finally downloads the payload.

Zyklon is not only an example of how malware marketplaces are making it easier for cyber-criminals to stage attacks, it shows that some purveyors of malicious code have an entrepreneurial streak, according to Chris Morales, head of security analytics at Vectra, a San Jose, Calif. startup specializing in AI-enabled threat and response technologies.

"What stands out the most to me is that the Zyklon malware is being packaged with pricing tiers based on features. We have seen many attacks now leveraging Tor for outbound communication and PowerShell for malware updates," said Morales in email remarks sent to eWEEK. Tor is free open source software that enables anonymous web communication.

"We have even seen a large influx of crypto-currency mining tools over the last 6 months, in particular within universities," added Morales, before noting that Zyklon gathers multiple malicious software components "into single package that can be neatly deployed by an end user, just like you would add features to the base price of a car." A Tor-enabled variant of Zyklon that allows for outbound communications used in botnet operations raises the malware's price from $75 to $125, he observed.

One way that businesses can avoid a Zyklon infection is by getting caught up with their patches. "Security updates were released last year and customers that have applied them, or have automatic updates enabled are protected," a Microsoft spokesperson told eWEEK.

Zyklon isn't the only revenue-generating tool that attackers have in their arsenal.

On Jan. 8, AlienVault warned of an application that attempts to mine the Monero crypto-currency. According to the security firm, proceeds are sent to Kim Il Sung University in North Korea. Attackers have also been known to target vulnerable SSH servers in a bid to mint fortunes by mining Monero on victims' machines.

Pedro Hernandez

Pedro Hernandez

Pedro Hernandez is a contributor to eWEEK and the IT Business Edge Network, the network for technology professionals. Previously, he served as a managing editor for the network of...