Zyklon, an HTTP botnet malware revamped after 2016 by exploiting the vulnerabilities present in Microsoft Office. Security researchers at FireEye reported that a malware named Zyklon, capable of stealing confidential data, key logs and much more is being spread by attackers using three susceptibilities of Microsoft Office.
As per initial reports, Zyklon Malware which basically spread by spam emails as an attachment mainly targets on telecommunications and insurance industries along with financial services.
How Lethal Can This Malware Be?
The public availability of this malware makes it more dreadful. The malware has been advertised for sale in dark web with a price tag of USD 75 and USD 125. This means anyone with bad intentions and key skill of hacking can easily get this malware.
Moreover, the malware when configured with its servers over TOR network (network mainly used by attackers and hackers) can easily steal the passwords, download an infected plugin to conduct DDoS (Distributed Denial of Service) attacks. Also, the malware can infect the browser with bogus plugins for mining cryptocurrencies without user’s knowledge.
How This Malware is Exploiting Microsoft Office Vulnerabilities?
The security researchers at FireEye stated that the malware is distributed via Zip file which itself contains a malicious DOC file. Then the infected document file exploits the three Microsoft Office Vulnerabilities stated below to download this lethal malware from its servers.
Exploit via vulnerability in .NET Framework (CVE-2017-8759): This loophole which was originally reported by FireEye researchers to Microsoft allows an attacker to gain access to any targeted system. The attacker first sends an infected doc file to victim via an email. Once the victim opens that infected doc it allows the doors for attackers to gain explicit access to victim’s PC.
Last year, in the month of September, a security patch for this vulnerability was released by Microsoft.
Exploit via Microsoft Remote Code Execution vulnerability (CVE-2017-11882): This vulnerability existed for 17 long years before finally being resolved by a security patch from Microsoft in November 2017. Using this vulnerability, attackers could execute any harmful code on the targeted machine without even user intervention.
Exploit via Microsoft Dynamic Data Exchange (DDE) vulnerability: As per Microsoft, this is not a vulnerability but an inbuilt feature of Microsoft Office that allows apps to share data. However, when it came to notice of Microsoft that attackers are using this DDE feature to execute codes in the targeted machine without even enabling Macros, then it issued the guidelines to safely disable this feature via change in some registry settings of MS office.
The malware after exploiting any of these loopholes of Microsoft Office then executes a PowerShell script and fetches the Zyklon Malware from its servers to put onto the target machine.
Also Read: Trojan horse! Take Prevention
So, guys, before we wind up we just recommend you update all the software installed on your PC along with anti-virus software to the latest. Also, never open any document that you receive on email via unknown sender.