Cybercriminals are always on the lookout for new ways to spread their creations and make money at the expense of other people. They don’t just make new threats and reuse the same tactics to distribute them – their schemes change all the time and can sometimes be quite elaborate. This time they’re using three Microsoft Office vulnerabilities that have been discovered relatively recently. The malware in question is called Zyklon, and it was developed to attack financial service, insurance, and telecommunications companies.
It was first noticed by the security researchers from FireEye, and they say that the con artists behind this threat aim to steal users’ passwords and personal data relating to their cryptocurrency wallets. This isn’t just done to break into various types of accounts and be done with it – no, the perpetrators think ahead and plan to use this information for their own purposes in the future. Let’s now talk about what exactly they do and what one should be on the lookout for.
The attack itself is pretty basic – spam emails are sent out containing ZIP archives, inside which are various kinds of .doc files. They’re rigged in such a way that they start exploiting one of three Office vulnerabilities as soon as they’re opened. The first of those is a .NET Framework bug (CVE-2017-8759) which was patched by Microsoft last October. If a user opens the compromised document, the perpetrators behind Zyklon get the ability to install malicious programs on that computer, get their hands on personal data and also create new privileged accounts, according to Microsoft. FireEye adds that the infected .doc files contain an OLE object that triggers the download of an additional .doc file from a stored URL as soon as they’re opened.
The second of the vulnerabilities is called CVE-2017-11882 and is actually 17 years old. The bug could be found in an Office executable named Microsoft Equation Editor and it was patched as part of Microsoft’s November 2017 Patch Tuesday. The result of this vulnerability is pretty similar to CVE-2017-8759 – the difference is, the infected document downloads another one when it’s opened and this other one contains a PowerShell command which is used to download the final payload.
And next comes the final one, Dynamic Data Exchange (or DDE), which isn’t even considered a vulnerability by Microsoft. The company declares it to be a product feature, but it should be noted that guidance for admins was released in November, containing instructions on how to safely disable the feature via new registry settings for Office. This is quite telling and shows that Microsoft is aware of possible problems. DDE itself is a useful protocol that defines how applications send messages and share data via shared memory. But cybercriminals have been extremely successful in exploiting it over the past year, employing macro-based malware to execute viruses, exploits and droppers. And, according to FireEye, DDE is also used to deliver a dropper in most of the attacks that happened recently.
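The document-side indicators from the three delivery mechanisms above (an embedded or externally linked OLE object, and a DDE field code) can be checked before a file ever reaches a user. The following is an added example written for this article, not FireEye's or Microsoft's code: it inspects an OOXML (.docx) container and reports DDE fields, embedded OLE objects and non-hyperlink external relationships. It assumes the OOXML format only (the legacy binary .doc format is not parsed here), the function names `scan_docx`, `is_suspicious` and `build_sample_docx` are hypothetical, and the sample document it builds in memory is constructed and inert, with `example.invalid` as a placeholder host.

```python
"""Inspect an OOXML (.docx) container for the document-side delivery tricks
discussed above: DDE field codes and embedded or externally linked OLE objects.
Added example for this article (not FireEye's or Microsoft's code). Assumptions:
the OOXML container only (the legacy binary .doc format is not parsed here),
and a constructed, inert sample document built in memory so it runs offline."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

# DDE and DDEAUTO field codes make Word talk to another application.
DDE_FIELD_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def scan_docx(data: bytes) -> dict:
    """Return findings for the .docx bytes in `data` (hypothetical helper name)."""
    findings = {"dde_fields": [], "embedded_objects": [], "external_targets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # 1. Embedded OLE objects are stored under word/embeddings/.
        findings["embedded_objects"] = [n for n in names if n.startswith("word/embeddings/")]
        # 2. Field instructions: <w:instrText> runs (joined per paragraph, since
        #    Word may split one field code across several runs) and <w:fldSimple>.
        if "word/document.xml" in names:
            root = ET.fromstring(zf.read("word/document.xml"))
            instructions = [
                "".join(el.text or "" for el in para.iter(f"{{{W_NS}}}instrText"))
                for para in root.iter(f"{{{W_NS}}}p")
            ]
            instructions += [fld.get(f"{{{W_NS}}}instr", "") for fld in root.iter(f"{{{W_NS}}}fldSimple")]
            findings["dde_fields"] = [i.strip() for i in instructions if DDE_FIELD_RE.search(i)]
        # 3. Relationships pointing outside the package (remote OLE/template loads);
        #    plain hyperlinks are common in benign documents and are skipped.
        for name in names:
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(zf.read(name)).iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External" and rel.get("Type") != HYPERLINK_TYPE:
                    findings["external_targets"].append((name, rel.get("Target")))
    return findings


def is_suspicious(findings: dict) -> bool:
    """Any DDE field, embedded OLE object or non-hyperlink external target is enough to hold the file for analysis."""
    return any(findings[k] for k in ("dde_fields", "embedded_objects", "external_targets"))


def build_sample_docx(field_code: str, include_ole: bool) -> bytes:
    """Constructed minimal .docx carrying one field code; NOT a real sample."""
    document = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'<w:r><w:instrText xml:space="preserve"> {field_code} </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    )
    rels = f'<Relationships xmlns="{REL_NS}">'
    if include_ole:  # external OLE link, as in the first exploit document described above
        rels += (
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
            'Target="http://example.invalid/stage2.doc" TargetMode="External"/>'
        )
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", rels)
        if include_ole:
            zf.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("benign", build_sample_docx("PAGE", False)),
                        ("dde+ole", build_sample_docx('DDEAUTO "placeholder-app" "placeholder-topic"', True))):
        result = scan_docx(blob)
        print(label, "suspicious" if is_suspicious(result) else "clean", result)
```

Hyperlink relationships are deliberately excluded from the verdict because almost every business document carries some; an external `oleObject` or `attachedTemplate` relationship, by contrast, is rare enough in mail attachments to justify holding the file for analysis.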
There are several other things the security researchers mention. The same domain is used to download the next-stage payload (Pause.ps1) in all of the aforementioned cases. It’s a Base64-encoded PowerShell script, and it’s used to resolve the APIs that are needed for code injection. The main goal of Pause.ps1 is to deliver the “core payload”, which is the Zyklon malware itself.
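A Base64-encoded PowerShell stage like Pause.ps1 is only opaque until it is decoded, and process-creation logs are where a defender usually first sees it. The following is an added detection example, not FireEye's tooling: it extracts Base64 blobs from `-EncodedCommand`-style arguments and inline `FromBase64String` literals in log lines, decodes them, and flags strings associated with API resolution and code injection. The log line format, the function names (`analyze_log_line`, `decode_powershell_b64`, `encode_command`) and the indicator list are assumptions made for this example; the sample lines are constructed and their encoded bodies are harmless comments.

```python
"""Decode Base64-encoded PowerShell found in process-creation log lines and flag
strings tied to API resolution and code injection, the behaviour the article
attributes to Pause.ps1. Added example, not FireEye's tooling. Assumptions: the
log line format, the function names and the indicator list are constructed for
this example, and the encoded bodies are harmless comments."""
import base64
import re

# powershell.exe accepts any unique prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_PREFIXES = "|".join(re.escape("encodedcommand"[:i]) for i in range(1, 15))
ENCODED_FLAG_RE = re.compile(rf"(?:^|\s)-(?:{_ENC_PREFIXES})\s+([A-Za-z0-9+/=]{{16,}})", re.IGNORECASE)
# Inline decoding of a literal, the other common way a stage hides its script.
INLINE_B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", re.IGNORECASE)

# Strings an analyst would look for in a decoded stager (constructed list).
SUSPICIOUS_TOKENS = (
    "VirtualAlloc", "CreateThread", "WriteProcessMemory", "GetProcAddress",
    "GetModuleHandle", "DownloadString", "DownloadFile", "Invoke-Expression", "IEX", "Add-Type",
)


def decode_powershell_b64(blob: str) -> str:
    """-EncodedCommand payloads are UTF-16LE; inline literals are usually UTF-8.
    Heuristic: even length with every high byte zero means UTF-16LE."""
    raw = base64.b64decode(blob, validate=True)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def analyze_log_line(line: str) -> dict:
    """Return the decoded script(s) in `line` and the indicator names they contain."""
    blobs = [m.group(1) for m in ENCODED_FLAG_RE.finditer(line)] + INLINE_B64_RE.findall(line)
    decoded = []
    for blob in blobs:
        try:
            decoded.append(decode_powershell_b64(blob))
        except ValueError:  # bad padding / not really Base64: leave for manual review
            continue
    script = "\n".join(decoded)
    hits = [tok for tok in SUSPICIOUS_TOKENS
            if re.search(rf"\b{re.escape(tok)}\b", script, re.IGNORECASE)]
    return {"decoded": script, "indicators": hits, "suspicious": bool(hits)}


def encode_command(script: str) -> str:
    """Base64 form powershell.exe -EncodedCommand expects (UTF-16LE, no BOM)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed log lines (not from any real incident). Bodies are inert comments.
SAMPLE_LOGS = [
    'ProcessCreate image=powershell.exe cmdline="powershell.exe -NoProfile -enc '
    + encode_command("Get-Service | Where-Object Status -eq Running") + '"',
    'ProcessCreate image=powershell.exe cmdline="powershell.exe -w hidden -EncodedCommand '
    + encode_command("# lookup: GetProcAddress -> VirtualAlloc\nWrite-Host 'inert sample'") + '"',
    "ProcessCreate image=powershell.exe cmdline=\"powershell.exe -c "
    "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
    + base64.b64encode(b"# fetch placeholder: DownloadString\nWrite-Host 'inert'").decode("ascii") + "'))\"",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        verdict = analyze_log_line(line)
        print("SUSPICIOUS" if verdict["suspicious"] else "clean", verdict["indicators"])
```

The encoding heuristic matters in practice: `-EncodedCommand` expects UTF-16LE, so decoding such a blob as UTF-8 yields NUL-riddled text that keyword matching misses, while an inline `FromBase64String` literal is typically plain UTF-8. Keyword hits are a triage signal, not a verdict; the decoded script should go to an analyst.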
Let’s now talk about it in more detail. It’s a backdoor which is fully equipped with all the necessary features and can be used to steal passwords, download and execute additional plugins, perform DDoS attacks, and log keystrokes. It’s also capable of updating and removing itself, so the con artists have a vicious tool on their hands which can help them accomplish everything they want. Zyklon can even download plugins that are used to mine cryptocurrency – nothing is missed here. And passwords can be stolen from both browsers and email software.
Traces are covered by the cybercriminals as well – the communications with the command-and-control server of this virus go through the Tor network. The Zyklon executable contains another encrypted file in its .NET resource section, which is called “tor”. It’s decrypted and loaded into InstallUtil.exe, where it then functions as a Tor anonymizer. From that moment on, the proverbial floodgates are open: new plugins can be downloaded, passwords can be stolen, and proxies can be opened to establish reverse SOCKS5 proxy servers on compromised hosts, and that’s just scratching the surface of everything this threat is capable of.
FireEye concludes its report by saying that it’s extremely important for firms to have the latest versions of security software installed and keep them working all the time. Online safety should be treated very seriously and employees should be aware of all the dangers that might await them on the Internet. Con artists behind malware such as Zyklon aren’t going to stop – quite the contrary, they will continue broadening their scope. They want to earn as much as they can and are willing to do anything to get what they want. Ruined plans and missed deadlines don’t concern them – enriching their bank accounts is the only thing that matters.
Some of the other recommendations that help reduce the chance of a PC network being compromised by such threats include limiting visits to dubious pages and refraining from clicking on links and advertisements found on them. Attachments in spam emails should be ignored, and the emails themselves are best deleted as soon as possible. And, as was mentioned above, keeping security software updated and running all the time is also extremely important to ward off possible attacks. If those recommendations are followed, cybercriminals have fewer chances of making their schemes successful.