Saturday, May 18, 2024

New Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware that Creating Backdoor

Recently patched critical Microsoft office vulnerabilities are used for distributing powerful Zyklon Malware that has some sophisticated functionalities such as creating a backdoor in victims machine.

Zyklon Malware has widely spread across the world since 2016 and its mainly targeting Telecommunications, Insurance, Financial Services.

A Backdoor that creates by Zyklon Malware has capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal.

Zyklon Malware Http being advertised in a popular underground marketplace with following Prices.

  • Normal build: $75 (USD)
  • Tor-enabled build: $125 (USD)
  • Rebuild/Updates: $15 (USD)
  • Payment Method: Bitcoin (BTC)

This malware downloads several plugins in a browser that will be later performing cryptocurrency mining and password recovery.

Also Read: Skygofree – Highly Sophisticated Android Spyware Discovered that Almost Steal Everything in Your Mobile

How does Microsoft Office Vulnerabilities Exploited

Zyklon malware initially delivering through malicious spam emails that contain attached Zip file that has embedded malicious DOC file.

Once victims click the email, malware exploits 3 known Microsoft office vulnerabilities and PowerShell payload takes over the victims computer.

Later PowerShell script will communicate with Command & Control server and download the final payload and execute it in a victims machine.

According to FireEye Report, its exploit 3  Following Critical vulnerabilities,

  • CVE-2017-879
  • CVE-2017-11882
  • Dynamic Data Exchange (DDE) Mechanism 
The CVE-2017-879 vulnerability that discovered in September 2017 exploit using DOC file contains an embedded OLE Object that, upon execution, triggers the download of an additional DOC file from the stored URL.
CVE-2017-1188 exploit the MS office using  embedded OLE Object downloaded file, doc.doc, is XML-based and contains a PowerShell command and execute the payload
Dynamic Data Exchange (DDE) is the interprocess communication mechanism that is exploited to perform remote code execution. With the help of a PowerShell script

All these vulnerabilities are using same domain is used to download the next level payload using another PowerShell script and it is responsible for resolving the APIs required for code injection.

It also contains the injectable shellcode. The APIs contain VirtualAlloc(), memset(), and CreateThread(). Figure 9 shows the decoded Base64 code.

The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network and the malware sends a POST request to the C2 server.

Also, this Malware performing additional capabilities such as  Browser Password Recovery, FTP Password Recovery, Gaming Software Key Recovery, Email Password Recovery, License Key Recovery.


Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles