Criminals are delivering Zyklon HTTP malware using three vulnerabilities in Microsoft Office that were recently patched. Security researchers at FireEye reported that the malware campaign, which leverages the relatively new Office exploits to execute a PowerShell script on the target system and eventually download the final payload, has been spotted in the wild since early 2016. The malware provides threat actors with sophisticated capabilities: a full-featured backdoor capable of keylogging, the ability to execute additional plugins such as cryptocurrency miners, the ability to conduct distributed denial-of-service (DDoS) attacks, and self-update and self-removal.
These vulnerabilities include:
1. CVE-2017-8759: Patched by Microsoft last October, it works by tricking the target into opening a specially crafted file. In the attack described by FireEye, the infected DOC file contains an embedded OLE Object that, upon execution, triggers the download of an additional DOC file from a stored URL.
2. CVE-2017-11882 (RCE vulnerability): A 17-year-old memory corruption flaw patched in November. In this campaign, “upon opening the malicious DOC attachment, an additional download is triggered from a stored URL within an embedded OLE Object.”
3. Dynamic Data Exchange Protocol (DDE): “Dynamic Data Exchange (DDE) is the interprocess communication mechanism that is exploited to perform remote code execution,” researchers wrote. “With the help of a PowerShell script, the next payload is downloaded.”
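Two of the three delivery vectors above leave artefacts inside the document itself: a DDE or DDEAUTO field instruction in the WordprocessingML XML, and an embedded OLE object part under word/embeddings/. The following scanner, added here as an illustration and not taken from the FireEye or Trend Micro reports, inspects a .docx for both indicators so that mail gateways or triage scripts can flag a document before a user opens it. The sample documents it builds are constructed in memory for the demonstration; the field command in the DDE sample is a placeholder path, not content from any real sample.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# The DDE and DDEAUTO field keywords are what make Word launch an external program.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def _field_instructions(root):
    """Yield the instruction string of every field in a WordprocessingML part.

    Complex fields are split over several w:instrText runs inside a paragraph, so the
    runs of one paragraph are joined; simple fields keep their instruction in w:instr.
    """
    for para in root.iter(W + "p"):
        texts = [el.text or "" for el in para.iter(W + "instrText")]
        if texts:
            yield "".join(texts)
        for fld in para.iter(W + "fldSimple"):
            yield fld.get(W + "instr", "")


def scan_docx(data: bytes) -> dict:
    """Return DDE field instructions and embedded OLE object parts found in a .docx."""
    findings = {"dde_fields": [], "embedded_objects": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # Embedded OLE objects (the vector used with CVE-2017-8759 / CVE-2017-11882)
            # are stored as separate package parts.
            if name.startswith("word/embeddings/"):
                findings["embedded_objects"].append(name)
            elif name.startswith("word/") and name.endswith(".xml"):
                root = ET.fromstring(zf.read(name))
                for instr in _field_instructions(root):
                    # Quote characters carry no meaning for the keyword itself, so they are
                    # removed before matching to avoid trivially split spellings.
                    if DDE_RE.search(instr.replace('"', "")):
                        findings["dde_fields"].append(instr.strip())
    return findings


def is_suspicious(findings: dict) -> bool:
    """A document with any DDE field or any embedded OLE object warrants manual review."""
    return bool(findings["dde_fields"] or findings["embedded_objects"])


def build_sample_docx(document_xml: str, embed_ole: bool = False) -> bytes:
    """Build a minimal .docx in memory (constructed test data, not a real-world sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", document_xml)
        if embed_ole:
            # Stand-in for an OLE compound file: only its presence matters to this scanner.
            zf.writestr("word/embeddings/oleObject1.bin",
                        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


def _doc(body: str) -> str:
    return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<w:document xmlns:w="{W_NS}"><w:body>{body}</w:body></w:document>')


# Constructed samples: an ordinary DATE field, and a split DDEAUTO field plus an OLE part.
BENIGN_DOCX = build_sample_docx(_doc(
    '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
    '<w:r><w:t>1 January 2018</w:t></w:r></w:fldSimple></w:p>'))

DDE_DOCX = build_sample_docx(_doc(
    '<w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">EAUTO C:\\placeholder\\launcher.exe "placeholder args" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p>'), embed_ole=True)


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_DOCX), ("dde+ole", DDE_DOCX)):
        result = scan_docx(blob)
        print(label, "suspicious" if is_suspicious(result) else "clean", result)
```

The scanner deliberately treats any embedded OLE part as worth a look rather than trying to parse the object, since the exploit documents described above differ only in what the object contains; a full triage pipeline would hand the extracted part to an OLE parser next.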
The attacks are targeting telecommunications, insurance and financial service firms.
Attackers are attempting to harvest passwords and cryptocurrency wallet data along with recruiting targeted systems for possible future DDoS attacks.
The malware is designed to recover passwords from popular web browsers, PC gaming software, and email services among other software. The malware automatically detects and decrypts the license/serial keys of more than 200 popular pieces of software, including Office, SQL Server, Adobe, and Nero, according to a Jan. 17 Trend Micro blog post.
Researchers warned that “Zyklon also provides a very efficient mechanism to monitor the spread and impact.”