Zyklon HTTP malware is a very powerful one in the field. It’s a publicly available, full-featured backdoor malware that can work as a keylogger, download and execute additional plugins, conduct DDoS attacks, self-updating and self-removal. This serious bug is now using MS Office’s vulnerability to spread across systems.

According to FireEye researchers, the attackers are now trying to harvest passwords and cryptocurrency wallet data and also, make a target for future DDoS (Distributed Denial of Service) attacks. FireEye researchers first identified this malware. According to their description, the attack begins with a malicious ZIP file from spam campaigns. That ZIP file contains one or several types of DOC file(s) that use the Office’s vulnerabilities to exploit the PC.

The flaws

The first vulnerability the malware uses is a .NET Framework bug (CVE-2017-8759). Microsoft patched the bug in October 2017. Using this bug, the infected document can allow attackers to install programs, data manipulation and even create a new, privileged account. As FireEye described, the infected DOC comes up with an embedded OLE Object. When executing, it downloads another additional DOC file from a stored URL.

The second vulnerability is a pretty old bug –17 years old! It’s the infamous remote code execution bug (CVE-2017-11882). It’s found in an Office executable named “Microsoft Equation Editor”. As a part of Nov. 2017 Patch, Microsoft patched the bug. This bug also allows the infected DOC file to download another additional DOC containing a PowerShell command that downloads the final payload.

The third flaw, DDE (Dynamic Data Exchange) isn’t considered a flaw by Microsoft. Instead, they describe it as their product’s feature. DDE is the protocol used for sending and sharing data through shared memory. However, hackers have been successfully exploiting DDE with macro-based malware to launch exploits, droppers etc. In the most recent attacks, DDE delivered a dropper, according to FireEye.

Zyklon’s capabilities

According to FireEye, Zyklon is immensely powerful, “Zyklon is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal. The malware can download several plugins, some of which include features such as cryptocurrency mining and password recovery, from browsers and email software”.

If we focus on the recent attacks, Zyklon is mostly targeting businesses, including telecom companies, financial institutions, and insurance.

The fix

Zyklon was dormant for years until it woke up recently. MS Office is a really popular office suite for everyone – personal to business level. The reason Zyklon is able to infect systems is due to the fault of us, users.

Most of the time, we don’t update our apps. We continue to use them as if everything’s ok. The older version of apps may contain bugs/flaws that may allow illegal access. That’s why developers/companies release newer versions. This is the perfect situation for Zyklon to attack.

To stay protected, update your system to the latest. Update all your software, especially MS Office and Windows. Zyklon is using .NET Framework flaws, so that’s the top priority. If you’re updating after a long time, it will take quite a few hours to completely update your entire system. You might like using WSUS Offline Update. This tool downloads all the updates and saves them offline. You can also install all the update one by one using the tool. Learn how to use WSUS Offline Update.