MS Office vulnerabilities used to spread Zyklon malware

By Staff Writer, ITWeb
Johannesburg, 18 Jan 2018
Zyklon is used for a variety of malicious activities.

Researchers at security company, FireEye, have noticed that cyber criminals are exploiting fairly new vulnerabilities in MS Office to spread Zyklon HTTP malware.

Zyklon HTTP Botnet malware has been observed in the wild since 2016, is readily available to attackers in online dark marketplaces, and has been used for a variety of nefarious activities. It has the ability to carry out various types of DDOS attacks, including HTTP flood, TCP flood, UDP flood, SYN flood, and Slowloris.

In addition, once it has infected a system, it has full backdoor capabilities, such as keylogging, password harvesting, stealing confidential data and executing additional plugins. Zyklon is also a downloader and delivery mechanism for Cerber encryption ransomware.

It has primarily targeted the telecommunications, insurance and financial services industries.

How it's delivered

FireEye researchers say that they have seen the recent slew of Zyklon malware being delivered primarily via spam e-mails that contain a ZIP file containing a malicious DOC file.

The document files exploit at least three known vulnerabilities in MS Office. Upon execution, each document immediately runs a PowerShell script - PowerShell being a task automation and configuration management framework from MS - which downloads the final payload, Zyklon, from the command and control (C&C) server.

The C&C server is used by attackers to maintain communications with compromised systems within a target network, including instructing them to execute the payload.
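The delivery chain described above (a malicious document that launches PowerShell to fetch the payload) leaves a distinctive parent/child process relationship in endpoint telemetry: an Office application spawning a script host. The following is an added illustrative example, not code from FireEye, ITWeb or the Zyklon analysis; the JSON-lines log format, field names and every sample record are constructed for the demonstration, and the indicator lists are generic defensive heuristics rather than anything specific to this campaign.

```python
"""Flag Office applications spawning script hosts in process-creation telemetry.

Added example (not from the article). Assumes a constructed JSON-lines log with
the fields host, parent_image, image and command_line; real EDR/Sysmon exports
will need their field names mapped onto these.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Office binaries whose children are worth scrutinising.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script/command hosts that a document should not normally launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# Generic command-line fragments seen in script-driven download stages
# (constructed heuristic list, not campaign-specific indicators).
SUSPICIOUS_HINTS = (
    "downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
    "net.webclient", "-enc", "-encodedcommand",
)


@dataclass
class Alert:
    host: str
    parent: str
    child: str
    reason: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_event(event: dict) -> Optional[Alert]:
    """Return an Alert if an Office parent launched a script host, else None."""
    parent = _basename(event.get("parent_image", ""))
    child = _basename(event.get("image", ""))
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    cmd = event.get("command_line", "").lower()
    hints = [h.strip() for h in SUSPICIOUS_HINTS if h in cmd]
    reason = "office app spawned script host"
    if hints:
        reason += "; suspicious fragments: " + ", ".join(hints)
    return Alert(event.get("host", "?"), parent, child, reason)


def scan_log(lines: Iterable[str]) -> List[Alert]:
    """Parse JSON-lines telemetry and collect alerts; malformed lines are skipped."""
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # do not let one bad record abort the whole scan
        alert = analyze_event(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: one Word->PowerShell chain with an encoded
# command, one benign Explorer->PowerShell launch, one Excel->cmd chain, and one
# malformed record.
SAMPLE_LOG = r"""
{"host": "ws01", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -nop -w hidden -enc <BASE64_PLACEHOLDER>"}
{"host": "ws02", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe Get-Process"}
{"host": "ws03", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c echo hello"}
not json at all
"""

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{a.host}: {a.parent} -> {a.child} ({a.reason})")
```

The rule keys on the parent/child pair rather than on the command line alone, so it still fires when the download stage is obfuscated or encoded; the command-line fragments only enrich the alert. In an environment where macros legitimately launch scripts, the expected parent/child pairs would need to be allow-listed before this rule is used for alerting.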

Update and patch

Cyber criminals who take advantage of vulnerabilities in popular software greatly increase their chances of success, says Simon Campbell-Young, MD of Intact Software Distribution. "The best way for businesses and individuals to protect themselves from such attacks is to always err on the side of caution, and never, ever click on links or attachments in e-mails unless 100% certain they are from a legitimate source."

Moreover, he advises always keeping software and systems fully and instantly updated. "Cyber crooks take advantage of new vulnerabilities, even those that have been patched, trusting that many businesses are a bit slack when it comes to patching instantly. Don't fall into this trap."
