Hackers are focusing on the insurance, telecoms, and financial service sectors with Zyklon malware. A large-scale spam email campaign has been discovered that leverages three separate Microsoft Office vulnerabilities to install the malicious payload.

Zyklon malware has been seen before. The malware variant was first seen at the beginning of 2016, but it stopped being seen soon after and was not extensively used until the start of 2017.

Zyklon malware is a backdoor with a wide variety of malicious functions. The malware behaves as a password harvester, keylogger, and data scraper, obtaining sensitive data and obtaining credentials for further attacks. The malware can also be implemented to complete DoS attacks and mine cryptocurrency.

The most recent variant of Zyklon malware can install and run various plugins and additional malware variants. It can spot, decrypt, and steal serial keys and license numbers from over 200 software packages and can also hijack Bitcoin addresses.  All told, this is a strong and particularly nasty and damaging malware variant that is best avoided.

While the most recent campaign uses spam email, the malware is not shared as an attachment. A zip file is attached to the email that includes a Word document. If the document is extracted, opened, and the embedded OLE object run, it will lead to the download of a PowerShell script, using one of three Microsoft Office weaknesses.

The first vulnerability is CVE-2017-8759: A Microsoft NET vulnerability that was addressed in a patch released by Microsoft in October.

The second ‘vulnerability’ is Dynamic Data Exchange (DDE) – a protocol part of Office that allows data to be shared via shared memory. This protocol is used to deliver a dropper that will download the malware payload. This vulnerability has not been addressed with a patch, although Microsoft has released guidance on how to disable the feature to prevent exploitation by hackers.

The third vulnerability is much older. CVE-2017-11882 is a remote code execution flaw in Microsoft Equation Editor that has been in existence  in 17 years. The flaw was only recently identified and patched by Microsoft in November.

The next stage of infection – The PowerShell script – serves as a dropper for the Zyklon malware payload.

According to the FireEye security experts who identified the campaign, the malware can remain unseen by hiding communications with its C2 using the Tor network. “The Zyklon executable contains another encrypted file in its .Net resource section named tor. This file is decrypted and injected into an instance of InstallUtiil.exe, and functions as a Tor anonymizer.”

Campaigns like this highlight the importance of applying patches quickly. Two of the vulnerabilities were patched in the Autumn of 2017, yet many groups have yet to apply the patches and remain vulnerable. If patches are not run, it will only be a matter of time before vulnerabilities are targeted.

FireEye researchers have warned that while the campaign is currently only focusing on three industry sectors, it is probable that the campaign will grow to target other industry sectors in the near future.

The advice is to put in place an advanced cloud-based anti-spam service such like SpamTitan to identify and quarantine malicious emails,  and ensure that operating systems and software is kept updated.