Security researchers have identified a new malware campaign that spreads the advanced Zyklon botnet malware using at least three recently disclosed vulnerabilities in Microsoft Office.
Dubbed Zyklon, the full-featured malware has reappeared after almost two years and mainly targets the telecommunications, insurance, and financial services sectors.
Active since early 2016, Zyklon is an HTTP botnet malware that communicates with its command-and-control servers over the anonymous Tor network and allows attackers to capture keystrokes and steal sensitive data, such as passwords stored in web browsers.
Zyklon can also run additional plug-ins, including ones that covertly use infected systems for DDoS attacks and cryptocurrency mining.
Several versions of Zyklon have already been advertised on a popular underground marketplace for $75 (normal build) and $125 (Tor-enabled build).
According to a report recently released by FireEye, the attackers behind the campaign are exploiting the three Microsoft Office vulnerabilities below to execute a PowerShell script on target computers, which downloads the final payload from their C&C server.
1) .NET Framework RCE Vulnerability (CVE-2017-8759): This remote code execution vulnerability exists when the Microsoft .NET Framework processes untrusted input, allowing an attacker to take control of an affected system by tricking victims into opening a specially crafted malicious document file sent via email. Microsoft already released a security patch for this flaw in its September updates.
2) Microsoft Office RCE Vulnerability (CVE-2017-11882): A 17-year-old memory corruption flaw, patched by Microsoft in its November update, that lets a remote attacker run malicious code on target systems once a malicious document has been opened, with no further user interaction required.
3) Dynamic Data Exchange Protocol (DDE Exploit): This technique lets attackers abuse a built-in Microsoft Office feature, called DDE, to execute code on the target device without requiring macros to be enabled or any memory corruption.
As the researchers explain, attackers are actively exploiting these three vulnerabilities to deliver Zyklon malware via spear-phishing emails, which usually arrive with an attached ZIP file containing a malicious Office document.
Once opened, the malicious document exploits one of these vulnerabilities and immediately runs a PowerShell script, which ultimately downloads the final payload, the Zyklon HTTP malware, onto the infected computer.
“In all of these techniques, the same domain is used to download the next-level payload (Pause.ps1), which is another PowerShell script encoded in Base64,” FireEye researchers said.
“The script Pause.ps1 is responsible for resolving the APIs required for code injection and also contains the injectable shellcode.”
“The injected code is responsible for downloading the final payload from the server, while the payload for the final phase is a PE executable compiled with the .Net framework.”
Interestingly, the PowerShell script connects to a dotless IP address (for example, http://3627732942) to download the final payload.
What is a dotless IP address? Dotless IP addresses, sometimes called “decimal addresses”, are the decimal value of an IPv4 address, which is normally written in dotted-quad notation. Almost all modern web browsers resolve a decimal IP address to its equivalent IPv4 address when it is given after “http://”. This matters for defenders because URL filters and blocklists that match only on the dotted form will not recognise the same address written as a bare decimal number.
For example, the IP address of Google 220.127.116.11 can also be represented as http://3627732942 in decimal form (try this with an online converter).
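The following is an added example, not code from the article or from FireEye: it converts between dotted-quad and dotless-decimal IPv4 forms and then normalises the host of each URL in constructed proxy log lines before matching against a blocklist, so that a download from `http://3405803786` is caught by a blocklist entry for `203.0.113.10`. The log format, the sample lines and the blocklist value are all assumptions made up for the example.

```python
import ipaddress
from typing import Iterator, Optional, Tuple
from urllib.parse import urlsplit


def dotless_to_ipv4(value: int) -> str:
    """Convert a 32-bit decimal ("dotless") value to dotted-quad notation."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit IPv4 value: %r" % value)
    return str(ipaddress.IPv4Address(value))


def ipv4_to_dotless(dotted: str) -> int:
    """Inverse conversion: dotted-quad string to its decimal (dotless) value."""
    return int(ipaddress.IPv4Address(dotted))


def canonical_host(url: str) -> Optional[str]:
    """Return the URL's host in dotted-quad form when it is an IPv4 literal,
    whether written as 1.2.3.4 or as a bare decimal such as 3627732942.
    Hostnames and unparsable hosts return None (left to DNS-based checks)."""
    host = urlsplit(url).hostname
    if host is None:
        return None
    if host.isdigit():  # dotless decimal form, as in http://3627732942
        try:
            return dotless_to_ipv4(int(host))
        except ValueError:  # too large to be an IPv4 address
            return None
    try:
        return str(ipaddress.IPv4Address(host))
    except ipaddress.AddressValueError:
        return None


# Constructed sample proxy log lines (not from the report); fields are key=value.
SAMPLE_PROXY_LOG = [
    "src=10.0.0.5 method=GET url=http://3405803786/Pause.ps1 ua=WindowsPowerShell",
    "src=10.0.0.7 method=GET url=http://203.0.113.10/index.html ua=Mozilla/5.0",
    "src=10.0.0.9 method=GET url=http://example.com/ ua=Mozilla/5.0",
]
# Constructed blocklist entry, in the dotted form a threat feed would publish.
BLOCKLIST = {"203.0.113.10"}


def find_blocked(lines, blocklist) -> Iterator[Tuple[str, str]]:
    """Yield (line, canonical_ip) for each line whose url= host is on the
    blocklist after normalisation, so dotless hosts no longer slip past."""
    for line in lines:
        for field in line.split():
            if field.startswith("url="):
                ip = canonical_host(field[len("url="):])
                if ip in blocklist:
                    yield line, ip
```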
The best way to protect yourself and your organization from Zyklon malware attacks is to always be suspicious of unexpected documents sent by email and never click on links in such documents unless you have properly verified the source.
Most importantly, keep your software and systems up to date, because threat actors incorporate newly discovered vulnerabilities that have already been patched in popular software, in this case Microsoft Office, to increase their chances of a successful infection.