Security researchers have spotted a new malware campaign. This campaign is using three recently disclosed Microsoft Office vulnerabilities to spread an advanced botnet malware. This malware, dubbed Zyklon, has resurfaced after nearly two years and is targeting telecommunications, insurance, and financial services.
Zyklon has been in existence since 2016. The HTTP botnet malware uses the Tor anonymizing network to communicate with its command-and-control servers which allow hackers to remotely and secretly steal key logs and vital, sensitive data, for instance, passwords stored in web browsers and email clients. Microsoft Office users should be warned.
The Zyklon Malware
The Zyklon malware is a publically available virus, with full features backdoor capable of conducting distributed denial-of-service (DDoS) attacks, self-updating and self-removal, downloading and executing additional plugins, and password harvesting. According to FireEye, the malware can also ‘‘download several plugins, some of which include features such as cryptocurrency mining and password recovery, from browsers and email software.”
The malware is available in different versions and has previously been advertised in underground marketplaces with the normal build version going for $75 while the Tor-enabled build cost some $125.
Research has shown that attackers are leveraging the three vulnerabilities found in Microsoft Office that execute a PowerShell script on the computers targeted by the hackers to download the final payload from its C&C server.
Microsoft Office Vulnerabilities
- NET Framework RCE Vulnerability (CVE-2017-8759) – this is a remote code execution that exists the moment Microsoft .NET Framework processes an untrusted This gives the attacker an opportunity to control an infected system by tricking users to open a specially constructed malicious document file they send via email. In their September updates, Microsoft already acknowledged the presence of this vulnerability.
- Microsoft Office RCE Vulnerability (CVE-2017-11882) – Microsoft this is a 17-year-old memory corruption fault that Microsoft patched in their November updates. It gives the hacker a chance to execute malicious code on the targeted systems without having to interact with the user the moment they open the malicious document.
- Dynamic Data Exchange Protocol(DDE Exploit)– this is a technique that allows attackers to leverage a built-in feature of Microsoft Office known as DDE for code execution on the target system without requiring Macros enabling or memory corruption. Microsoft, however, do not recognize this one as a vulnerability and insists it is a product feature. Nonetheless, in their November update, they released a guide on how administrators can safely disable the feature using the new registry settings for Office.
DDE is indeed a protocol that establishes how apps send messages as well as how they share data through shared memory. However, this has not stopped attackers from successfully exploiting DDE to launch droppers, exploits, and malware. In the most recent attacks, FireEye experts said that the DDE is also used to deliver a dropper.
How Are The Attackers Doing It?
As the security researchers explained, the attackers are using the above three vulnerabilities to deliver Zyklon malware using spear phishing emails. Typically, these emails come with an attached ZIP file which contains a malicious Office doc file. The malicious doc file is equipped with one of the vulnerability, and once it is opened, it immediately runs a PowerShell script which ultimately downloads the final payload, aka the Zyklon HTTP malware to the infected system.
According to FireEye security researchers, all the techniques use a similar domain to download the next level payload (Pause.ps1), which is basically another PowerShell script that is Base64 encoded. While the Pause.ps1 is tasked with resolving the APIs required for code injection, “it also contains the injectable shellcode,” the experts said. It is this injectable code that is responsible for downloading the malware from the server. The final stage payload is a PE executable compiled with .Net framework.
Perhaps interestingly, the PowerShell script connects to a dotless IP address to download the final payload.
What is a dotless IP address?
A dotless IP address, sometimes also referred to as ‘Decimal Address,’ is a decimal value of IPv4 address, which is represented as a dotted-quad notation. Almost all modern browsers resolve decimal IP address to its corresponding IPV4 address when it is opened with “http://” following the decimal value.
For instance; it is possible to represent Google’s IP address 126.96.36.199 http://3627732942 in decimal values. You should probably try this online converter.
How To Protect Yourself
It is very important for you to protect yourself and your organization from the attacks. To do that, it is advisable always to be suspicious of any uninvited document you receive through your email. Always avoid clicking on any links accompanying such documents unless you have adequately verified the source.
It is also very crucial that you keep your software and systems up to date. This is because the threat actors are incorporating recently discovered, but patched, vulnerabilities in popular software (in this particular case Microsoft office) to increase the chances of successful infections.
And as always, it is always a good idea to use a verified VPN via Vpnadviser.com.