After remaining dormant for a while, Zyklon malware has staged a comeback. Yes, the trojan spotted for the first time in 2016 is reported to be infecting numerous Windows systems via a deceptive spam campaign, urging people to download malicious ZIP archives. It takes advantage of vulnerabilities present in Microsoft Office software.
Zyklon Malware exploiting Microsoft Office flaws for infecting Windows
Zyklon is a virus that runs on MS-DOS. It is a publicly available and could be used for multiple purposes such as espionage campaigns, DDoS attacks or to mine cryptocurrency.
The incident was first noticed when security experts from FireEye discovered a new strain of the Zyklon malware being delivered via vulnerabilities in Microsoft Office. The team reported the malware was primarily targeting telecommunications and financial organizations.
We have observed this recent wave of Zyklon malware being delivered primarily through spam emails. The email typically arrives with an attached ZIP file containing a malicious DOC file (Figure 1 shows a sample lure).
The following industries have been the primary targets in this campaign:
- Financial Services
Once delivered and executed, an encrypted file in .NET resource section named tor gets decrypted and injected instantly into an instance of InstallUtiil.exe, and functions as a Tor anonymizer. After the connection is established with the server, the malware communicates with its control server using several commands. It also decrypts the license/serial keys of more than 200 popular pieces of software, including Office, SQL Server, Adobe, and Nero. Once done, Zyklon acquires the ability to hijack the clipboard and might replace the user’s copied bitcoin address with an address served up by the actor’s control server.
As the potential targets have been identified, it is highly likely that the threat actors will eventually move outside the scope of their current targeting. To stay safe, users should ensure that all their software is fully updated.