Security researchers have spotted a new malware campaign in the wild that spreads an advanced botnet malware by leveraging at least three recently disclosed vulnerabilities in Microsoft Office.
Dubbed Zyklon, the fully-featured malware has resurfaced after almost two years and has primarily been found targeting the telecommunications, insurance and financial services sectors.
Active since early 2016, Zyklon is an HTTP botnet malware that communicates with its command-and-control servers over the Tor anonymising network and allows attackers to remotely steal keylogs and sensitive data, such as passwords stored in web browsers and email clients.
Zyklon is also capable of executing additional plugins, including secretly using infected systems for DDoS attacks and cryptocurrency mining.
Different versions of the Zyklon malware have previously been found advertised on a popular underground marketplace for $75 (normal build) and $125 (Tor-enabled build).
According to a recently published report by FireEye, the attackers behind the campaign are leveraging the following three vulnerabilities in Microsoft Office to execute a PowerShell script on the targeted computers, which then downloads the final payload from the C&C server.
1) .NET Framework RCE Vulnerability (CVE-2017-8759): this remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input, allowing an attacker to take control of an affected system by tricking victims into opening a specially crafted malicious document file sent over email. Microsoft released a security patch for this flaw in its September updates.
2) Microsoft Office RCE Vulnerability (CVE-2017-11882): a 17-year-old memory corruption flaw, patched by Microsoft in its November update, that allows a remote attacker to execute malicious code on the targeted system without any further user interaction once a malicious document has been opened.
3) Dynamic Data Exchange Protocol (DDE Exploit): this technique allows attackers to leverage a built-in feature of Microsoft Office, called DDE, to achieve code execution on the targeted device without requiring macros to be enabled or any memory corruption.
As explained by the researchers, attackers are actively exploiting these three vulnerabilities to deliver the Zyklon malware using spear-phishing emails, which typically arrive with an attached ZIP file containing a malicious Office document.
Once opened, the malicious document, weaponised with one of these vulnerabilities, immediately runs a PowerShell script, which eventually downloads the final payload, i.e., the Zyklon HTTP malware, onto the infected computer.
“In all these techniques, the same domain is used to download the next level payload (Pause.ps1), which is another PowerShell script that is Base64 encoded,” the FireEye researchers said.
“The Pause.ps1 script is responsible for resolving the APIs required for code injection. It also contains the injectable shellcode.”
“The injected code is responsible for downloading the final payload from the server. The final stage payload is a PE executable compiled with .Net framework.”
Interestingly, the PowerShell script connects to a dotless IP address (example: http://3627732942) to download the final payload.
What is a dotless IP address? If you are unaware, dotless IP addresses, sometimes referred to as ‘decimal addresses,’ are the decimal values of IPv4 addresses (which are normally represented in dotted-quad notation). Almost all modern web browsers resolve a decimal IP address to its equivalent IPv4 address when it is opened with “http://” preceding the decimal value.
For example, Google’s IP address 188.8.131.52 can also be represented as http://3627732942 in decimal (try this online converter).
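As an added example (not code from the article or from FireEye's report), the following Python normalises numeric URL hosts to dotted-quad form so that a download from http://3627732942 can be matched against ordinary IP indicators; it goes beyond the decimal case described above and also handles the hexadecimal, octal and short (fewer than four parts) forms that browsers accept, and runs over constructed proxy-log lines.

```python
import ipaddress
import re

def _parse_part(part):
    """Parse one numeric host component the way browsers do:
    0x... is hex, a leading 0 means octal, anything else is decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16) if part[2:] else 0
    if len(part) > 1 and part[0] == "0":
        return int(part[1:], 8) if all(c in "01234567" for c in part[1:]) else None
    return int(part) if part.isdigit() else None

def normalize_numeric_host(host):
    """Return the dotted-quad form of a decimal, hex, octal or short-form
    IPv4 host, or None if the host is not a numeric IPv4 address."""
    parts = host.split(".")
    if parts[-1] == "":            # browsers tolerate a trailing dot
        parts.pop()
    if not parts or len(parts) > 4:
        return None
    numbers = [_parse_part(p) for p in parts]
    if None in numbers or any(n > 255 for n in numbers[:-1]):
        return None
    # The last part fills every remaining byte: a single part is all 4 bytes.
    remaining = 5 - len(numbers)
    if numbers[-1] >= 256 ** remaining:
        return None
    value = 0
    for n in numbers[:-1]:
        value = (value << 8) | n
    value = (value << (8 * remaining)) | numbers[-1]
    return str(ipaddress.IPv4Address(value))

URL_HOST_RE = re.compile(r"https?://([^/\s:?#]+)", re.IGNORECASE)

def find_dotless_urls(lines):
    """Return (host, dotted_quad) for each URL whose host is a numeric IPv4
    address written in any form other than plain dotted-quad notation."""
    hits = []
    for line in lines:
        for host in URL_HOST_RE.findall(line):
            dotted = normalize_numeric_host(host)
            if dotted is not None and dotted != host:
                hits.append((host, dotted))
    return hits

# Constructed proxy-log lines (not real telemetry) showing the pattern.
SAMPLE_LOG = [
    "2018-01-18T10:02:11Z GET http://3627732942/Pause.ps1 ua=WindowsPowerShell",
    "2018-01-18T10:02:12Z GET http://0xd83acfce/Pause.ps1 ua=WindowsPowerShell",
    "2018-01-18T10:03:00Z GET http://www.example.com/index.html ua=Mozilla",
    "2018-01-18T10:03:05Z GET http://216.58.207.206/ ua=Mozilla",
]
```

Hosts that are already in dotted-quad form are deliberately not reported, so the function only flags the obfuscated spellings that a plain indicator match would miss.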
The best way to protect yourself and your organisation from such malware attacks is always to be suspicious of any uninvited document sent via email, and never to click on links inside those documents unless you have adequately verified the source.
Most importantly, always keep your software and systems up to date, as threat actors incorporate recently discovered but already patched vulnerabilities in popular software (Microsoft Office, in this case) to raise the potential for successful infections.