A new malware called Zyklon manipulates three Microsoft Office vulnerabilities. How does Zyklon malware work, and what vulnerabilities does it exploit?
Zyklon malware lurks in a zip file containing up to three malicious Microsoft Office files.
The botnet malware comes to life when an innocent user accidentally opens a zipped file that is typically attached to a phishing email. The exploit executes a PowerShell script to download a final payload from an attacker's command-and-control server. From there, the attacker can collect passwords and cryptocurrency wallet data, enabling him to use them against the target enterprise systems.
The first vulnerability the Zyklon malware exploits is a bug in the .NET framework -- CVE-2017-8789 -- where a malicious document gives the attacker the ability to remotely install programs, change data and create privileged accounts. Clicking on or hovering over an embedded Object Linking and Embedding object automatically downloads a malicious .doc file from an URL in the background of the system. However, the .NET framework was patched by Microsoft in October 2017.
The second vulnerability is the memory corruption flaw in the Microsoft Equation Editor -- CVE-2017-11882. An attacker can take advantage of this flaw to execute arbitrary code. Because no user interaction is required after the user opens the Editor, it took 17 years for Microsoft to recognize this flaw, but it was patched in November 2017.
The third vulnerability is the Dynamic Data Exchange (DDE) protocol. During this past year, attackers have succeeded in crafting macro-based malware to exploit this vulnerability to launch malicious droppers. While no patches have been released, Microsoft considers the DDE a product feature, not a vulnerability. As a precaution, however, Microsoft published practical advice on changing system settings in a registry file in order to safely disable the feature.
If these three vulnerabilities are used together, an attacker could collect passwords and cryptocurrency wallet data to launch denial-of-service attacks against the targeted systems. Enterprises and users alike should make sure these Microsoft vulnerabilities are fully patched to prevent any Zyklon malware infections.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Dig Deeper on Microsoft Windows security
Related Q&A from Judith Myerson
The Signal Desktop application was found to be making decryption keys available in plaintext. Learn how the SQLite database and plaintext passwords ... Continue Reading
An exploit code for Dirty COW was accidentally shipped by Cisco with product software. Learn how this code ended up in a software release and what ... Continue Reading
Cisco's Webex Meetings platform had to be re-patched after researchers found the first one was failing. Discover what went wrong with the first patch... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.