A new malware called Zyklon manipulates three Microsoft Office vulnerabilities. How does Zyklon malware work, and...
what vulnerabilities does it exploit?
Zyklon malware lurks in a zip file containing up to three malicious Microsoft Office files.
The botnet malware comes to life when an innocent user accidentally opens a zipped file that is typically attached to a phishing email. The exploit executes a PowerShell script to download a final payload from an attacker's command-and-control server. From there, the attacker can collect passwords and cryptocurrency wallet data, enabling him to use them against the target enterprise systems.
The first vulnerability the Zyklon malware exploits is a bug in the .NET framework -- CVE-2017-8789 -- where a malicious document gives the attacker the ability to remotely install programs, change data and create privileged accounts. Clicking on or hovering over an embedded Object Linking and Embedding object automatically downloads a malicious .doc file from an URL in the background of the system. However, the .NET framework was patched by Microsoft in October 2017.
The second vulnerability is the memory corruption flaw in the Microsoft Equation Editor -- CVE-2017-11882. An attacker can take advantage of this flaw to execute arbitrary code. Because no user interaction is required after the user opens the Editor, it took 17 years for Microsoft to recognize this flaw, but it was patched in November 2017.
The third vulnerability is the Dynamic Data Exchange (DDE) protocol. During this past year, attackers have succeeded in crafting macro-based malware to exploit this vulnerability to launch malicious droppers. While no patches have been released, Microsoft considers the DDE a product feature, not a vulnerability. As a precaution, however, Microsoft published practical advice on changing system settings in a registry file in order to safely disable the feature.
If these three vulnerabilities are used together, an attacker could collect passwords and cryptocurrency wallet data to launch denial-of-service attacks against the targeted systems. Enterprises and users alike should make sure these Microsoft vulnerabilities are fully patched to prevent any Zyklon malware infections.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Dig Deeper on Microsoft Windows security
Related Q&A from Judith Myerson
GE reported an improper authentication flaw in its PulseNet network management software for critical infrastructures. Discover how this flaw works ... Continue Reading
Researchers claim to have found a new attack against VMs that affects SEV technology. Expert Judith Myerson explains what this attack is and how it ... Continue Reading
The Wi-Fi Alliance released the updated WPA3 protocol, adding security enhancements to the Wi-Fi access process. Learn why enterprises should update ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.