
Zyklon malware: What Microsoft Office flaws does it exploit?

Zyklon malware targets three previously patched Microsoft Office vulnerabilities. Learn how attackers can access passwords and cryptocurrency wallet data with expert Judith Myerson.

A new malware called Zyklon manipulates three Microsoft Office vulnerabilities. How does Zyklon malware work, and what vulnerabilities does it exploit?

Zyklon malware lurks in a zip file containing up to three malicious Microsoft Office files.

The botnet malware comes to life when an unsuspecting user opens the zipped file, which is typically attached to a phishing email. The exploit executes a PowerShell script that downloads the final payload from the attacker's command-and-control server. From there, the attacker can collect passwords and cryptocurrency wallet data and use them against the targeted enterprise systems.

The first vulnerability the Zyklon malware exploits is a bug in the .NET framework -- CVE-2017-8789 -- in which a malicious document gives the attacker the ability to remotely install programs, change data and create privileged accounts. Clicking on or hovering over an embedded Object Linking and Embedding (OLE) object automatically downloads a malicious .doc file from a URL in the background. Microsoft patched the .NET framework in October 2017.

The second vulnerability is a memory corruption flaw in the Microsoft Equation Editor -- CVE-2017-11882 -- which an attacker can use to execute arbitrary code. No user interaction is required beyond opening the document that launches the Editor. The flaw went unrecognized for 17 years; Microsoft patched it in November 2017.

The third vulnerability is the Dynamic Data Exchange (DDE) protocol. During this past year, attackers have succeeded in crafting macro-based malware that exploits this vulnerability to launch malicious droppers. No patch has been released, because Microsoft considers DDE a product feature rather than a vulnerability. As a precaution, however, Microsoft published practical advice on registry settings that safely disable the feature.

If these three vulnerabilities are used together, an attacker could collect passwords and cryptocurrency wallet data and launch denial-of-service attacks against the targeted systems. Enterprises and users alike should make sure these Microsoft vulnerabilities are fully patched to prevent Zyklon malware infections.
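As an added defensive example that is not part of the original article, the following Python scanner inspects a .docx attachment for the three indicators discussed above: a DDE or DDEAUTO field code, an Equation Editor (Equation.3) OLE object, and an OLE object whose relationship points to an external target. The sample documents it builds in memory are constructed for the test; it covers only the .docx container, not the older binary .doc or .rtf formats.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Office Open XML namespaces in ElementTree's Clark notation.
W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
O = "{urn:schemas-microsoft-com:office:office}"
R = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"
PKG = "{http://schemas.openxmlformats.org/package/2006/relationships}"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)  # only field codes are searched

def scan_docx(data: bytes) -> list:
    """Return a list of findings for a .docx given as bytes (empty list = nothing seen)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
        # Word splits a field code across many <w:instrText> runs, so join them first;
        # <w:fldSimple> carries its code in an attribute instead.
        instr = "".join(t.text or "" for t in doc.iter(W + "instrText"))
        instr += " " + " ".join(f.get(W + "instr", "") for f in doc.iter(W + "fldSimple"))
        if DDE_RE.search(instr):
            findings.append("DDE field code in word/document.xml")
        external = set()  # relationship ids whose target lives outside the package
        if "word/_rels/document.xml.rels" in z.namelist():
            rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
            external = {r.get("Id") for r in rels.iter(PKG + "Relationship")
                        if r.get("TargetMode") == "External"}
        for ole in doc.iter(O + "OLEObject"):
            prog = ole.get("ProgID", "")
            if prog.startswith("Equation"):
                findings.append("Equation Editor OLE object (ProgID " + prog + ")")
            if ole.get(R + "id") in external:
                findings.append("OLE object linked to an external target")
    return findings

def make_docx(document_xml: str, rels_xml: str = "") -> bytes:
    """Build a minimal constructed .docx in memory (test input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
        if rels_xml:
            z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

# Constructed samples: a DDEAUTO field split across two runs, an Equation.3 object, benign text.
HEAD = '<w:document xmlns:w="%s" xmlns:o="%s" xmlns:r="%s"><w:body>' % (W[1:-1], O[1:-1], R[1:-1])
TAIL = "</w:body></w:document>"
DDE_DOC = HEAD + "<w:p><w:r><w:instrText>DDE</w:instrText></w:r><w:r><w:instrText>AUTO app topic</w:instrText></w:r></w:p>" + TAIL
EQN_DOC = HEAD + '<w:p><w:r><w:object><o:OLEObject Type="Embed" ProgID="Equation.3" r:id="rId1"/></w:object></w:r></w:p>' + TAIL
BENIGN_DOC = HEAD + "<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>" + TAIL
```

Run `scan_docx(make_docx(DDE_DOC))` to see the DDE finding; a document that trips none of the three checks returns an empty list, which is a signal to look at the file by other means, not a clean bill of health.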


This was last published in March 2018
