Powerful Zyklon malware exploiting MS Office flaws

Cyber attackers are exploiting three recently discovered vulnerabilities in Microsoft Office to spread multifunction Zyklon malware, security researchers warn

Businesses are being urged to ensure Microsoft Office patches are up to date as known vulnerabilities are being used to spread the powerful Zyklon malware.

The malware, which has been in use since 2016, is designed to launch distributed denial of service (DDoS) attacks, log keystrokes, steal passwords and mine cryptocurrency.

Zyklon is also capable of executing additional plugins, has functionality to update and remove itself, and may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so.

The malware “automatically detects and decrypts the licence/serial keys of more than 200 popular pieces of software, including Office, SQL Server, Adobe, and Nero”, and enables attackers to hijack bitcoin address clipboards to replace a user’s address with an address controlled by the cyber criminals.

One of the latest Zyklon campaigns is being delivered through spam emails, which typically arrive with an attached .zip file containing a malicious .doc file, according to researchers at FireEye.

The main industries targeted by this campaign are telecommunications, insurance and financial services, but the researchers warned that organisations in all sectors should be on alert. “It is highly likely that the threat actors will eventually move outside the scope of their current targeting,” they said in a blog post.

The malicious .doc file exploits at least three known vulnerabilities in Microsoft Office, and upon execution in a vulnerable environment the PowerShell-based payload takes over. The PowerShell script is responsible for downloading the final payload from a C2 server to execute it, the researchers said.

The three vulnerabilities exploited by the .doc file are CVE-2017-8759, CVE-2017-11882 and a vulnerability in the Dynamic Data Exchange communication mechanism.

“These types of threats show why it is very important to ensure that all software is fully updated,” the FireEye researchers said.

According to Michael Patterson, CEO of security incident response firm Plixer, this type of malware infection supports the urgency to keep systems patched with automated updates.

“Although a system might be protected against Zyklon, variants of malware are constantly being released in a zero-day fashion, which can lead to costly clean-ups,” he said. 

As a proactive measure, Patterson said companies with Microsoft products deployed should be collecting network traffic flows from all routers and virtual servers to perform network traffic analysis in the event of a breach.  

“Detecting and locating the source of the breach event quickly is of paramount importance. For example, Tor traffic, which is unusual on a network, can easily be found and stopped by looking at the traffic flow. Using traffic analytics and adding context can lead to faster remediation and go a long way towards helping keep a company safe,” he said.
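As an added illustration of the flow-based check Patterson describes (this is example code, not from the article or from Plixer), the script below parses a constructed, simplified NetFlow-style record set and flags internal hosts whose outbound flows go to a known Tor relay or to Tor's default relay ports (ORPort 9001, DirPort 9030). The relay list and the TEST-NET destination addresses are placeholders; in practice the relay set would be refreshed from a Tor consensus or threat-intelligence feed, and port matching alone is only a weak signal because relays can listen on any port.

```python
"""Added example (not part of the article): flag Tor-looking flows in
NetFlow-style records, the kind of traffic-analysis check the quote describes."""
import ipaddress

# Constructed stand-in for a real Tor relay feed; TEST-NET placeholders, not real relays.
KNOWN_TOR_RELAYS = {"198.51.100.7", "203.0.113.42"}

# Tor's default relay ports (ORPort 9001, DirPort 9030). Weak signal on its own.
TOR_DEFAULT_PORTS = {9001, 9030}

# The organisation's internal ranges (RFC 1918); assumed for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows: src_ip, dst_ip, dst_port, protocol, bytes
SAMPLE_FLOWS = """\
10.0.5.23,198.51.100.7,443,tcp,18230
10.0.5.23,192.0.2.10,443,tcp,4410
10.0.7.118,203.0.113.42,9001,tcp,99120
10.0.7.118,10.0.0.5,53,udp,210
10.0.9.4,192.0.2.77,9030,tcp,3101
"""


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse CSV flow lines into dicts; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        src, dst, port, proto, nbytes = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
            flows.append({"src": src, "dst": dst, "dport": int(port),
                          "proto": proto, "bytes": int(nbytes)})
        except ValueError:
            continue  # not a valid address or integer field
    return flows


def classify_flow(flow, relays=KNOWN_TOR_RELAYS, ports=TOR_DEFAULT_PORTS):
    """Return a reason string if the flow looks Tor-related, otherwise None."""
    if is_internal(flow["dst"]):
        return None  # internal-to-internal traffic is out of scope here
    if flow["dst"] in relays:
        return "destination is a known Tor relay"
    if flow["proto"] == "tcp" and flow["dport"] in ports:
        return "destination port is a Tor default (ORPort/DirPort)"
    return None


def find_tor_suspects(text):
    """Map each internal source host to the list of Tor-looking flows it made."""
    suspects = {}
    for flow in parse_flows(text):
        reason = classify_flow(flow)
        if reason:
            suspects.setdefault(flow["src"], []).append(
                f"{flow['dst']}:{flow['dport']} ({reason})")
    return suspects


if __name__ == "__main__":
    for host, hits in find_tor_suspects(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(hits))
```

Run against the sample, three internal hosts are reported: two because their destination is on the relay list, one because it talks to TCP/9030. The host whose only external flow is ordinary HTTPS to an unlisted address is not flagged, which is the point of combining a relay list with port heuristics rather than relying on either alone.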

Failure to keep software patches up to date exposes organisations to threats unnecessarily, but a recent study by security firm AlienVault showed that some vulnerabilities go unpatched for several years.

For example, CVE-2010-2568 was ranked as the third most referenced vulnerability by suppliers in AlienVault’s Open Threat Exchange (OTX) platform in 2017, and yet the remote code execution vulnerability in the Windows common controls was patched by Microsoft in 2012.

Sean Newman, director at Corero Network Security, said the fact that attackers are using vulnerabilities in Microsoft Office products to install malware, which can be remotely controlled to deliver those attacks, will not be a surprise to many people.

“However, the flexibility and attack scale possible from such an army of compromised devices should be a significant concern,” he said, especially in the light of the possibilities for cryptocurrency abuse or the ability to generate large-scale DDoS attacks.

“These capabilities have significant revenue-generating potential for the cyber criminals, at the expense of those trying to benefit from the broad opportunities the internet affords,” said Newman.

“Ensuring your software is patched can help to keep you safe from attacks on your data or cryptocurrency, but the only way to ensure you are safe from external DDoS attacks generated by this malware is to ensure you have the latest real-time protection in place,” he said.
