# Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign

**[fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html](https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html)**

**Introduction**

FireEye researchers recently observed threat actors leveraging relatively new vulnerabilities in Microsoft Office to spread Zyklon HTTP malware. Zyklon has been observed in the wild since early 2016 and provides myriad sophisticated capabilities.

Zyklon is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal. The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network if configured to do so.

The malware can download several plugins, some of which include features such as cryptocurrency mining and password recovery from browsers and email software. Zyklon also provides a very efficient mechanism for the operator to monitor the spread and impact of the campaign.

**Infection Vector**

We have observed this recent wave of Zyklon malware being delivered primarily through spam emails. The email typically arrives with an attached ZIP file containing a malicious DOC file (Figure 1 shows a sample lure).

The following industries have been the primary targets in this campaign:

- Telecommunications
- Insurance
- Financial Services

Figure 1: Sample lure documents

**Attack Flow**

1. Spam email arrives in the victim's mailbox as a ZIP attachment, which contains a malicious DOC file.
2. The document files exploit at least three known vulnerabilities in Microsoft Office, which we discuss in the Infection Techniques section. Upon execution in a vulnerable environment, the PowerShell-based payload takes over.
3. The PowerShell script is responsible for downloading the final payload from the C2 server and executing it.

A visual representation of the attack flow and execution chain can be seen in Figure 2.

Figure 2: Zyklon attack flow

**Infection Techniques**

CVE-2017-8759

[This vulnerability was discovered by FireEye in September 2017](https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html), and it is a vulnerability we have observed being exploited in the wild. The DOC file contains an embedded OLE Object that, upon execution, triggers the download of an additional DOC file from the stored URL (seen in Figure 3).

Figure 3: Embedded URL in OLE object

CVE-2017-11882

[Similarly, we have also observed actors leveraging another recently discovered vulnerability](https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html) (CVE-2017-11882) in Microsoft Office. Upon opening the malicious DOC attachment, an additional download is triggered from a stored URL within an embedded OLE Object (seen in Figure 4).

Figure 4: Embedded URL in OLE object

Figure 5: HTTP GET request to download the next level payload

The downloaded file, doc.doc, is XML-based and contains a PowerShell command (shown in Figure 6) that subsequently downloads the next stage, Pause.ps1.

Figure 6: PowerShell command to download the Pause.ps1 payload

Dynamic Data Exchange (DDE)

Dynamic Data Exchange (DDE) is the interprocess communication mechanism that is exploited to perform remote code execution. With the help of a PowerShell script (shown in Figure 7), the next payload (Pause.ps1) is downloaded.

Figure 7: DDE technique used to download the Pause.ps1 payload

One of the unique approaches we have observed is the use of dot-less IP addresses (example: hxxp://258476380). Figure 8 shows the network communication of the Pause.ps1 download.
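A dot-less URL such as the hxxp://258476380 example above slips past indicator lists that only hold dotted-quad addresses, because Windows URL handling accepts an IPv4 address written as a single 32-bit integer. The following helper, an added example that is not code from the original post, normalises such hosts in proxy log lines so they can be compared with ordinary indicators; it goes slightly beyond the post by also handling hex (0x-prefixed) integer hosts. The log format (timestamp, client, method, URL) and the log lines themselves are constructed for the demonstration; the first line reuses the post's example value, which decodes to 15.104.9.92.

```python
"""Decode "dot-less" IPv4 hosts (e.g. http://258476380/) found in proxy logs.

Added example, not from the original post. Windows/WinINet and common
browsers accept an IPv4 host written as one 32-bit integer (decimal, or
hex with a 0x prefix); this normalises those hosts to dotted-quad form.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines: timestamp client method url
SAMPLE_LOG = """\
2018-01-10T10:01:02Z 10.0.0.5 GET http://258476380/Pause.ps1
2018-01-10T10:01:05Z 10.0.0.7 GET http://example.com/index.html
2018-01-10T10:02:11Z 10.0.0.9 GET http://0x0a000001/update.bin
2018-01-10T10:03:40Z 10.0.0.9 GET http://192.0.2.10/normal.txt
"""

_DEC = re.compile(r"^\d+$")
_HEX = re.compile(r"^0x[0-9a-f]+$", re.IGNORECASE)


def decode_dotless_host(host: str):
    """Return the dotted-quad form of a decimal or hex integer host,
    or None if the host is not a dot-less IPv4 literal."""
    if _DEC.match(host):
        value = int(host, 10)
    elif _HEX.match(host):
        value = int(host, 16)
    else:
        return None
    if value > 0xFFFFFFFF:  # does not fit in 32 bits, so not an IPv4 address
        return None
    return str(ipaddress.IPv4Address(value))


def find_dotless_urls(log_text: str):
    """Return (original_url, decoded_ip) for every log line whose URL host
    is written as a bare integer. Lines with ordinary hosts are skipped."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[3]
        host = urlsplit(url).hostname or ""
        decoded = decode_dotless_host(host)
        if decoded is not None:
            hits.append((url, decoded))
    return hits


if __name__ == "__main__":
    for url, ip in find_dotless_urls(SAMPLE_LOG):
        print(f"{url} -> {ip}")
```

Run the decoded address through the same blocklist or threat-intel lookup as any other destination; the point is that the comparison happens on the normalised form, not on the raw host string.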
Figure 8: Network communication to download the Pause.ps1 payload

**Zyklon Delivery**

In all these techniques, the same domain is used to download the next level payload (Pause.ps1), which is another PowerShell script that is Base64 encoded (as seen in Figure 8). The Pause.ps1 script is responsible for resolving the APIs required for code injection. It also contains the injectable shellcode. The resolved APIs include VirtualAlloc(), memset(), and CreateThread(). Figure 9 shows the decoded Base64 code.

Figure 9: Base64 decoded Pause.ps1

The injected code is responsible for downloading the final payload from the server (see Figure 10). The final stage payload is a PE executable compiled with the .NET framework.

Figure 10: Network traffic to download final payload (words.exe)

Once executed, the file performs the following activities:

1. Drops a copy of itself in %AppData%\svchost.exe\svchost.exe and drops an XML file, which contains configuration information for Task Scheduler (as shown in Figure 11).
2. Unpacks the code in memory via process hollowing. The MSIL file contains the packed core payload in its .NET resource section.
3. The unpacked code is Zyklon.

Figure 11: XML configuration file to schedule the task

The Zyklon malware first retrieves the external IP address of the infected machine using the following services:

- api.ipify[.]org
- ip.anysrc[.]net
- myexternalip[.]com
- whatsmyip[.]com

The Zyklon executable contains another encrypted file in its .NET resource section named tor. This file is decrypted and injected into an instance of InstallUtil.exe, and functions as a Tor anonymizer.

**Command & Control Communication**

The C2 communication of Zyklon is proxied through the Tor network. The malware sends a POST request to the C2 server. The C2 server address, which is stored in the file's memory, is appended with gate.php to form the request URL. The parameter passed in this request is getkey=y.
In response to this request, the C2 server responds with a Base64-encoded RSA public key (seen in Figure 12).

Figure 12: Zyklon public RSA key

After the connection is established with the C2 server, the malware can communicate with its control server using the commands shown in Table 1.

| Command | Action |
| --- | --- |
| sign | Requests system information |
| settings | Requests settings from C2 server |
| logs | Uploads harvested passwords |
| wallet | Uploads harvested cryptocurrency wallet data |
| proxy | Indicates SOCKS proxy port opened |
| miner | Cryptocurrency miner commands |
| error | Reports errors to C2 server |
| ddos | DDoS attack commands |

Table 1: Zyklon accepted commands

The following figures show the initial request and subsequent server response for the "settings" (Figure 13), "sign" (Figure 14), and "ddos" (Figure 15) commands.

Figure 13: Zyklon issuing "settings" command and subsequent server response

Figure 14: Zyklon issuing "sign" command and subsequent server response

Figure 15: Zyklon issuing "ddos" command and subsequent server response

**Plugin Manager**

Zyklon downloads a number of plugins from its C2 server. The plugin URL is stored in the file in the following format:

/plugin/index.php?plugin=

The following plugins are found in the memory of the Zyklon malware:

- /plugin/index.php?plugin=cuda
- /plugin/index.php?plugin=minerd
- /plugin/index.php?plugin=sgminer
- /plugin/index.php?plugin=socks
- /plugin/index.php?plugin=tor
- /plugin/index.php?plugin=games
- /plugin/index.php?plugin=software
- /plugin/index.php?plugin=ftp
- /plugin/index.php?plugin=email
- /plugin/index.php?plugin=browser

The downloaded plugins are injected into: Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe.
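The Zyklon Delivery section describes Pause.ps1 as a Base64-encoded PowerShell script that resolves VirtualAlloc(), memset() and CreateThread() for code injection. A scanner that decodes Base64 runs inside PowerShell text and looks for those API names is one practical way to surface such a stage before it executes. The block below is an added example, not code from the original post or from FireEye; the Base64 run length threshold, the UTF-8/UTF-16LE decoding attempts and the sample script are all assumptions, and the embedded sample only names the APIs as strings, it calls nothing.

```python
"""Scan PowerShell text for Base64 blobs that decode to code-injection
API names (VirtualAlloc, memset, CreateThread), the pattern the post
describes for the Base64-encoded Pause.ps1 stage.

Added example, not code from the original post; the sample script is
constructed for the demonstration and is harmless.
"""
import base64
import re

INJECTION_APIS = ("VirtualAlloc", "memset", "CreateThread")
DOWNLOADER_HINTS = ("DownloadString", "DownloadFile", "Net.WebClient")

# Runs of Base64 characters at least 40 long; shorter runs are mostly noise.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed inner script: it only names the APIs, it does not call them.
_INNER = ("$names = 'VirtualAlloc','memset','CreateThread'\n"
          "Write-Output ('resolved: ' + ($names -join ','))\n")

# Constructed outer script carrying the inner script as Base64, plus an
# unrelated Base64 string that decodes to ordinary text.
SAMPLE_SCRIPT = (
    "$enc = '" + base64.b64encode(_INNER.encode()).decode() + "'\n"
    "$x = '" + base64.b64encode(b"nothing to see here, just a long harmless string!").decode() + "'\n"
    "Write-Output 'done'\n"
)


def _decode_candidates(blob: str):
    """Decode one Base64 run as UTF-8 and as UTF-16LE (the encoding used by
    PowerShell's -EncodedCommand) and return whichever decodings succeed."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return []
    out = []
    for enc in ("utf-8", "utf-16-le"):
        try:
            out.append(raw.decode(enc))
        except UnicodeDecodeError:
            continue
    return out


def scan_powershell(script: str):
    """Return one finding per Base64 run whose decoded text names at least
    one injection API: the run's offset, the APIs seen, and whether any
    downloader hint appears in the same decoded text."""
    findings = []
    for match in _B64_RUN.finditer(script):
        for text in _decode_candidates(match.group(0)):
            apis = [a for a in INJECTION_APIS if a in text]
            if apis:
                findings.append({
                    "offset": match.start(),
                    "apis": apis,
                    "downloader": any(h in text for h in DOWNLOADER_HINTS),
                })
                break
    return findings


def is_suspicious(script: str) -> bool:
    """Flag a script when any decoded blob names all three APIs the post
    associates with the Pause.ps1 injection stage."""
    return any(len(f["apis"]) == len(INJECTION_APIS) for f in scan_powershell(script))


if __name__ == "__main__":
    for finding in scan_powershell(SAMPLE_SCRIPT):
        print(finding)
    print("suspicious:", is_suspicious(SAMPLE_SCRIPT))
```

Feed it the script body from a PowerShell ScriptBlock log (Event ID 4104) or a file picked up from the download location; the three-API rule is deliberately strict to keep false positives down, and the per-finding "downloader" flag lets a triage rule distinguish an injector that also fetches its payload, as Pause.ps1 does, from one that carries it inline.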
**Additional Features**

The Zyklon malware offers the following additional capabilities (via plugins):

Browser Password Recovery

Zyklon HTTP can recover passwords from popular web browsers, including:

- Google Chrome
- Mozilla Firefox
- Internet Explorer
- Opera Browser
- Chrome Canary/SXS
- CoolNovo Browser
- Apple Safari
- Flock Browser
- SeaMonkey Browser
- SRWare Iron Browser
- Comodo Dragon Browser

FTP Password Recovery

Zyklon currently supports FTP password recovery from the following FTP applications:

- FileZilla
- SmartFTP
- FlashFXP
- FTPCommander
- Dreamweaver
- WS_FTP

Gaming Software Key Recovery

Zyklon can recover PC gaming software keys from the following games:

- Battlefield
- Call of Duty
- FIFA
- NFS
- Age of Empires
- Quake
- The Sims
- Half-Life
- IGI
- Star Wars

Email Password Recovery

Zyklon may also collect email passwords from the following applications:

- Microsoft Outlook Express
- Microsoft Outlook 2002/XP/2003/2007/2010/2013
- Mozilla Thunderbird
- Windows Live Mail 2012
- IncrediMail
- Foxmail v6.x - v7.x
- Windows Live Messenger
- MSN Messenger
- Google Talk
- GMail Notifier
- PaltalkScene IM
- Pidgin (Formerly Gaim) Messenger
- Miranda Messenger
- Windows Credential Manager

License Key Recovery

The malware automatically detects and decrypts the license/serial keys of more than 200 popular pieces of software, including Office, SQL Server, Adobe, and Nero.

Socks5 Proxy

Zyklon features the ability to establish a reverse Socks5 proxy server on infected host machines.

Hijack Clipboard Bitcoin Address

Zyklon has the ability to hijack the clipboard, and replaces the user's copied bitcoin address with an address served up by the actor's control server.
**Zyklon Pricing**

Researchers identified different versions of Zyklon HTTP being advertised in a popular underground marketplace for the following prices:

- Normal build: $75 (USD)
- Tor-enabled build: $125 (USD)
- Rebuild/Updates: $15 (USD)
- Payment Method: Bitcoin (BTC)

**Conclusion**

Threat actors incorporating recently discovered vulnerabilities in popular software – Microsoft Office, in this case – only increase the potential for successful infections. These types of threats show why it is very important to ensure that all software is fully updated. Additionally, all industries should be on alert, as it is highly likely that the threat actors will eventually move outside the scope of their current targeting.

At the time of writing, the FireEye [Multi Vector Execution (MVX) engine](https://www.fireeye.com/) is able to recognize and block this threat. Table 2 lists the current detection and blocking capabilities by product.

| Detection Name | Product | Action |
| --- | --- | --- |
| POWERSHELL DOWNLOADER D (METHODOLOGY) | HX | Detect |
| SUSPICIOUS POWERSHELL USAGE (METHODOLOGY) | HX | Detect |
| POWERSHELL DOWNLOADER (METHODOLOGY) | HX | Detect |
| SUSPICIOUS EQNEDT USAGE (METHODOLOGY) | HX | Detect |
| TOR (TUNNELER) | HX | Detect |
| SUSPICIOUS SVCHOST.EXE (METHODOLOGY) | HX | Detect |
| Malware.Binary.rtf | EX/ETP/NX | Block |
| Malware.Binary | EX/ETP/NX | Block |
| FE_Exploit_RTF_CVE_2017_8759 | EX/ETP/NX | Block |
| FE_Exploit_RTF_CVE201711882_1 | EX/ETP/NX | Block |

Table 2: Current detection capabilities by FireEye products

**Indicators of Compromise**

The contained analysis is based on the representative sample lures shown in Table 3.
| MD5 | Name |
| --- | --- |
| 76011037410d031aa41e5d381909f9ce | accounts.doc |
| 4bae7fb819761a7ac8326baf8d8eb6ab | Courrier.doc |
| eb5fa454ab42c8aec443ba8b8c97339b | doc.doc |
| 886a4da306e019aa0ad3a03524b02a1c | Pause.ps1 |
| 04077ecbdc412d6d87fc21e4b3a4d088 | words.exe |

Table 3: Sample Zyklon lures

Network Indicators

- 154.16.93.182
- 85.214.136.179
- 178.254.21.218
- 159.203.42.107
- 217.12.223.216
- 138.201.143.186
- 216.244.85.211
- 51.15.78.0
- 213.251.226.175
- 93.95.100.202
- warnono.punkdns.top
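Beyond the static indicators above, the post gives behavioural patterns worth matching on their own: the POST to gate.php with getkey=y from the Command & Control section, the /plugin/index.php?plugin= fetches from the Plugin Manager section, and the external-IP lookup services queried right after infection. The following scanner, an added example that is not code from the original post, combines the network indicators from the list above with those URL patterns and runs them over proxy log lines. The log format (timestamp, client, method, URL), the log lines and the reason tags are constructed for the demonstration; the indicator values are the post's own.

```python
"""Match the post's network indicators and Zyklon C2/plugin URL patterns
against proxy log lines.

Added example, not code from the original post. Indicator values come
from the post's Network Indicators list and the URL formats it describes;
the log lines are constructed for the demo.
"""
from urllib.parse import parse_qs, urlsplit

# From the post's Network Indicators list.
IOC_IPS = {
    "154.16.93.182", "85.214.136.179", "178.254.21.218", "159.203.42.107",
    "217.12.223.216", "138.201.143.186", "216.244.85.211", "51.15.78.0",
    "213.251.226.175", "93.95.100.202",
}
IOC_DOMAINS = {"warnono.punkdns.top"}

# External-IP lookup services the post says Zyklon queries after infection
# (defanged in the post; written plainly here so they match log hosts).
EXTERNAL_IP_SERVICES = {"api.ipify.org", "ip.anysrc.net", "myexternalip.com", "whatsmyip.com"}

# Constructed proxy log: timestamp client method url
SAMPLE_LOG = """\
2018-01-11T08:00:01Z 10.1.1.20 GET http://api.ipify.org/
2018-01-11T08:00:03Z 10.1.1.20 POST http://warnono.punkdns.top/gate.php?getkey=y
2018-01-11T08:00:09Z 10.1.1.20 GET http://154.16.93.182/plugin/index.php?plugin=socks
2018-01-11T08:01:00Z 10.1.1.21 GET http://example.org/gate.php?getkey=y
2018-01-11T08:01:30Z 10.1.1.22 GET http://example.org/index.html
"""


def classify_url(method: str, url: str):
    """Return a list of reason tags for one request; an empty list means
    nothing in the request matched."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    query = parse_qs(parts.query)
    reasons = []
    if host in IOC_IPS or host in IOC_DOMAINS:
        reasons.append("known-ioc-host")
    if host in EXTERNAL_IP_SERVICES:
        reasons.append("external-ip-lookup")
    # C2 check-in as the post describes it: POST to gate.php carrying getkey=y
    if method == "POST" and parts.path.endswith("/gate.php") and query.get("getkey") == ["y"]:
        reasons.append("zyklon-getkey")
    # Plugin fetch: /plugin/index.php?plugin=<name>
    if parts.path.endswith("/plugin/index.php") and "plugin" in query:
        reasons.append("zyklon-plugin-fetch:" + query["plugin"][0])
    return reasons


def scan_log(log_text: str):
    """Return (client, url, reasons) for every log line with at least one hit."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line; skip rather than guess
        _ts, client, method, url = fields
        reasons = classify_url(method, url)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(client, url, ", ".join(reasons))
```

The getkey check requires a POST because that is the method the post reports; relax the method test if you would rather alert on the URL shape alone. Note also that the C2 traffic is proxied through Tor on the infected host, so the gate.php request may only be visible on the host or at a Tor-aware egress point, which is why the external-IP lookup and the plugin fetch are useful corroborating signals in ordinary proxy logs.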