New Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware that Creating Backdoor !

New Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware that Creating Backdoor !

In Past Days,patched critical Microsoft office vulnerabilities are used for distributing powerful Zyklon Malware that has some sophisticated functionalities such as creating a backdoor in victims machine.

Zyklon Malware has widely spread across the world since 2016 and its mainly targeting Telecommunications, Insurance, Financial Services.

Zyklon Malware Http being advertised in a popular underground marketplace with following Prices.

Normal build: $75 (USD)
Tor-enabled build: $125 (USD)
Rebuild/Updates: $15 (USD)
Payment Method: Bitcoin (BTC)
This malware downloads several plugins in a browser that will be later performing cryptocurrency mining and password recovery.

A Backdoor that creates by Zyklon Malware has capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal.

How does Microsoft Office Vulnerabilities Exploited
Zyklon malware initially delivering through malicious spam emails that contain attached Zip file that has embedded malicious DOC file.

Once victims click the email, malware exploits 3 known Microsoft office vulnerabilities and PowerShell payload takes over the victims computer.
Later PowerShell script will communicate with Command & Control server and download the final payload and execute it in a victims machine.

All these vulnerabilities are using same domain is used to download the next level payload using another PowerShell script and it is responsible for resolving the APIs required for code injection.
It also contains the injectable shellcode. The APIs contain VirtualAlloc(), memset(), and CreateThread(). Figure 9 shows the decoded Base64 code.

The malware may communicate with its command and control (C2) server over The Onion Router (Tor) network and the malware sends a POST request to the C2 server.

This Malware performing additional capabilities such as  Browser Password Recovery, FTP Password Recovery, Gaming Software Key Recovery, Email Password Recovery, License Key Recovery.