Zyklon malware: What Microsoft Office flaws does it exploit?

Zyklon malware targets three previously patched Microsoft Office vulnerabilities. Learn how attackers can access passwords and cryptocurrency wallet data with expert Judith Myerson.

A new malware called Zyklon manipulates three Microsoft Office vulnerabilities. How does Zyklon malware work, and what vulnerabilities does it exploit?

Zyklon malware lurks in a zip file containing up to three malicious Microsoft Office files.

The botnet malware comes to life when an innocent user accidentally opens a zipped file that is typically attached to a phishing email. The exploit executes a PowerShell script to download a final payload from an attacker's command-and-control server. From there, the attacker can collect passwords and cryptocurrency wallet data, enabling him to use them against the target enterprise systems.

The first vulnerability the Zyklon malware exploits is a bug in the .NET framework -- CVE-2017-8789 -- where a malicious document gives the attacker the ability to remotely install programs, change data and create privileged accounts. Clicking on or hovering over an embedded Object Linking and Embedding object automatically downloads a malicious .doc file from an URL in the background of the system. However, the .NET framework was patched by Microsoft in October 2017.

The second vulnerability is the memory corruption flaw in the Microsoft Equation Editor -- CVE-2017-11882. An attacker can take advantage of this flaw to execute arbitrary code. Because no user interaction is required after the user opens the Editor, it took 17 years for Microsoft to recognize this flaw, but it was patched in November 2017.

The third vulnerability is the dynamic data exchange (DDE) protocol. During this past year, attackers have succeeded in crafting macro-based malware to exploit this vulnerability to launch malicious droppers. While no patches have been released, Microsoft considers the DDE a product feature, not a vulnerability. As a precaution, however, Microsoft published practical advice on changing system settings in a registry file in order to safely disable the feature.

If these three vulnerabilities are used together, an attacker could collect passwords and cryptocurrency wallet data to launch denial-of-service attacks against the targeted systems. Enterprises and users alike should make sure these Microsoft vulnerabilities are fully patched to prevent any Zyklon malware infections.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing