Zyklon malware can do a lot of damage to your device
Cybercriminals deliver Zyklon HTTP malware through Microsoft Office. Our cybersecurity team found that the cybercriminals are using new vulnerabilities in Microsoft Office. The Zyklon malware code is very easy to find on the internet because it is free.
This malware has full backdoor and keylogging features and a password-gathering feature; plug-ins such as a crypto miner or password recovery are supported, all installed through its download-and-install function. It can also be used for DDoS attacks, and it can be updated or removed if the cybercriminals want to cover their tracks.
This new type of Zyklon malware is deployed through spam emails that have a ZIP file attached containing an infected DOC file.
Multiple industries are affected by this malware:
• Financial Services
Sample lure docs
Attack vector steps:
1. An email reaches the user’s inbox. The mail has a ZIP attachment with the infected DOC file inside.
2. The DOC file exploits three or more Microsoft Office vulnerabilities and runs PowerShell scripts.
3. The PowerShell script is, in fact, a downloader that installs the malware from the cybercriminals’ C&C server.
Zyklon attack methods
The first is a new vulnerability the cybercriminals use by embedding an OLE object inside the DOC file; this OLE object is the downloader that fetches and installs additional files from the C&C server.
The second is another new vulnerability that downloads the malware from a URL stored inside another OLE object when the victim opens the DOC.
HTTP GET is used to download the next level payload
The file downloaded after the infected DOC is first opened is named doc.doc; it is, in fact, an XML file containing PowerShell scripts used to download another file named Pause.ps1.
Another way the same Pause.ps1 file is downloaded with a PowerShell script is through Dynamic Data Exchange (DDE), which is abused for remote code execution.
Zyklon Delivery methods:
Pause.ps1 is downloaded from the same address in every delivery method. Pause.ps1 is just another PowerShell script, Base64 encoded. It resolves the APIs required for code injection, and the code to be injected is also inside this file. The injected code is a downloader for the last piece of the malware, a PE executable compiled with the .NET Framework: words.exe.
After execution, the file does the following:
1. Duplicates itself to %AppData%\svchost.exe\svchost.exe and drops an XML file that contains configuration information for Task Scheduler.
2. Unpacks the code in memory via process hollowing. The MSIL file includes the packed core payload in its .NET resource section.
3. The unpacked code is Zyklon.
XML configuration file to schedule the task
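As an added example (not from the original post or from the analysis it summarizes), a small triage script that parses an exported Task Scheduler XML definition and flags commands matching the persistence pattern described above (an svchost.exe launched from under %AppData%), and checks file MD5s against the indicators listed at the end of this post. The task namespace URI, the sample task XML and the AppData path are assumed or constructed.

```python
import hashlib
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespace used by exported Task Scheduler definitions (assumed to match the dropped XML).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories where a genuine svchost.exe lives; anything else is suspect.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# MD5 indicators from the post's IoC list, keyed by digest.
ZYKLON_MD5 = {
    "eb5fa454ab42c8aec443ba8b8c97339b": "doc.doc",
    "886a4da306e019aa0ad3a03524b02a1c": "Pause.ps1",
    "04077ecbdc412d6d87fc21e4b3a4d088": "words.exe",
}
# Constructed sample: a task definition shaped like the one the post describes (not a real capture).
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>%AppData%\svchost.exe\svchost.exe</Command></Exec>
    <Exec><Command>C:\Windows\System32\svchost.exe</Command></Exec>
  </Actions>
</Task>"""
APPDATA = r"C:\Users\victim\AppData\Roaming"  # constructed profile path

def task_commands(task_xml: str) -> List[str]:
    """Return every Exec/Command path declared in a Task Scheduler XML definition."""
    root = ET.fromstring(task_xml)
    return [c.text.strip() for c in root.iterfind(".//t:Exec/t:Command", NS) if c.text]

def suspicious_commands(task_xml: str, appdata: str) -> List[str]:
    """Flag commands that launch from %AppData% or run an svchost.exe outside the system directories."""
    flagged = []
    for cmd in task_commands(task_xml):
        full = re.sub(r"%appdata%", lambda _: appdata, cmd, flags=re.IGNORECASE).strip('"').lower()
        exe_name = full.rsplit("\\", 1)[-1]
        in_appdata = full.startswith(appdata.lower())
        fake_svchost = exe_name == "svchost.exe" and not full.startswith(SYSTEM_DIRS)
        if in_appdata or fake_svchost:
            flagged.append(cmd)
    return flagged

def match_iocs(samples: Dict[str, bytes], iocs: Dict[str, str] = ZYKLON_MD5) -> Dict[str, str]:
    """Return {sample name: IoC label} for every sample whose MD5 is in the indicator set."""
    hits = {}
    for name, data in samples.items():
        digest = hashlib.md5(data).hexdigest()
        if digest in iocs:
            hits[name] = iocs[digest]
    return hits
```

Calling suspicious_commands(SAMPLE_TASK, APPDATA) returns only the %AppData% entry, while the genuine System32 svchost.exe action is left alone; match_iocs takes the raw bytes of files collected from a host.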
The Zyklon malware first retrieves the external IP address of the infected machine using the following:
Zyklon also contains an encrypted file named tor, a Tor anonymizer, which is injected into InstallUtil.exe; the attackers’ C&C server then controls Zyklon over the Tor network.
Zyklon public RSA key
Zyklon accepted commands:
• Requests system information
• Requests settings from C2 server
• Uploads harvested passwords
• Uploads harvested cryptocurrency wallet data
• Indicates SOCKS proxy port opened
• Cryptocurrency miner commands
• Reports errors to C2 server
• DDoS attack commands
Zyklon issuing “settings” command and subsequent server response
Zyklon issuing “sign” command and subsequent server response
Zyklon issuing “ddos” command and subsequent server response
Zyklon downloads a number of plugins from its C2 server. The plugin URL is stored in a file in the following format:
The following plugins are found in the memory of the Zyklon malware:
The downloaded plugins are injected into Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe.
The Zyklon malware offers the following additional features:
Browser Password Recovery
Zyklon HTTP can recover passwords from almost every web browser:
• Google Chrome
• Mozilla Firefox
• Internet Explorer
• Opera Browser
• Chrome Canary/SXS
• CoolNovo Browser
• Apple Safari
• Flock Browser
• SeaMonkey Browser
• SRWare Iron Browser
• Comodo Dragon Browser
FTP Password Recovery
Zyklon can recover FTP passwords from the following FTP applications:
Gaming Software Key Recovery
Zyklon can recover PC gaming software keys for the following games:
• Call of Duty
• Age of Empires
• The Sims
• Star Wars
Email Password Recovery
Zyklon can collect email passwords from the following applications:
• Microsoft Outlook Express
• Microsoft Outlook 2002/XP/2003/2007/2010/2013
• Mozilla Thunderbird
• Windows Live Mail 2012
• IncrediMail, Foxmail v6.x – v7.x
• Windows Live Messenger
• MSN Messenger
• Google Talk
• Gmail Notifier
• PaltalkScene IM
• Pidgin (Formerly Gaim) Messenger
• Miranda Messenger
• Windows Credential Manager
License Key Recovery
The malware automatically identifies and decrypts the license/serial keys of more than 200 popular software products such as Office, SQL Server, Adobe, and Nero.
Zyklon can run a reverse SOCKS5 proxy server on infected host machines.
Hijack Clipboard Bitcoin Address
Zyklon can hijack the clipboard and replace the user’s copied Bitcoin address with an address served by the actor’s control server.
Our cybersecurity team identified different versions of Zyklon HTTP being offered for sale on dark web markets:
• Normal build: $75 (USD)
• Tor-enabled build: $125 (USD)
• Rebuild/Updates: $15 (USD)
• Payment Method: Bitcoin (BTC)
Our cybersecurity analyst says that this is a masterpiece of malware that takes advantage of many new vulnerabilities to accomplish multiple malicious tasks. This is why every user should keep their OS and applications updated frequently.
Indicators of Compromise
accounts.doc – 76011037410d031aa41e5d381909f9ce
Courier.doc – 4bae7fb819761a7ac8326baf8d8eb6ab
doc.doc – eb5fa454ab42c8aec443ba8b8c97339b
Pause.ps1 – 886a4da306e019aa0ad3a03524b02a1c
words.exe – 04077ecbdc412d6d87fc21e4b3a4d088
Regular users are the most affected by malware these days because most of them do not care about what antivirus they have installed on their systems.
Users can download the antivirus developed by our company directly by clicking the download banner at the end of the page.
Our free antivirus download can help users protect their Mac or Windows devices against malware and adware.
We offer a free one-day antivirus license to all users who want to test the full power of our antivirus solution.
Our antivirus can detect a vast spectrum of threats, from dangerous malware to nasty browser extensions used for mining cryptocurrency.
The antivirus our company offers is a certified OPSWAT product.
Most companies don't care about cybersecurity until they suffer a breach.
A healthy company must perform a penetration test from time to time. The penetration test must be executed against all the company's assets, including the employees, who are the most vulnerable to social engineering attacks.
A penetration test can be done either by a security specialist from inside the company or by hiring an external cybersecurity company that can take care of everything.
Besides penetration tests, a company must have a minimum healthy cybersecurity setup in place, such as antivirus or a firewall.
CyberByte can perform various penetration tests across the whole spectrum, from PCI DSS compliance to red teaming, perimeter testing, and social engineering.
We also provide employee profiling and cyber threat monitoring services, since most data breaches these days come from inside the company.
To check our penetration test services go to the Services tab from the main menu.
Windows users can download the free CyberByte antivirus solution by clicking the banner. The free antivirus will help you find out whether your PC is infected. CyberByte's free Windows antivirus is award-winning malware detection software.
Mac / MacOS / OS X users can download the free CyberByte Mac antivirus solution by clicking the banner. The free antivirus will help you find out whether your Mac is infected. CyberByte's free MacOS / OS X antivirus is award-winning malware detection software. The free antivirus for Mac is available for new MacOS and older OS X versions.
Features of CyberByte™ antivirus:
- Protects you from all kinds of threats
- CyberByte™ custom detection engine includes Mac and Windows malware protection and detection
- Fastest scanning times in the market
- Crypto Mining rogue extensions/malware detection
- Ransomware detection - don’t negotiate with ransomware cyber terrorists – keep your Mac and Windows safe
- Active live protection from background
- Certified Threat Detector by OPSWAT
- Easy to Install
- Easy to Manage
- Incredible value for money
Invisible, protecting you from behind the scenes – you will not feel it is installed on your computer; it is easy on resources, as protection software should be.
Original technology that combines behavioral heuristic analysis with a powerful signature database – the CyberByte™ Protection Engine delivers top-of-the-line protection in an instant.
Fastest scanning times in the market – your time is precious, but so is your digital life – CyberByte™ delivers fast scanning, saving both your time and your valuable data.
Don’t negotiate with ransomware cyber terrorists – keep your Mac safe and don’t ever end up paying for what is already yours.
Protect others as well – the CyberByte™ Protection Engine not only detects the threat but stops it from spreading to other Macs or Windows machines.
Don’t let strangers use your resources – more than 80% of the attacks are crypto mining driven. Are you sure your computer is not mining for crypto while you read this text?
Our malware protection will continuously look after your device providing the best security against viruses. Give us the chance to prove it by downloading the antivirus for your device.
CyberByte Antivirus is a certified product by OPSWAT (OPSWAT is a San Francisco-based software company that provides solutions to secure and manage IT infrastructure. Founded in 2002, OPSWAT delivers solutions that provide manageability of endpoints and networks, and that help organizations protect against zero-day attacks by using multiple antivirus engine scanning and document sanitization. To learn more about OPSWAT’s innovative and unique solutions, please visit http://www.opswat.com).
CyberByte Antivirus comes in two flavors:
MacOS Version - the free download Mac antivirus available on our website (https://mac.cyberbyte.org)
Windows Version - the free download Windows antivirus available on our website (https://pc.cyberbyte.org)
The procedure is simple:
Just free download antivirus from CyberByte website either for Mac or Windows.
Install it using the antivirus installer package.
Windows and Mac users can then run a free malware scan of their devices. The scan duration depends on how many files the end user has.
CyberByte antivirus will show if any files are infected after the scan is finished.