Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign

Introduction

FireEye researchers recently observed threat actors leveraging
relatively new vulnerabilities in Microsoft Office to spread Zyklon
HTTP malware. Zyklon has been observed in the wild since early 2016
and provides myriad sophisticated capabilities.

Zyklon is a publicly available, full-featured backdoor capable of
keylogging, password harvesting, downloading and executing additional
plugins, conducting distributed denial-of-service (DDoS) attacks, and
self-updating and self-removal. The malware may communicate with its
command and control (C2) server over The Onion Router (Tor) network if
configured to do so. The malware can download several plugins, some of
which include features such as cryptocurrency mining and password
recovery, from browsers and email software. Zyklon also provides a
very efficient mechanism to monitor the spread and impact.

Infection Vector

We have observed this recent wave of Zyklon malware being delivered
primarily through spam emails. The email typically arrives with an
attached ZIP file containing a malicious DOC file (Figure 1 shows a
sample lure).

The following industries have been the primary targets in this campaign:

  • Telecommunications
  • Insurance
  • Financial Services



Figure 1: Sample lure documents

Attack Flow

  1. Spam email arrives in the victim’s mailbox as a ZIP attachment,
     which contains a malicious DOC file.
  2. The document files exploit at least three known vulnerabilities in
     Microsoft Office, which we discuss in the Infection Techniques
     section. Upon execution in a vulnerable environment, the
     PowerShell-based payload takes over.
  3. The PowerShell script is responsible for downloading the final
     payload from the C2 server and executing it.

A visual representation of the attack flow and execution chain can
be seen in Figure 2.



Figure 2: Zyklon attack flow

Infection Techniques

CVE-2017-8759

This vulnerability was discovered by FireEye in September 2017, and we
have observed it being exploited in the wild.

The DOC file contains an embedded OLE Object that, upon execution,
triggers the download of an additional DOC file from the stored URL
(seen in Figure 3).



Figure 3: Embedded URL in OLE object

CVE-2017-11882

Similarly, we have also observed actors leveraging another recently
discovered vulnerability (CVE-2017-11882) in Microsoft Office. Upon
opening the malicious DOC attachment, an additional download is
triggered from a stored URL within an embedded OLE Object (seen in
Figure 4).



Figure 4: Embedded URL in OLE object



Figure 5: HTTP GET request to download
the next level payload

The downloaded file, doc.doc, is XML-based and contains a
PowerShell command (shown in Figure 6) that subsequently downloads the
binary Pause.ps1.



Figure 6: PowerShell command to download
the Pause.ps1 payload

Dynamic Data Exchange (DDE)

Dynamic Data Exchange (DDE) is the interprocess communication
mechanism that is exploited to perform remote code execution. With the
help of a PowerShell script (shown in Figure 7), the next payload
(Pause.ps1) is downloaded.



Figure 7: DDE technique used to download
the Pause.ps1 payload

One of the unique approaches we have observed is the use of dot-less
IP addresses (example: hxxp://258476380).
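The dot-less address above is one 32-bit integer written in decimal; Windows URL parsing also accepts the same number in hexadecimal or octal, so a proxy-log rule keyed on dotted quads misses all three forms. The following Python is an added example (not from the original post or from FireEye) that normalizes numeric hosts back to dotted form; the log lines in it are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Host spelled as a single 32-bit number: decimal, 0x-prefixed hex, or
# leading-zero octal. Windows URL parsers accept all three forms.
_DECIMAL = re.compile(r"^(0|[1-9][0-9]*)$")
_HEX = re.compile(r"^0[xX][0-9a-fA-F]+$")
_OCTAL = re.compile(r"^0[0-7]+$")


def normalize_host(host):
    """Return the dotted-quad form of a single-number host, else None."""
    if _HEX.match(host):
        value = int(host, 16)
    elif _OCTAL.match(host):
        value = int(host, 8)
    elif _DECIMAL.match(host):
        value = int(host, 10)
    else:
        return None
    if value > 0xFFFFFFFF:  # wider than 32 bits: a stray ID, not an address
        return None
    return str(ipaddress.IPv4Address(value))


def find_dotless_hosts(log_lines):
    """Return (raw_host, dotted_quad) for every line whose URL, the last
    space-separated field, carries a numeric host."""
    hits = []
    for line in log_lines:
        url = line.rsplit(" ", 1)[-1]
        host = urlsplit(url).hostname or ""  # urlsplit lower-cases it
        dotted = normalize_host(host)
        if dotted is not None:
            hits.append((host, dotted))
    return hits


# Constructed proxy log lines (not from the original post): the page's
# example number, the same value in hex, and a hostname that must not hit.
SAMPLE_LOG = [
    "2018-01-17T10:02:11Z 10.0.0.5 GET http://258476380/Pause.ps1",
    "2018-01-17T10:02:12Z 10.0.0.5 GET http://0x0F68095C/Pause.ps1",
    "2018-01-17T10:02:13Z 10.0.0.5 GET http://api.ipify.org/",
]

if __name__ == "__main__":
    for raw, dotted in find_dotless_hosts(SAMPLE_LOG):
        print(f"dot-less host {raw} -> {dotted}")
```

The page's example 258476380 normalizes to 15.104.9.92, which is purely the arithmetic conversion of that number.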

Figure 8 shows the network communication of the Pause.ps1 download.



Figure 8: Network communication to
download the Pause.ps1 payload

Zyklon Delivery

In all these techniques, the same domain is used to download the
next level payload (Pause.ps1), which is another PowerShell
script that is Base64 encoded (as seen in Figure 8).

The Pause.ps1 script is responsible for resolving the APIs required for
code injection. It also contains the injectable shellcode. These APIs
include VirtualAlloc(), memset(), and CreateThread(). Figure 9 shows
the decoded Base64 code.



Figure 9: Base64 decoded Pause.ps1

The injected code is responsible for downloading the final payload
from the server (see Figure 10). The final stage payload is a PE
executable compiled with the .Net framework.



Figure 10: Network traffic to download
final payload (words.exe)

Once executed, the file performs the following activities:

  1. Drops a copy of itself in %AppData%\svchost.exe\svchost.exe and
     drops an XML file, which contains configuration information for
     Task Scheduler (as shown in Figure 11).
  2. Unpacks the code in memory via process hollowing. The MSIL file
     contains the packed core payload in its .Net resource section.
  3. The unpacked code is Zyklon.



Figure 11: XML configuration file to
schedule the task
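A defender can hunt for this persistence by parsing Task Scheduler XML and flagging any action that runs an svchost.exe from outside the Windows system directories, or anything from the user's AppData tree. The Python below is an added example, not code from the post or from FireEye; the task XML in it is constructed, and the namespace is the one Task Scheduler task definitions use.

```python
import ntpath
import xml.etree.ElementTree as ET

# Namespace that Task Scheduler uses for exported/imported task XML.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories where the genuine svchost.exe lives (compared lower-cased).
SYSTEM_DIRS = {r"%systemroot%\system32", r"%systemroot%\syswow64",
               r"c:\windows\system32", r"c:\windows\syswow64"}


def suspicious_exec_commands(task_xml):
    """Return the <Command> paths of a task that either launch an
    svchost.exe from outside the system directories or run anything
    out of the user's AppData tree."""
    root = ET.fromstring(task_xml)
    findings = []
    for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", TASK_NS):
        path = (cmd.text or "").strip().strip('"')
        directory, name = ntpath.split(path)
        directory = directory.lower().rstrip("\\")
        if name.lower() == "svchost.exe" and directory not in SYSTEM_DIRS:
            findings.append(path)
        elif "%appdata%" in directory or "\\appdata\\" in directory:
            findings.append(path)
    return findings


# Constructed task definition (not the file dropped by Zyklon): the first
# action mirrors the %AppData%\svchost.exe\svchost.exe drop location, the
# second is how a legitimate service host would be referenced.
SAMPLE_TASK = r"""<Task version="1.2"
      xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>%AppData%\svchost.exe\svchost.exe</Command></Exec>
    <Exec>
      <Command>%SystemRoot%\System32\svchost.exe</Command>
      <Arguments>-k netsvcs</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for path in suspicious_exec_commands(SAMPLE_TASK):
        print("suspicious scheduled task action:", path)
```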

The Zyklon malware first retrieves the external IP address of the
infected machine using the following:

  • api.ipify[.]org
  • ip.anysrc[.]net
  • myexternalip[.]com
  • whatsmyip[.]com

The Zyklon executable contains another encrypted file in its .Net
resource section named tor. This file is decrypted and injected
into an instance of InstallUtil.exe, and functions as a Tor anonymizer.

Command & Control Communication

The C2 communication of Zyklon is proxied through the Tor network.
The malware sends a POST request to the C2 server. The C2 server URL is
appended with gate.php, which is stored in the file's memory. The
parameter passed to this request is getkey=y. In response to this
request, the C2 server responds with a Base64-encoded RSA public key
(seen in Figure 12).



Figure 12: Zyklon public RSA key

After the connection is established with the C2 server, the malware
can communicate with its control server using the commands shown in
Table 1.

Command     Action
----------  ----------------------------------------------
sign        Requests system information
settings    Requests settings from C2 server
logs        Uploads harvested passwords
wallet      Uploads harvested cryptocurrency wallet data
proxy       Indicates SOCKS proxy port opened
miner       Cryptocurrency miner commands
error       Reports errors to C2 server
ddos        DDoS attack commands

Table 1: Zyklon accepted commands

The following figures show the initial request and subsequent server
response for the “settings” (Figure 13), “sign” (Figure 14), and
“ddos” (Figure 15) commands.



Figure 13: Zyklon issuing “settings”
command and subsequent server response



Figure 14: Zyklon issuing “sign” command
and subsequent server response



Figure 15: Zyklon issuing “ddos” command
and subsequent server response

Plugin Manager

Zyklon downloads a number of plugins from its C2 server. The plugin
URL is stored in the file in the following format:

  • /plugin/index.php?plugin=<Plugin_Name>

The following plugins are found in the memory of the Zyklon malware:

  • /plugin/index.php?plugin=cuda
  • /plugin/index.php?plugin=minerd
  • /plugin/index.php?plugin=sgminer
  • /plugin/index.php?plugin=socks
  • /plugin/index.php?plugin=tor
  • /plugin/index.php?plugin=games
  • /plugin/index.php?plugin=software
  • /plugin/index.php?plugin=ftp
  • /plugin/index.php?plugin=email
  • /plugin/index.php?plugin=browser

The downloaded plugins are injected into: Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe.

Additional Features

The Zyklon malware offers the following additional capabilities (via plugins):

Browser Password Recovery

Zyklon HTTP can recover passwords from popular web browsers, including:

  • Google Chrome
  • Mozilla Firefox
  • Internet Explorer
  • Opera Browser
  • Chrome Canary/SXS
  • CoolNovo Browser
  • Apple Safari
  • Flock Browser
  • SeaMonkey Browser
  • SRWare Iron Browser
  • Comodo Dragon Browser

FTP Password Recovery

Zyklon currently supports FTP password recovery from the following
FTP applications:

  • FileZilla
  • SmartFTP
  • FlashFXP
  • FTPCommander
  • Dreamweaver
  • WS_FTP

Gaming Software Key Recovery

Zyklon can recover PC Gaming software keys from the following games:

  • Battlefield
  • Call of Duty
  • FIFA
  • NFS
  • Age of Empires
  • Quake
  • The Sims
  • Half-Life
  • IGI
  • Star Wars

Email Password Recovery

Zyklon may also collect email passwords from following applications:

  • Microsoft Outlook Express
  • Microsoft Outlook 2002/XP/2003/2007/2010/2013
  • Mozilla Thunderbird
  • Windows Live Mail 2012
  • IncrediMail, Foxmail v6.x – v7.x
  • Windows Live Messenger
  • MSN Messenger
  • Google Talk
  • GMail Notifier
  • PaltalkScene IM
  • Pidgin (Formerly Gaim) Messenger
  • Miranda Messenger
  • Windows Credential Manager

License Key Recovery

The malware automatically detects and decrypts the license/serial
keys of more than 200 popular pieces of software, including Office,
SQL Server, Adobe, and Nero.

Socks5 Proxy

Zyklon features the ability to establish a reverse Socks5 proxy
server on infected host machines.

Hijack Clipboard Bitcoin Address

Zyklon has the ability to hijack the clipboard, replacing the user’s
copied bitcoin address with an address served up by the actor’s
control server.

Zyklon Pricing

Researchers identified different versions of Zyklon HTTP being
advertised in a popular underground marketplace at the following prices:

  • Normal build: $75 (USD)
  • Tor-enabled build: $125 (USD)
  • Rebuild/Updates: $15 (USD)
  • Payment Method: Bitcoin (BTC)

Conclusion

Threat actors incorporating recently discovered vulnerabilities in
popular software – Microsoft Office, in this case – only increases the
potential for successful infections. These types of threats show why
it is very important to ensure that all software is fully updated.
Additionally, all industries should be on alert, as it is highly
likely that the threat actors will eventually move outside the scope
of their current targeting.

At the time of writing, the FireEye Multi Vector Execution (MVX)
engine is able to recognize and block this threat. Table 2 lists
the current detection and blocking capabilities by product.

Detection Name                             Product    Action
-----------------------------------------  ---------  ------
POWERSHELL DOWNLOADER D (METHODOLOGY)      HX         Detect
SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)  HX         Detect
POWERSHELL DOWNLOADER (METHODOLOGY)        HX         Detect
SUSPICIOUS EQNEDT USAGE (METHODOLOGY)      HX         Detect
TOR (TUNNELER)                             HX         Detect
SUSPICIOUS SVCHOST.EXE (METHODOLOGY)       HX         Detect
Malware.Binary.rtf                         EX/ETP/NX  Block
Malware.Binary                             EX/ETP/NX  Block
FE_Exploit_RTF_CVE_2017_8759               EX/ETP/NX  Block
FE_Exploit_RTF_CVE201711882_1              EX/ETP/NX  Block

Table 2: Current detection capabilities by FireEye products

Indicators of Compromise

The analysis in this post is based on the representative sample lures
shown in Table 3.

MD5                               Name
--------------------------------  ------------
76011037410d031aa41e5d381909f9ce  accounts.doc
4bae7fb819761a7ac8326baf8d8eb6ab  Courrier.doc
eb5fa454ab42c8aec443ba8b8c97339b  doc.doc
886a4da306e019aa0ad3a03524b02a1c  Pause.ps1
04077ecbdc412d6d87fc21e4b3a4d088  words.exe

Table 3: Sample Zyklon lures

Network Indicators


This is a Security Bloggers Network syndicated blog from Threat Research Blog authored by Threat Research Blog. Read the original post at: http://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html