Delaware, USA – January 18, 2018 – Researchers from FireEye discovered a spear-phishing campaign that distributes the Zyklon backdoor. The campaign targets the telecommunications industry, as well as financial and insurance companies. The emails contain a ZIP archive with a malicious MS Word document that exploits one of three known vulnerabilities in MS Office to deliver the malware to the victim’s system. Zyklon is a full-featured backdoor that can steal sensitive information, conduct DDoS attacks and install additional modules on the infected system, including cryptocurrency miners. Communications with the C&C server are carried out via the Tor network.
In the delivery phase, the adversaries exploit vulnerabilities CVE-2017-8759 and CVE-2017-11882, as well as the infamous weakness in the DDE protocol that allows them to run PowerShell scripts on a vulnerable system. To protect against this attack, you need to ensure that you have all security updates installed, including the December update for Microsoft Office that disables the DDE protocol in MS Word. You can also use the SIEM use case DDE Exploitation Detector to uncover unauthorized execution of PowerShell scripts caused by abuse of the DDE protocol, and the DetectTor use case, which provides SIEM administrators with all information about detected connections to the Tor network in your organization.
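The two detection ideas above (a Word process launching PowerShell through DDE, and outbound connections to the Tor network) can be sketched as simple rules over endpoint telemetry. The following is an added example written for this page; it is not code from FireEye or from the SIEM use cases named above. It assumes Sysmon-style process-creation and network-connection events flattened into `key="value"` lines (a constructed format), that Office processes never legitimately spawn script hosts in the monitored environment, and that the default Tor ports (9001, 9030, 9050, 9150) have no legitimate use there; the sample log lines are constructed, not real telemetry. It generalises slightly beyond the text by also covering Excel and Outlook as parents and cmd.exe, wscript.exe, cscript.exe and mshta.exe as children.

```python
"""Toy SIEM rules: Office-spawned script hosts (DDE abuse pattern) and
connections to default Tor ports, run over constructed Sysmon-style events."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Office processes that should not launch a shell or script host (assumption).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Default Tor SOCKS/relay/directory ports; assumed unused legitimately in the org.
TOR_PORTS = {9001, 9030, 9050, 9150}


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse a constructed key="value" log line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def basename(path: str) -> str:
    """Strip a Windows path down to its lowercased file name."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_dde_abuse(ev: Dict[str, str]) -> Optional[Alert]:
    """DDE Exploitation Detector: Office parent spawning a script host."""
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        return Alert("DDE Exploitation Detector", ev.get("Host", "?"),
                     f"{parent} spawned {child}: {ev.get('CommandLine', '')}")
    return None


def detect_tor(ev: Dict[str, str]) -> Optional[Alert]:
    """DetectTor: outbound connection from any process to a default Tor port."""
    try:
        port = int(ev.get("DestinationPort", "0"))
    except ValueError:
        return None
    if port in TOR_PORTS and ev.get("Initiated", "true").lower() == "true":
        return Alert("DetectTor", ev.get("Host", "?"),
                     f"{basename(ev.get('Image', ''))} -> {ev.get('DestinationIp', '?')}:{port}")
    return None


def run_detections(lines: List[str]) -> List[Alert]:
    """Dispatch each event to the rule matching its type; collect alerts."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        kind = ev.get("EventType")
        alert = None
        if kind == "ProcessCreate":
            alert = detect_dde_abuse(ev)
        elif kind == "NetworkConnect":
            alert = detect_tor(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real logs). Expected: lines 2, 3 and 5 alert.
SAMPLE_EVENTS = [
    r'EventType="ProcessCreate" Host="ws-17" Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" ParentImage="C:\Windows\explorer.exe" CommandLine="WINWORD.EXE invoice.docx"',
    r'EventType="ProcessCreate" Host="ws-17" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" CommandLine="powershell.exe -w hidden -enc BASE64_PLACEHOLDER"',
    r'EventType="NetworkConnect" Host="ws-17" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Initiated="true" DestinationIp="198.51.100.23" DestinationPort="9001"',
    r'EventType="NetworkConnect" Host="ws-17" Image="C:\Program Files\Google\Chrome\Application\chrome.exe" Initiated="true" DestinationIp="203.0.113.5" DestinationPort="443"',
    r'EventType="ProcessCreate" Host="ws-22" Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" CommandLine="cmd.exe /c whoami"',
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The parent/child rule is the more robust of the two: DDE payloads necessarily surface as a child process of the Office application, whereas Tor detection by port alone misses relays on 443 and bridges, so in a real SIEM the DetectTor rule would be backed by a Tor node list rather than a port set.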