Zyklon Malware Abuses Microsoft Office Flaws

It is very often that users are aware of the potential security threats they might face if they do not update their software. Zyklon Malware is one of those malicious infections that are very good at exploiting software vulnerabilities. Recently, researchers at FireEye have reported that this malware makes use of three security vulnerabilities in the Microsoft Office software to infect multiple computers worldwide. In this article, we will discuss the three vulnerabilities in question, the malware itself, and the implications that this infection brings to table. Needless to say, caution is important now more than ever.

As far as Zyklon Malware is concerned, security experts have first discovered in the early 2016. This infection is a backdoor Trojan that can be used to promote other malware and steal important information. Its behavioral patterns depend a lot on what the hackers behind its command and control (C2) center may want it to do. As far as the research shows, Zyklon is able to log keystrokes, harvest passwords, download and execute malicious plugins, and even carry out DDoS (distributed denial of service) attacks.

Therefore, it is hard to say what the affected users can expect from this infection. The bottom line is that it can easily turn the infected computer into a zombie used for various cyber attacks. For instance, we do know for sure, that some of the downloaded plugins can, later on, be used to mine cryptocurrency. If that happens, users will soon notice that their computer performance slows down, and eventually, it will be impossible to operate the system.

Another frustrating thing about Zyklon Malware is that this program is available in public. Of course, one cannot get the malware for free, but the pricing may differ based on what features this program has. It is clear, however, that the attacks staged by this malware leverage Tor for communication. Tor is an open source browser often used by cyber criminals to access darknet because it allows users communication anonymously. According to researchers, the Zyklon Malware package that allows its user to communicate via Tor costs $125, as opposed to the regular $75 price for a malware package with the communication features.

Now, once you have this malware program in your possession, you have to spread it somehow. Research shows that Zyklon malware usually spreads via spam email messages. This is probably one of the most common malware distribution methods out there because it is the cheapest way to put your program in the wild. Zyklon comes in a zipped file attachment, and the infection file usually looks like a Microsoft Word document file. What’s more, the email message that carries the malicious installer may look like a notification from reputable industries. The criminals go to such lengths to make a good impression because, for the most part, the main targets of this scam are universities and companies in the financial services, insurance, and telecommunications. Once the malicious installer reaches the target system, this is where the Microsoft Office exploit comes into the picture.

There are three vulnerabilities that Zyklon Malware uses to infect the target computer with a malicious payload. The point is that not all systems that use Microsoft Office products may be vulnerable to this exploitation. As long as the software is updated to its latest version, it might be harder for the infection to exploit it. However, if one opens the infection file in a vulnerable environment, then the infection loads a PowerShell script that connects to its C2 server and downloads the main payload. Depending on the payload, the malware might engage in any of the previously mentioned activities.

We can also take a closer look at these vulnerabilities. According to the research reports, the first vulnerability is the so-called .NET framework bug (CVE-2017-8759). When Zyklon makes use of this vulnerability, it enables the criminals to download and install more programs, create new privileged accounts on the system, and manipulate data. Luckily, the patch for this vulnerability was released in October 2017, so users must make sure they update their Microsoft Office pack immediately.

The second vulnerability was found to be a 17-year-old bug (CVE-2017-11882), which persisted up until November 2017, when Microsoft released a patch for it. The vulnerability used to be found in Microsoft Equation Editor. On the vulnerable systems that still have it, the moment users open the malicious installer file, it exploits the bug to download additional DOC file that comes with a PowerShell code. The moment this code is executed, Zyklon downloads the main payload from its command and control center.

Finally, the third vulnerability is somewhat controversial because Microsoft does not consider it to be a bug. It is the Dynamic Data Exchange feature that is ought to be part of the product. As a result, there is no patch that would “fix” it, but in November 2017, Microsoft released new guidelines for administrators. Using those guidelines, the administrators can disable the Dynamic Data Exchange feature via Registry Editor. The main problem with the Dynamic Data Exchange feature is that when it gets exploited by macro-based malware, it enables the malicious applications to launch droppers, exploits, and other dangerous programs.

Everything we have discussed above shows how important it is to maintain your system’s security. It is rather worrying that this infection targets mainly big corporations as opposed to individual computers. To avoid Zyklon Malware, one has to be sure to monitor their emails. Whether the monitoring happens at the employee or management level, it is necessary to recognize when you could get involved in a phishing scam or a social engineering scheme.

Also, updating your software is probably one of the most efficient ways to prevent a number of malicious infections from entering your system. It would be for the best to keep the automatic update feature on so that you would not need to worry about that regularly. Finally, staying vigilant would also help you protect your system from malicious exploitation. If you think that you or your employees may need more training in recognizing potential security threats, you can always address professionals who would gladly enlighten you on the issue.


  1. Pedro Hernandez. Multifaceted Zyklon Malware Targets Microsoft Office Vulnerabilities. eWeek.
  2. Mohit Kumar. Hackers Exploiting Three Microsoft Office Flaws to Spread Zyklon Malware. The Hacker News.
  3. Johsua Morales. Zyklon Malware Campaign Exploited Microsoft Office. IT Security Central. Teramind.
  4. Swapnil Patil, Yogesh Londhe. Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign. FireEye.
  5. Hemant Saxena. Zyklon malware chooses Microsoft Office as a Vector for compromising Windows Systems. TWCN.
  6. Tom Spring. Attackers use Microsoft Office vulnerabilities to spread Zyklon malware. Threat Post.