Zyklon malware campaign targets Office vulnerabilities


Security researchers have spotted attackers exploiting two Microsoft vulnerabilities delivered through malicious Office documents, CVE-2017-8759 (a .NET Framework flaw) and CVE-2017-11882 (a memory corruption bug in the Office Equation Editor), to spread the Zyklon HTTP malware.

According to FireEye, Zyklon has been observed in the wild since early 2016. FireEye warns that Zyklon provides a myriad of sophisticated capabilities, such as a “full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal.”

The recent wave of attacks is using spam email with ZIP attachments (containing malicious documents) to target the telecommunications, insurance and financial services industries.

Two of the vulnerabilities being exploited are CVE-2017-8759 (discovered as a zero-day in September 2017) and CVE-2017-11882 (exploited by the APT34 group in December 2017).

Update (January 20, 2020): A recent article lists both of these vulnerabilities in its “Top 20 vulnerabilities to patch now”, the flaws currently most under attack.