The Resurgence of Zyklon – The Swiss Army Knife of Malware


Trevor Reschke, Head of Threat Intelligence

Researchers from FireEye recently reported the reappearance of a strain of malware first seen in 2016. Zyklon is a multi-faceted piece of malware that its handlers can use for password gathering and keylogging, as well as for drawing victims’ systems into a botnet to launch DDoS attacks and mine cryptocurrency. The sophisticated piece of kit is delivered by spam emails containing a malicious .doc file and takes advantage of known vulnerabilities in Microsoft Office. Once the document is opened, a PowerShell-based payload takes over the system and downloads the final payload from a Command and Control (C2) server to finish the job.


With malware like this, anyone using Microsoft Office is a potential target, although FireEye has noted that the prime targets of Zyklon’s campaign are financial services businesses, insurance firms and telecom companies. In reality, the targets are going to depend on who’s running the crimeware. While these attacks could be highly targeted through social engineering, for the most part it’s likely the malware is just out there grabbing as much information as it can. The group running it can then take anything they want – like particular bank account details or email accounts – and then sell off the rest to a broker.


Most criminal groups are looking for a quick payday and by exploiting a vulnerability in software as widely used as Microsoft Office, they’re in with a good chance – even now that a patch is available. After all, how many of us reflexively hit ‘remind me later’ on our software update notifications?


Detect malware in the hidden depths

This pretty flexible piece of banking malware can be bought for as little as $75 on underground marketplaces but, interestingly, those looking for a Tor-enabled version can pay a premium ($125) to mask its communication using the network’s hidden service protocol. While it’s not yet a common approach, cyber criminals are increasingly realizing that taking advantage of Tor to hide communications can allow them critical extra time before their C2 servers are taken offline.


Masking C2 communications is nothing new but, by taking advantage of Tor, exfiltration monitoring becomes more of a challenge than it already was. Unless you’re going to completely lock down all external connections, which isn’t a realistic option in most environments, the only viable answer has been a combination of expensive security solutions. Even with those tools in place, criminals executing this particular piece of malware could still use its keylogging or password hoarding functionality to log in to social media or email accounts and transfer data that way.
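Tor does not make C2 traffic invisible on the local network; it changes what the monitoring has to look for. A host that resolves .onion names, talks to known relays or well-known Tor ports, or checks in with one destination on a fixed schedule still stands out in flow and DNS logs. The script below is an added example for this post, not code from FireEye or from any Zyklon analysis; the log format, the sample lines, the addresses (RFC 5737 documentation ranges) and the KNOWN_RELAYS set are all constructed placeholders, and a real deployment would load the relay list from the published Tor consensus instead.

```python
"""Flag Tor-style C2 traffic in constructed flow and DNS log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Default Tor ports: ORPort, DirPort, local SOCKS for the daemon and the Browser bundle.
TOR_PORTS = {9001, 9030, 9050, 9150}
# Constructed placeholder; in practice populate from the published relay consensus.
KNOWN_RELAYS = {"203.0.113.10"}

# Constructed sample log: one record per line, ISO timestamp then key=value fields.
SAMPLE_LOG = [
    "2018-01-18T10:00:00Z src=10.0.0.5 dst=203.0.113.10 dport=9001 proto=tcp bytes_out=1420",
    "2018-01-18T10:01:12Z src=10.0.0.7 dst=198.51.100.4 dport=443 proto=tcp bytes_out=5300",
    "2018-01-18T10:02:30Z src=10.0.0.5 query=placeholder-service.onion type=A",
    "2018-01-18T10:05:00Z src=10.0.0.5 dst=203.0.113.10 dport=9001 proto=tcp bytes_out=1388",
    "2018-01-18T10:07:41Z src=10.0.0.9 dst=192.0.2.44 dport=443 proto=tcp bytes_out=812",
    "2018-01-18T10:10:00Z src=10.0.0.5 dst=203.0.113.10 dport=9001 proto=tcp bytes_out=1402",
    "2018-01-18T10:13:05Z src=10.0.0.9 dst=192.0.2.44 dport=443 proto=tcp bytes_out=950",
    "2018-01-18T10:15:00Z src=10.0.0.5 dst=203.0.113.10 dport=9001 proto=tcp bytes_out=1395",
    "2018-01-18T10:31:50Z src=10.0.0.9 dst=192.0.2.44 dport=443 proto=tcp bytes_out=770",
    "2018-01-18T10:40:00Z src=10.0.0.9 dst=192.0.2.44 dport=443 proto=tcp bytes_out=1020",
]


def parse_line(line):
    """Split a record into a dict; the timestamp becomes a datetime under 'ts'."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def static_hits(ev):
    """Per-record indicators that need no history."""
    hits = []
    if ev.get("query", "").lower().endswith(".onion"):
        hits.append("onion_lookup")          # .onion names never resolve via public DNS; the attempt itself is the signal
    if ev.get("dport") and int(ev["dport"]) in TOR_PORTS:
        hits.append("tor_port")
    if ev.get("dst") in KNOWN_RELAYS:
        hits.append("known_relay")
    return hits


def beacon_pairs(events, min_count=4, max_cv=0.1):
    """(src, dst) pairs seen at least min_count times with near-constant spacing."""
    by_pair = defaultdict(list)
    for ev in events:
        if "dst" in ev:
            by_pair[(ev["src"], ev["dst"])].append(ev["ts"])
    beacons = set()
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        # Low coefficient of variation means the check-ins are on a timer.
        if m > 0 and pstdev(gaps) / m <= max_cv:
            beacons.add(pair)
    return beacons


def analyse(lines):
    """Map each flagged source host to the sorted set of indicators seen for it."""
    events = [parse_line(l) for l in lines]
    beacons = beacon_pairs(events)
    findings = defaultdict(set)
    for ev in events:
        for hit in static_hits(ev):
            findings[ev["src"]].add(hit)
        if (ev.get("src"), ev.get("dst")) in beacons:
            findings[ev["src"]].add("beacon")
    return {src: sorted(hits) for src, hits in findings.items()}


if __name__ == "__main__":
    for host, hits in analyse(SAMPLE_LOG).items():
        print(host, hits)
```

Port and relay matching are cheap but incomplete, since relays and bridges can listen on 443 or 80 and the relay list changes hourly; the beaconing check is what catches a check-in loop regardless of port, so the host 10.0.0.9 with the same number of connections but irregular timing is left alone while 10.0.0.5 is flagged on all four counts.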


Prevent malware attacks

Zyklon is an example of the incredibly sophisticated and multi-faceted malware we’re facing now. The tools we’ve relied on for years to detect and remove crimeware can no longer do the job effectively on their own. While they still have their place as part of a layered approach to security, we need to look at other solutions that better protect both businesses and end-users.


The answer lies in the ability to stop malware from getting what it wants – information. Instead of relying only on the prevention and remediation strategies that were popular (and effective) in the past, the answer is simply to stop it from exfiltrating any information at all, or at least to make any data it accesses completely illegible. The only reliable way to do this is to implement an approach that secures the full transaction stack. In the past this was far easier to say than do, but modern, cloud-based security solutions are now making it relatively simple.