For the past few weeks, there has been an increase in malspam delivering Zyklon malware. Zyklon is available for sale on the Darknet and is capable of launching various types of DDoS attacks, data theft and fraud [1] [2]. In this threat advisory, we will shed some light on its delivery mechanism.
Let’s take this delivery document from June 21, 2017 [3] seen in the wild as Sean-Resume.doc. An attacker can easily trick a victim into running the embedded malicious macro.
Upon running the macro launches a powershell script to download and run the malware. Here is the process tree:
Here is the download session from NetWitness Packets and Logs:
The checksum of the downloaded executable can be obtained using the “View Files” option:
Analysis results on VirusTotal suggest it is a Zyklon variant [4].
The malicious network behavior is easily detected using NetWitness Packets and Logs. Here are some of the meta values registered by the Hunting pack for the download sessions since mid-May [5]:
It is worth mentioning that over the same period of time, the filename in those download sessions has been constantly changing:
All the IOC from those HTTP sessions were added to RSA FirstWatch Command and Control IPs on Live with the following meta values:
- threat.source = ‘rsa-firstwatch’
- threat.category = ‘malspam’
- threat.description = ‘delivery-ip’
References:
- https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/zyklon-http-botnet/
- https://myonlinesecurity.co.uk/spear-phishing-fake-resume-malspam-leads-to-malware/
- https://www.virustotal.com/en/file/4ad419ebe91c3549eb18731c7bc6fd6bf2f7da83d6295b3c75efb684a8449486/analysis/
- https://www.virustotal.com/en/file/524ad16ac80b196a5507fc45adfff6edc2938d498bc8e736ac69a8be7e5e8034/analysis/
- https://community.rsa.com/docs/DOC-62341
