Skip to main content

Zyklon malware returns to target fresh Office vulnerabilities

(Image credit: Photo Credit:

Experts have warned that devices running unpatched versions of the Microsoft Office suite are at risk of having their passwords stolen and having their data compromised.

According to security researchers at FireEye, the Zyklon malware, first spotted in 2016, has resurfaced to target a recently discovered vulnerability in Office. 

Through Zyklon, cyberattackers can harvest passwords, or use the infected machine for DDoS attacks.

"The malware can download several plugins, some of which include features such as crypto-currency mining and password recovery, from browsers and email software," warned FireEye security researchers Swapnil Patil and Yogesh Londhe in an online advisory detailing the many dangers posed by Zyklon.

This time around, however, Zyklon is targeting businesses, including financial institutions, insurance and telecom companies.

The malware leverages Office vulnerability (CVE-2017-11882), infecting a system through malicious email attachments. When the attachment is opened, another file is downloaded in an embedded OLE (Object Linking and Embedding). This contains a PowerShell command that finally downloads the malware.

"What stands out the most to me is that the Zyklon malware is being packaged with pricing tiers based on features. We have seen many attacks now leveraging Tor for outbound communication and PowerShell for malware updates," said Morales in email remarks sent to eWEEK. Tor is free open source software that enables anonymous web communication.

"We have even seen a large influx of crypto-currency mining tools over the last 6 months, in particular within universities," added Morales, before noting that Zyklon gathers multiple malicious software components "into single package that can be neatly deployed by an end user, just like you would add features to the base price of a car."

Photo Credit: