Another dangerous malware case has been on the rise and it is exploiting human negligence and out of date software. The name of the malware is called Zyklon, and it is specifically coming for Microsoft Office users through their inboxes. The malware was first identified in 2016 as accessible to the public and it seems to be making a strong comeback. Zyklon is currently spreading by way of a global phishing campaign with very sophisticated emails.The emails are not targeting everyone though, the attackers seem focused on three industries: telecommunications, insurance, and financial services. Once Zyklon makes it on a vulnerable system it has the capability to communicate with a remote command and control server, making Zyklon a backdoor, which enables the malware to: keylog, acquire passwords, download plugins, execute downloaded plugins, launch a DDoS attack, self-update, and self-destruct. Essentially this backdoor allows the attack to launch any type of attack they want on an organization. If they decide they want to hold your device (and network too) hostage for a ransom, they can do that.

If the attacker wants to steal every password you have saved in your browser, that too is possible. This malware provides a variety of opportunities for a malicious hacker to steal data, credentials, or just outright sabotage your organization. Let’s explore how Zyklon works and how you can stay safe.

How Zyklon Works

The resurfaced malware has a common means of infiltration, as an email attachment. The attack starts as a fake email. The email is very well crafted and contains a zip file. The zip file is a word doc that is packaged with three exploits of Microsoft Office. The three vulnerabilities that the exploits target were patched by microsoft in September 2016 but there are many users who have not updated their software. The exploits download the “Powershell” payload, then they begin downloading the final payload, which is the command and control server. One the command and control server is download, a remote user now have full access to the terminal.

FireEye Inc has put together a visual graphic to demonstrate how the attack flow happens, which only takes a few seconds.

Zyklon Malware Campaign Exploits Microsoft Office
Darknet Involvement

Zyklon is available on the Darknet and comes in a variety of formats. The standard version will cost a buyer around $75 USD. There is an additional charge for the Tor-enabled version that makes investigation tougher, if not impossible for victims. The cost for the Tor-enabled version averages at $125. What should concern organizations and IT professionals is that this malware is readily available in many markets on the darknet. You can explore our series on the darknet if you want to understand the dynamics of the darknet.

How to Stay Secure

Thankfully Zyklon is able to be prevented from infecting your systems with some simple adjustments. If this is your first time implementing the following security practices it is suggested to continue them to prevent other malware attacks from impacting your organization. No security is 100% proof but by implementing better security practices you can dramatically reduce your risk.


Zyklon is only able to exploit out of date Microsoft Office software. Microsoft has actually patched the vulnerabilities months ago, in September. If you have auto-updates setup on Microsoft Office you are protected from this malware that is spreading. The practice of staying up to date, is absolutely critical in today’s security environment. Your operating systems, firmware, and software must always remain up to date. If not well you run the risk of being susceptible to dangerous malware such as WannaCry, NotPetya, and Zyklon.

Email Monitoring

The primary means of distribution for the Zyklon malware is email. By not keeping track of this important communication channel we run the risk of not being attacked by malware such as Zyklon. It is important to understand when one of your employees is about to become victim of a phishing scheme or social engineering attempt. Social engineering is when malicious actors attempt to manipulate unsuspecting victims into opening a dangerous file or giving up information. Anyone is susceptible to social engineering, even agencies like the CIA, where they recently gave intelligence operations details to a 15 year old by accident. The term social engineering covers a large array of activities, including phishing.

The emails that the hackers are sending are an example of a social engineering attempt to get potential victims to download the zip file, unzip it, and open the containing word document. Email monitoring is not difficult and there are open source tools out there for carrying out the task, but often it is better to have a privately managed solution in case any vulnerabilities are discovered. Teramind’s email monitoring is integrated with a risk profiling tool to indicate which employees and departments may be most susceptible to a phishing attempt.

Monitoring email can be something of an ethical dilemma for some managers. If you have concerns you should look into the laws of your state about it. Throughout the US email monitoring of business accounts is allowed but some states may require that you inform employees of any monitoring activity.

Employee Training

Lastly, to prevent other malware attacks that may be more dangerous than Zyklon some employee training paired with education needs to happen. While it does help to teach employees about phishing attempt, research has demonstrated that training helps to decrease phishing susceptibility by up to 40% in an organization. While employee training may be an investment in itself cannot prevent phishing from happening, it does decrease your risk of an employee falling victim to it

Staying Vigilant

You need to prepare for an increase in cyber security attacks and more dangerous malware distributions. Businesses need to be more prepared for the uncertain times that we live in. Cyber attacks may happen for any number of reasons including financial extortion and hacktivism. Keeping your business safe is the most effective way to reduce risk in today’s world. Click below to learn more about Teramind.

Insider Threat Detection