Zyklon Campaign Targets Telecommunications, Insurance, and Financial Services

FireEye researchers discovered a malicious email campaign attempting to distribute Zyklon malware to targets within the telecommunications and financial services sectors, as well as targets within the insurance industry. This campaign delivers a malicious Word document within a ZIP file that is attached to the emails. The malicious Word document contains an embedded OLE Object that, when executed, initiates the download of an additional document from an external URL. The additional document launches a PowerShell command to deliver Zyklon to the target’s system. Once a system is infected, it establishes communication with a C2 server, is joined to a botnet, and can be used to conduct distributed denial-of-service (DDoS) attacks against other targets. Zyklon also contains keylogging functionality and can steal passwords stored in web browsers, FTP applications, and email clients. The NJCCIC recommends that users and administrators within the aforementioned sectors and industries review the FireEye report for additional technical details and scan their networks for the associated Indicators of Compromise (IoCs). If you encounter an affected system, isolate it from the network immediately and thoroughly clean or reimage the system’s hard drive before recommissioning it.
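As an added example (not from the NJCCIC or FireEye material), the following mail-gateway check flags the attachment shape described above: a ZIP whose Word documents carry an embedded OLE object part. It assumes OOXML (.docx/.docm) attachments, where embedded objects live under `word/embeddings/`; legacy binary `.doc` files are a CFB container and would need a separate parser. The sample attachment is constructed inline.

```python
import io
import zipfile

# In an OOXML Word file, embedded OLE objects are stored as parts under this path.
EMBEDDING_PREFIX = "word/embeddings/"


def docx_has_embedded_ole(docx_bytes: bytes) -> bool:
    """Return True if the .docx (an OOXML zip) carries an embedded OLE object part."""
    try:
        with zipfile.ZipFile(io.BytesIO(docx_bytes)) as doc:
            return any(name.startswith(EMBEDDING_PREFIX) for name in doc.namelist())
    except zipfile.BadZipFile:
        # Not OOXML (e.g. legacy .doc); this check does not cover that format.
        return False


def suspicious_docs_in_zip(zip_bytes: bytes) -> list:
    """Names of Word files inside a ZIP attachment that contain embedded OLE parts."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            if info.filename.lower().endswith((".docx", ".docm")):
                if docx_has_embedded_ole(outer.read(info)):
                    hits.append(info.filename)
    return hits


def build_sample_docx(with_ole: bool) -> bytes:
    """Constructed minimal OOXML skeleton for demonstration only; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_ole:
            z.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


def build_sample_zip() -> bytes:
    """Constructed ZIP attachment: one document with an OLE part, one without, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.docx", build_sample_docx(with_ole=True))
        z.writestr("readme.docx", build_sample_docx(with_ole=False))
        z.writestr("notes.txt", "plain text")
    return buf.getvalue()


if __name__ == "__main__":
    print(suspicious_docs_in_zip(build_sample_zip()))  # ['invoice.docx']
```

A hit is a triage signal, not proof of Zyklon; route the attachment to sandbox detonation or manual review rather than relying on this check alone.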