Unpatched computers running the Microsoft Office productivity suite are being targeted by a wave of attacks based on the Zyklon malware, which can steal passwords and wallet data.
The security company FireEye warns that these attacks involve three different Office vulnerabilities, two of which Microsoft has already patched.
The first is a .NET Framework bug, described in detail in CVE-2017-8759, which Microsoft corrected in October. The second is a remote code execution bug in the Microsoft Equation Editor (CVE-2017-11882), which was patched in November, while the third is a fairly controversial issue in Dynamic Data Exchange (DDE).
Microsoft has stated that this third issue is not a security vulnerability and does not require a patch, but the company has published information on how to stay protected when using this feature.
FireEye reports that the attacks are delivered via emails containing malicious DOC files that attempt to exploit these vulnerabilities. As soon as it is opened, the document connects to the server, allowing attackers to use all of Zyklon's capabilities, including theft of passwords stored in browsers and FTP connections, recovery of gaming keys, and collection of license keys for software developed by Adobe and Microsoft.
Additionally, the malware can capture the clipboard, steal Bitcoin data, and create a SOCKS5 server on the infected computer.
Zyklon was first identified at the beginning of 2016, but FireEye reports that most of these attacks are now targeting three different industries, namely telecommunications, insurance and financial services.