Recent, large-scale distributions of the Zyklon botnet malware mark a continuing trend of off-the-shelf malware use. This multipurpose trojan, capable of supporting numerous criminal activities, has been identified in phishing attacks more and more frequently through the month of April. The bulk of these campaigns have leveraged resume- and job-applicant-themed messaging as the phishing narrative. The most recent analyses of this distribution have shown that the threat actors are attempting to leverage the malware’s full feature set by using it not only as an information stealer, but also as a downloader used to obtain and deploy the Cerber ransomware to infected endpoints. This technique demonstrates threat actor resourcefulness as well as the increasing commodification and democratization of malware utilities once reserved for only the most technically capable threat actors.
Zyklon is modular botnet malware designed to provide its users with a range of capabilities. At its core, it acts as a data stealer capable of extracting and exfiltrating information such as FTP and email credentials as well as credentials stored in a browser. An interesting category of targeted information is software and video game license keys. Additional modules provide the ability to log keystrokes, use infected machines for Bitcoin mining, add proxy server capabilities, and act as a downloader for additional malware. One notable feature is Zyklon’s reliance on a connection to the Tor network for command and control communication, facilitated by the inclusion of the Tor proxy stack.
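The Tor-based command and control described above is the most useful detection hook in this feature set. The following is an added example, not code from the original post or from any Zyklon analysis: it runs a simple heuristic over a constructed set of per-process connection records and flags processes that either talk to a local Tor SOCKS listener over loopback or reach out directly to common Tor relay ports. The assumption (stated here, not taken from the page) is that malware shipping its own Tor stack starts a local SOCKS proxy that the payload connects to, while the bundled Tor process itself connects out to relays. Process names, addresses and the allowlist are all constructed for illustration.

```python
"""Flag processes whose network activity looks like local Tor client use.

Heuristic (an assumption for this example, not a claim about any specific
sample): a payload that ships its own Tor stack usually runs a local SOCKS
listener and the stealer/downloader component connects to it over loopback,
while the Tor process itself reaches out to relays on common ORPort values.
"""
from collections import defaultdict

# Commonly used Tor defaults: 9050 (SOCKS), 9150 (Tor Browser SOCKS),
# 9001 (ORPort), 9030 (DirPort). Relays also frequently listen on 443,
# which is deliberately NOT included here to limit false positives.
TOR_LOCAL_SOCKS_PORTS = {9050, 9150}
TOR_RELAY_PORTS = {9001, 9030}

# Processes expected to talk to Tor on a managed endpoint (assumed allowlist).
ALLOWED_TOR_CLIENTS = {"firefox.exe", "tor.exe"}

# Constructed sample of connection records: (process, local endpoint, remote endpoint).
# Addresses use RFC 5737 documentation ranges; nothing here is a real indicator.
SAMPLE_CONNECTIONS = [
    ("firefox.exe", "127.0.0.1:51000", "127.0.0.1:9150"),     # Tor Browser, allowed
    ("tor.exe",     "10.0.0.5:51001",  "198.51.100.7:9001"),  # expected Tor client
    ("resume.exe",  "127.0.0.1:51002", "127.0.0.1:9050"),     # unknown process using local SOCKS
    ("svchost.exe", "10.0.0.5:51003",  "203.0.113.9:9001"),   # unexpected process reaching ORPort
    ("outlook.exe", "10.0.0.5:51004",  "203.0.113.10:443"),   # ordinary HTTPS, ignored
]


def parse_endpoint(endpoint):
    """Split 'host:port' into (host, int port); works for IPv4 and bracketed IPv6."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def classify(conn):
    """Return a finding string for a suspicious record, or None if it looks benign."""
    proc, _local, remote = conn
    rhost, rport = parse_endpoint(remote)
    if proc.lower() in ALLOWED_TOR_CLIENTS:
        return None
    # Loopback connection to a Tor SOCKS port: something is proxying through a local Tor.
    if rhost == "127.0.0.1" and rport in TOR_LOCAL_SOCKS_PORTS:
        return f"{proc}: connects to local Tor SOCKS port {rport}"
    # Direct outbound to a relay port from a process that is not a known Tor client.
    if rhost != "127.0.0.1" and rport in TOR_RELAY_PORTS:
        return f"{proc}: outbound to Tor relay port {rport} at {rhost}"
    return None


def find_suspicious(conns):
    """Group findings by process name so an analyst sees one entry per suspect."""
    findings = defaultdict(list)
    for conn in conns:
        hit = classify(conn)
        if hit:
            findings[conn[0]].append(hit)
    return dict(findings)


if __name__ == "__main__":
    for proc, hits in find_suspicious(SAMPLE_CONNECTIONS).items():
        print(proc, hits)
```

Port-based matching is a coarse first pass: relays that listen on 443 will slip through, and a legitimate but unlisted Tor client will be flagged. In practice this logic is a triage filter to be combined with a current Tor relay list and with process ancestry (which parent spawned the process opening the loopback SOCKS connection), rather than a standalone verdict.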
The Zyklon botnet malware’s downloader capability has become a pathway for threat actors to deploy the Cerber ransomware to infected endpoints. This behavior allows threat actors to not only collect victims’ private data, but also to demand payment in exchange for decrypting files on the infected machine. The Cerber encryption ransomware rose to prominence in 2016 as a “ransomware-as-a-service” platform that made ransomware available to a wide audience of threat actors. Rather than forcing a relatively unsophisticated criminal to create and support a complex ransomware tool, Cerber helped further democratize the ransomware market by removing much of that burden.
The pairing of the Cerber encryption ransomware with the Zyklon botnet and downloader malware shows that robust, damaging, and destructive tools have become a sign of lowered barriers to entry for threat actors. Phishing threat actors who hope to intrude upon an organization and potentially hold its data hostage are no longer forced to develop their own tools and maintain their own supporting infrastructure. Instead, access to these can be gained using simple techniques and simple tools available at low cost and with low technical overhead.
For more information on PhishMe’s human-vetted, phishing-specific threat intelligence, request a demo today.