Zyklon is a strong and stable HTTP botnet it supports TOR browser and can handle unlimited tasks. It has serval credential stealers from the latest recoveries and has some other DDoS features.
- Encrypted communication
The connection between client and server is encrypted using RSA asymmetric encryption algorithm (Valid key sizes are 512-bit, 1024-bit, 2048-bit, 4096-bit) that is paired with AES-256. AES-256 keys are dynamically generated on the client and are encrypted before being stored in a session variable in the panel. After the initial key exchange, the whole communication is encrypted with AES-256.
- Sock5 remote proxy
Zyklon features the ability to establish a reverse Socks 5 proxy server on infected host machines.
- Hijack Clipboard Bitcoin Address
Zyklon has the ability to hijack the clipboard and replaces the user’s copied bitcoin address with an address served up by the actor’s control server.
- Cloud-based malware inspection Zyklon HTTP botnet will enumerate all startup files and upload them to the Virus Total online malware scanner. This will lead to analyzing of samples of malicious software that resides on the system. If the file is found to be malicious, Zyklon HTTP botnet will terminate all processes associated with that file and remove the file along with the registry keys from the system. This is a great option for perpetrators to ensure that their enslaved client systems are running without disruption. The botnet user can specify files to exclude from VirusTotal, and by calculating the MD 5 hash of the file Zyklon HTTP botnet will skip it while scanning.
While the Cloud-based malware inspection relies on Virus Total, bot killer uses its own algorithm to determine if a file is malicious or not. This method tends to have more false-positive detections. When using this feature, Zyklon HTTP botnet will scan all processes and will check common locations that malware resides in. It will attempt to detect injected processes and it will try to identify malware by behavioral analysis. If a file is detected as malicious the program will follow the settings specified in the bot killer feature, leading to the process termination and deletion of all associated files and registry keys. Like the Cloud-based malware inspection, this feature keeps an enslaved client machine secure and available.
The keylogger is a great feature when it comes to client surveillance. It will record all keystrokes and log them into a database. The logs are sorted by dates and can be accessed from almost anywhere in the C&C panel. The control panel also lets one specify the window titles to record keystrokes for, as opposed to bloated logs with all kind of entries. The keylogger supports most if not all languages and keyboard layouts. The user can specify the maximum amount of characters that will client hold in a buffer before they are sent to the panel, or set an interval at which the logs are being uploaded to the panel.
- Automatic updater
Zyklon HTTP botnet features automatic update function that ensures that all enslaved clients are running up to date software. When executed, it compares the update file hash and installed file hash and if found different – an updated file will be downloaded and installed. This comes very handily when controlling many clients.