Currently, these three vulnerabilities have been exploited to spread Zyklon malware via phishing emails, often in ZIP form and containing contaminated Office files.
When opened, the infected file runs a PowerShell script that loads the payload (Zyklon HTTP) onto the victim's computer. "These techniques share the domain to load the payload at the next level (Pause.ps1), which is another PowerShell script encoded with Base64," FireEye researchers said. "Pause.ps1 handles the API needed to inject code. It also contains shellcode that can be injected. The injected code will load the payload from the server. The final payload is the PE executable file that is compiled with the .NET Framework."
Interestingly, the PowerShell script connects to dotless IP addresses (for example http://3627732942) rather than dotted ones to download the final payload.
* A dotless IP address, sometimes called a decimal address, is the 32-bit decimal value of an IPv4 address written without the dots that normally separate its four octets. Most current browsers convert such a decimal address to the equivalent dotted IPv4 address when it is opened with the 'http://' scheme.
For example, Google's IP address 216.58.207.206 converted to its decimal value becomes http://3627732942.
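As an added example (not code from the original article or from FireEye's report), the following Python converts between dotted-quad and decimal forms and then scans a few constructed proxy log lines for URLs whose host is a dotless IP, which is one practical way for defenders to surface this download pattern in web logs. The log lines, hostnames and the `find_dotless_ip_urls` helper are constructed for illustration; only the 3627732942 / 216.58.207.206 pair comes from the article.

```python
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse


def dotted_to_decimal(addr: str) -> int:
    """Convert a dotted-quad IPv4 address (e.g. 216.58.207.206) to its 32-bit decimal value."""
    return int(ipaddress.IPv4Address(addr))


def decimal_to_dotted(value: int) -> str:
    """Convert a 32-bit decimal value back to dotted-quad form; ValueError if out of range."""
    return str(ipaddress.IPv4Address(value))


def normalize_host(host: str) -> Optional[str]:
    """Return the dotted-quad form if `host` is a dotless (pure decimal) IPv4 address, else None.

    A value above 0xFFFFFFFF does not fit in 32 bits and is not a valid IPv4 address,
    so it is deliberately not treated as one.
    """
    if host.isdigit():
        n = int(host)
        if 0 <= n <= 0xFFFFFFFF:
            return decimal_to_dotted(n)
    return None


# Constructed sample proxy log lines (hypothetical hosts and timestamps, not real traffic).
SAMPLE_LOG = """\
2018-01-18T10:01:02Z host1 GET http://3627732942/Pause.ps1 200
2018-01-18T10:01:05Z host1 GET http://www.example.com/index.html 200
2018-01-18T10:02:11Z host2 GET http://216.58.207.206/ 200
2018-01-18T10:03:44Z host3 GET http://4294967296/x 404
"""


def find_dotless_ip_urls(log_text: str) -> List[Tuple[str, str]]:
    """Scan log text and return (url, dotted_ip) pairs for URLs whose host is a dotless IPv4.

    Ordinary dotted-quad hosts and hostnames are ignored; only hosts written as a bare
    decimal number within 32-bit range are flagged.
    """
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        for url in re.findall(r"https?://\S+", line):
            host = urlparse(url).hostname
            if host is None:
                continue
            dotted = normalize_host(host)
            if dotted is not None:
                hits.append((url, dotted))
    return hits


if __name__ == "__main__":
    print(dotted_to_decimal("216.58.207.206"))  # 3627732942
    for url, dotted in find_dotless_ip_urls(SAMPLE_LOG):
        print(f"dotless IP host in {url} -> {dotted}")
```

The scan only matches a host that is entirely decimal digits, which keeps legitimate dotted-quad and hostname traffic out of the results; the out-of-range line in the sample shows that the check also rejects numbers that cannot be an IPv4 address at all.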
According to BP