Crigent uses the Windows PowerShell scripting tool to carry out its routines, a clever way to hide its presence from IT admins, who are concentrating on looking for malicious binaries.
It comes in the form of an infected Word or Excel document, downloaded by users or by some other malware that has already found its way onto the victim's computer.
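Because the worm never drops a binary of its own, the defender's counter is to make PowerShell itself visible. The script below is an added example written for this page, not code from the article or the researchers: it checks whether PowerShell script block logging is enabled (the policy key and Event ID 4104 exist from Windows PowerShell 5.x onward; older hosts have no such log) and then searches recent script blocks for the components and lookups the article names (Tor, Polipo, Dropbox, OneDrive, DNS queries). The keyword list, lookback window and the decision to enable logging from the script are assumptions to adjust per environment; it needs an elevated prompt.

```powershell
# Added example (not the article's or researchers' code): make PowerShell activity
# visible and hunt the script block log for the pieces Crigent is described as using.
# Assumes Windows PowerShell 5.x and an elevated session.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Get-ScriptBlockLoggingState {
    # $true when the policy value EnableScriptBlockLogging is set to 1.
    $v = Get-ItemProperty -Path $policyKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableScriptBlockLogging -eq 1)
}

function Enable-ScriptBlockLogging {
    # Same effect as the GPO "Turn on PowerShell Script Block Logging".
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Find-SuspiciousScriptBlocks {
    param(
        # Regex patterns (assumed; tune to the environment). \btor\b avoids matching
        # words like "vector"; the DNS cmdlets cover the hosting-info-in-DNS trick.
        [string[]]$Patterns = @('\btor\b', 'polipo', 'dropbox\.com', 'onedrive|1drv\.com',
                                'Resolve-DnsName|nslookup|\bTXT\b'),
        [int]$LookbackHours = 24
    )
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104                      # "Creating Scriptblock text"
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # For event 4104, Properties[2] holds the script block text.
        $text = [string]$e.Properties[2].Value
        $hits = $Patterns | Where-Object { $text -match $_ }   # -match is case-insensitive
        if ($hits) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Matched = ($hits -join ' | ')
                Snippet = $text.Substring(0, [Math]::Min(200, $text.Length))
            }
        }
    }
}

if (-not (Get-ScriptBlockLoggingState)) {
    Write-Warning 'Script block logging is off; enabling it so future scripts are recorded.'
    Enable-ScriptBlockLogging
}
Find-SuspiciousScriptBlocks | Format-Table -AutoSize -Wrap
```

Enabling logging only helps going forward, so the query will be empty on a host where it was off until now; the value of the check is that the next document-launched PowerShell session leaves its full script text in the event log, where the admins the article describes can see it even though no new binary ever appeared on disk.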
"When opened, right away it downloads two additional components from two well-known online anonymity projects: the Tor network, and Polipo, a personal web cache/proxy," the researchers explained.
"The attacker disguised both what these files were (by changing their file name), and where they are hosted by hiding this information in DNS records. Copies of these files are stored using legitimate cloud file hosts (in this case, Dropbox and OneDrive)."
This is another way that the malware's actions remain hidden from network administrators.
The malware contacts the C&C server via the Tor and Polipo software. From the server it downloads a PowerShell script that contains code that carries out the worm's primary goal: sending information about the compromised system to the C&C server.
This information includes the IP address, country and region names and codes, user account privilege, OS version and architecture, the MS Office applications found on the system and their versions, and more.
Finally, the same script also infects other Word and Excel documents (.doc, .docx, .xls, and .xlsx) found on the system, and converts them to the older .doc and .xls formats, then deletes the original files.
"A Visual Basic module (which contains the malicious macro) is created and saved together with all the .doc and .xls files; opening any of these restarts the infection chain," they noted.
This change might make a lot of these files useless, which makes this malware a lot more destructive than it seemed initially.
Since the .doc and .xls extensions have not been the default ones since Office 2007, if you spot a great number of these files on your computer - and you know you haven't created them - you might want to check it for Crigent.
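The file-system footprint described above (a burst of legacy .doc/.xls files, their .docx/.xlsx originals gone, and a VBA project inside each) can be hunted for directly. The script below is an added example written for this page, not code from the article or the researchers. The paths, burst threshold and lookback window are placeholders to tune; the macro check is a byte-level heuristic (legacy Office files are OLE compound documents whose stream names are stored as UTF-16LE, so decoding the file as UTF-16LE and searching for the "_VBA_PROJECT" stream name is cheap but not authoritative, and a legitimate macro-enabled document matches too).

```powershell
# Added example (not the article's or researchers' code): look for the Crigent
# conversion pattern on a user's own folders. Paths/threshold/lookback are assumptions.
param(
    [string[]]$Paths = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop"),
    [int]$BurstThreshold = 20,   # legacy files created on one day that count as a burst
    [int]$LookbackDays = 30
)

$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Legacy-format Office files created within the window.
$legacy = Get-ChildItem -Path $Paths -Recurse -File -Include *.doc, *.xls -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since }

# 2. A worm re-saving every document in one run leaves many files sharing a creation
#    day; users rarely produce dozens of Office 2003-format files at once.
$bursts = $legacy |
    Group-Object -Property { $_.CreationTime.Date } |
    Where-Object { $_.Count -ge $BurstThreshold }
foreach ($b in $bursts) {
    $day = $b.Group[0].CreationTime.Date
    Write-Warning ("{0} legacy Office files created on {1:yyyy-MM-dd}" -f $b.Count, $day)
}

# 3. The originals are deleted after conversion, so a .doc whose .docx twin is
#    missing is more suspicious than one sitting next to it.
function Test-OriginalMissing([IO.FileInfo]$File) {
    $modern = switch ($File.Extension.ToLower()) {
        '.doc' { [IO.Path]::ChangeExtension($File.FullName, '.docx') }
        '.xls' { [IO.Path]::ChangeExtension($File.FullName, '.xlsx') }
    }
    return -not (Test-Path -LiteralPath $modern)
}

# 4. Heuristic macro indicator: OLE directory entries keep stream names as UTF-16LE at
#    even offsets, so a UTF-16LE decode of the whole file exposes "_VBA_PROJECT" when a
#    VBA project is present. Not authoritative; a real check parses the OLE tree.
function Test-HasVbaProject([IO.FileInfo]$File) {
    $text = Get-Content -LiteralPath $File.FullName -Raw -Encoding Unicode
    return ($text -match '_VBA_PROJECT')
}

$report = foreach ($f in $legacy) {
    [pscustomobject]@{
        Path            = $f.FullName
        Created         = $f.CreationTime
        OriginalMissing = Test-OriginalMissing $f
        VbaProject      = Test-HasVbaProject $f
    }
}

# Files carrying both indicators come first; they are the ones to pull for analysis.
$report | Sort-Object { -not $_.OriginalMissing }, { -not $_.VbaProject } |
    Format-Table -AutoSize
```

Any file flagged with both indicators should be handled as a live infection vector rather than opened to "check": per the article, opening one of these documents restarts the infection chain.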