Uncommon new worm targets Word and Excel files
Posted on 28.03.2014
Trend Micro researchers have uncovered a new malware family targeting Word and Excel files: the Crigent worm (a.k.a. Power Worm).

Crigent uses the Windows PowerShell scripting tool to carry out its routines, a clever way to hide its presence from IT admins, who tend to concentrate on looking for malicious binaries.


It comes in the form of an infected Word or Excel document, downloaded by users or by some other malware that has already found its way onto the victim's computer.

"When opened, right away it downloads two additional components from two well-known online anonymity projects: the Tor network, and Polipo, a personal web cache/proxy," the researchers explained.

"The attacker disguised both what these files were (by changing their file name), and where they are hosted by hiding this information in DNS records. Copies of these files are stored using legitimate cloud file hosts (in this case, Dropbox and OneDrive)."

This is another way that the malware's actions remain hidden from network administrators.

The malware contacts the C&C server via the Tor and Polipo software. From that server it downloads a PowerShell script containing the code that carries out the worm's primary goal: sending information about the compromised system to the C&C server.

This information includes the IP address, country and region names and codes, user account privileges, OS version and architecture, the MS Office applications found on the system and their versions, and more.

Finally, the same script also infects other Word and Excel documents (.doc, .docx, .xls, and .xlsx) found on the system, and converts them to the older .doc and .xls formats, then deletes the original files.

"A Visual Basic module (which contains the malicious macro) is created and saved together with all the .doc and .xls files; opening any of these restarts the infection chain," they noted.

This conversion might render many of these files useless, making the malware a lot more destructive than it initially seemed.

Since the .doc and .xls extensions have not been the default ones since Office 2007, if you spot a great number of these files on your computer - and you know you haven't created them - you might want to check the system for Crigent.
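The symptom just described can be turned into a quick triage check. The script below is an added example and is not code from the article or from Trend Micro's analysis: it walks a directory, lists legacy-format (.doc/.xls) files written within a recent window, and flags those that appear to carry a VBA project. The file-format heuristics are assumptions of mine, not something the article states: legacy Office files are OLE2 compound documents whose first eight bytes are D0 CF 11 E0 A1 B1 1A E1, and a macro-bearing file contains a `_VBA_PROJECT` stream whose name is stored in the OLE directory as UTF-16LE. The sample tree it builds is constructed for the demonstration.

```python
"""Triage check for a sudden crop of macro-carrying legacy Office files.

Added example, not part of the article or the Trend Micro analysis.
Assumed heuristics (mine): legacy .doc/.xls files are OLE2 compound
documents (magic D0 CF 11 E0 A1 B1 1A E1), and a file that contains the
UTF-16LE stream name '_VBA_PROJECT' carries a VBA project.
"""
import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # assumed OLE2 header
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")            # assumed stream name
LEGACY_EXT = {".doc", ".xls"}


@dataclass
class Finding:
    path: str
    reason: str
    macro: bool   # True when the VBA project marker was found


def is_ole_document(data: bytes) -> bool:
    return data.startswith(OLE_MAGIC)


def has_vba_project(data: bytes) -> bool:
    return VBA_MARKER in data


def scan_office_files(root, recent_hours=24, now=None):
    """Return a Finding for every legacy-extension file under `root`
    modified within the last `recent_hours`; older files are ignored
    because legacy documents are normal on many long-lived systems."""
    now = time.time() if now is None else now
    cutoff = now - recent_hours * 3600
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in LEGACY_EXT:
            continue
        if path.stat().st_mtime < cutoff:
            continue
        data = path.read_bytes()
        if not is_ole_document(data):
            findings.append(Finding(str(path), "legacy extension but not an OLE container", False))
        elif has_vba_project(data):
            findings.append(Finding(str(path), "recent legacy file carrying a VBA project", True))
        else:
            findings.append(Finding(str(path), "recent legacy file without VBA project", False))
    return findings


def macro_bearing(findings):
    return [f for f in findings if f.macro]


def build_sample_tree(base):
    """Create a constructed sample tree: one fresh macro-bearing .doc, one
    fresh plain .xls, one old macro-bearing .doc (outside the window) and
    one modern .docx (ZIP container, not a legacy extension)."""
    base = Path(base)
    (base / "archive").mkdir(parents=True, exist_ok=True)
    (base / "report.doc").write_bytes(OLE_MAGIC + b"\x00" * 64 + VBA_MARKER)
    (base / "budget.xls").write_bytes(OLE_MAGIC + b"\x00" * 64)
    (base / "memo.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 16)
    old = base / "archive" / "old.doc"
    old.write_bytes(OLE_MAGIC + b"\x00" * 64 + VBA_MARKER)
    thirty_days_ago = time.time() - 30 * 24 * 3600
    os.utime(old, (thirty_days_ago, thirty_days_ago))


def run_demo():
    """Build the constructed tree in a temp dir and scan it; returns
    (all findings, macro-bearing findings) as relative path strings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        findings = scan_office_files(tmp)
        rel = [Finding(os.path.relpath(f.path, tmp), f.reason, f.macro) for f in findings]
        return rel, macro_bearing(rel)


if __name__ == "__main__":
    for f in run_demo()[0]:
        print(f"{f.path}: {f.reason}")
```

Run it as-is to see the constructed demo, or call `scan_office_files("/path/to/user/files", recent_hours=48)` on a real tree. A single recent legacy file with a VBA project is not proof of infection (people still save macro-enabled .doc files), so treat a large count of such files, all written within the same short window, as the signal worth escalating.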