Word, Excel malware creeping under radar of sysadmins

By on
Word, Excel malware creeping under radar of sysadmins

Stealthy Crigent virus discovered.

A new malware family that could "creep under the radar" of many system administrators has been found infecting Microsoft Word and Excel files. 

The ‘Crigent/Power Worm' virus uses several new techniques to conceal itself – including working solely through the Windows PowerShell scripting tool rather than creating or including executable code.

The malware was revealed by Trend Micro in a blog post late last week. Threat response engineer Alvin John Nieto said IT administrators that are "normally on the lookout for malicious binaries" may overlook the virus, as "malware using this technique is not particularly common.”

Crigent hides in infected Word or Excel documents which can be dropped by other malware, or users may unknowingly download it via malicious links or websites.

Crigent then sends information about the user's server – including IT address, location and user account privilege level – and waits for commands from the attacker running it.

“Cyber criminals often use gathered user information as a way of doing analytics that could aid current or future attacks. In this particular case, it should be noted that the malware takes note of the MS Office applications and versions—which is crucial information for the routines to be successful or to push through," Trend Micro said in a statement.

It first spotted the malware earlier this month, and is still analysing which countries it is targeting. It is also yet to be able to attribute a source.

Crigent works by downloading two components which it immediately disguises by changing their name and hiding where they were sourced (the Tor network and Polipo personal web cache/proxy) in DNS records. The malware masquerades as legitimate files hosted in Dropbox and Microsoft OneDrive cloud sites.

“To someone examining the network traffic without looking at the actual files, all that would have been apparent was a pair of DNS queries to Google's public DNS servers, and a file downloaded from two well-known cloud services. Neither would be found particularly suspicious," Nieto said in the blog post.

“Aside from compromising the security of the infected system, Crigent also infects documents - which may contain critical information - and may render them useless due to their new ‘format'. Enterprises and individual users may lose crucial data.”

Trend Micro global threats communication manager, Christopher Budd, said the problem is exclusive to Windows systems.

“Crigent only targets Windows-based versions of Word and Excel, given that Powershell is exclusive to Windows. But this doesn't mean that newer versions of MS Office are truly ‘safe' from threats. Cyber-criminals are constantly creating/refining malware to include new targets—which could very well be the newer versions of MS Office.”

To protect themselves from Crigent, Nieto advised network administrators be suspicious of the presence of Polipo and Tor within an internal network, and recommended they also consider blocking Tor traffic to deter Crigent and other threats.

“It's worth noting that the file extensions that Crigent uses to save infected files as – .DOC and .XLS – are no longer the default file types. The versions of Office from Office 2007 onward use, by default, the .DOCX and .XLSX file extensions," he said.

"The presence of large numbers of new files using older formats may be a possible sign of the presence of Crigent.”

This article originally appeared at scmagazineuk.com

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, UK edition

Most Read Articles

Log In

  |  Forgot your password?