Fresh Worm ‘Crigent’ Attacks Excel/Word Documents, Finds Trend Micro
Researchers at Trend Micro recently detected a new malware family, which they dubbed Crigent (also known as Power Worm), that attacks Excel and Word documents.
The worm carries out its routine operations through PowerShell, the Windows scripting tool, which helps it stay hidden from IT administrators hunting for malicious programs.
Crigent enters a system through an infected Excel or Word file that the user downloads, or through another malicious program already present on the target PC.
Once executed, Crigent immediately downloads two additional components from well-known open projects: Polipo (a personal caching web proxy) and the Tor anonymity network software.
The downloaded files are disguised under different file names, and the attacker hides the locations they are hosted at within DNS records. Legitimate cloud file-hosting services, in this case OneDrive and Dropbox, are used to store copies of the files.
This further helps hide the worm's activity from network administrators.
Crigent communicates with its command-and-control (CnC) server through Polipo and Tor. The server supplies the malware with a PowerShell script containing code that uploads details of the compromised computer to the CnC server: its IP address, user account privileges, location, operating system, language and architecture, and the names and versions of any Microsoft Office programs that may be installed.
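As an added defender's example (not from the article or from Trend Micro), the following Python flags the process lineage the article describes in constructed Windows process-creation records: an Office application spawning PowerShell, and PowerShell spawning the Tor or Polipo binaries it downloaded. The file paths, PIDs and command lines are all made up for illustration.

```python
"""Process-lineage detection for the Crigent chain described above: an Office app
spawning PowerShell, then PowerShell spawning Tor/Polipo. Constructed records only."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe"}             # infected Word/Excel documents
POWERSHELL = {"powershell.exe", "powershell_ise.exe"}  # scripting host the worm runs in
ANON_TOOLS = {"tor.exe", "polipo.exe"}                 # components the worm pulls down

@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str

def image_name(path: str) -> str:
    """Lower-cased executable name from a full Windows path (works on any OS)."""
    return PureWindowsPath(path).name.lower()

def detect(events):
    """Return one Finding per process-creation event that matches either stage."""
    findings = []
    for ev in events:
        parent, child = image_name(ev["parent"]), image_name(ev["image"])
        detail = f"{parent} -> {child}: {ev['cmdline']}"
        if parent in OFFICE_APPS and child in POWERSHELL:
            findings.append(Finding("office-spawns-powershell", ev["pid"], detail))
        elif parent in POWERSHELL and child in ANON_TOOLS:
            findings.append(Finding("powershell-spawns-anon-proxy", ev["pid"], detail))
    return findings

# Constructed sample: one infection chain interleaved with benign admin activity.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"pid": 4101, "parent": r"C:\Windows\explorer.exe", "image": WORD,
     "cmdline": "WINWORD.EXE quarterly_report.docm"},          # benign on its own
    {"pid": 4188, "parent": WORD, "image": PS, "cmdline": "powershell.exe -File stage.ps1"},
    {"pid": 4210, "parent": PS, "image": r"C:\Users\alice\AppData\Local\Temp\tor.exe",
     "cmdline": "tor.exe -f torrc"},
    {"pid": 4222, "parent": PS, "image": r"C:\Users\alice\AppData\Local\Temp\polipo.exe",
     "cmdline": "polipo.exe -c polipo.conf"},
    {"pid": 5002, "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe Get-Service"},  # benign: admin console, no Office parent
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Running the block prints three findings (PIDs 4188, 4210 and 4222) and stays silent on the two benign records.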
A Trend Micro spokesperson described the use of PowerShell as uncommon and suggested the attack was likely the initial phase of a wider campaign, V3 reported on March 28, 2014.
According to the spokesperson, the attack's use of the anonymity-enabling Polipo and Tor software was dangerous because it concealed the malware's operations on the Internet.
The spokesperson added that Crigent's use of Tor let infected computers contact the CnC server to receive instructions, in particular for sending information collected from the system.
Christopher Budd, Communication Manager for Global Threats at Trend Micro, described the threat as devised solely for Windows computers, SCMagazineUK.com reported on March 28, 2014.
» SPAMfighter News - 04-04-2014