There is a new malware family targeting Word and Excel files called the Crigent worm.
Crigent uses the Windows PowerShell scripting tool to carry out its routines, an effective way to hide its presence from IT watchdogs who concentrate on looking for malicious binaries, said researchers at Trend Micro.
It comes in the form of an infected Word or Excel document, downloaded by users or by some other malware that has already found its way onto the victims' computers.
“When opened, right away it downloads two additional components from two well-known online anonymity projects: the Tor network, and Polipo, a personal web cache/proxy,” the researchers said in a blog post.
“The attacker disguised both what these files were (by changing their file name), and where they are hosted by hiding this information in DNS records. Copies of these files are stored using legitimate cloud file hosts (in this case, Dropbox and OneDrive).”
This is another way the malware’s actions remain hidden from network administrators.
The malware contacts the C&C server via the Tor and Polipo software. From it, the malware downloads a PowerShell script containing code that carries out the worm’s primary goal: send to the C&C server information about the compromised system.
This information includes the IP address, country and region names and codes, user account privileges, OS version and architecture, the MS Office applications found on the system and their versions, and more, the researchers said.
The same script also infects other Word and Excel documents (.doc, .docx, .xls, and .xlsx) found on the system, and converts them to the older .doc and .xls formats, then deletes the original files.
“A Visual Basic module (which contains the malicious macro) is created and saved together with all the .doc and .xls files; opening any of these restarts the infection chain,” the researchers said.
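Two defender-side checks follow from the chain described above. This is an added example, not code from the article or from Trend Micro: the first flags process-creation log lines (in a constructed log format) where Word or Excel spawns PowerShell, the macro-to-script hand-off; the second scans for legacy .doc/.xls files that carry a VBA project. Legacy Office files are OLE2 compound documents whose directory stores stream and storage names in UTF-16LE, so a raw search for the `_VBA_PROJECT` name is a cheap first-pass indicator (a full parse needs an OLE library). All file names, log lines and sample bytes are constructed for illustration.

```python
"""Defender-side triage for the Crigent-style infection chain.

Check 1: Office application (winword.exe / excel.exe) spawning powershell.exe.
Check 2: legacy-format .doc/.xls files whose OLE2 container names a VBA project.
"""
import ntpath
import re
import tempfile
from pathlib import Path

# OLE2 compound file signature; legacy .doc/.xls files start with these bytes.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory entry names in OLE2 are stored as UTF-16LE; this is the VBA project storage name.
VBA_STORAGE_NAME = "_VBA_PROJECT".encode("utf-16-le")
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
LEGACY_EXTENSIONS = {".doc", ".xls"}

# Constructed log format (assumption, not any vendor's native format):
#   <timestamp> parent="<path>" child="<path>" cmd="<command line>"
LOG_RE = re.compile(
    r'parent="(?P<parent>[^"]*)"\s+child="(?P<child>[^"]*)"\s+cmd="(?P<cmd>[^"]*)"'
)

# Constructed sample log lines: one true positive, one benign PowerShell, one Office child that is not PowerShell.
SAMPLE_LOG = [
    r'2014-03-27T10:01:02 parent="C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" '
    r'child="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'cmd="powershell.exe -File C:\Users\u\AppData\Local\Temp\stage.ps1"',
    r'2014-03-27T10:01:05 parent="C:\Windows\explorer.exe" '
    r'child="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'cmd="powershell.exe -File C:\admin\backup.ps1"',
    r'2014-03-27T10:02:11 parent="C:\Program Files\Microsoft Office\Office12\EXCEL.EXE" '
    r'child="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c dir"',
]


def office_spawned_powershell(log_lines):
    """Return command lines of powershell.exe processes whose parent is Word or Excel."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        # ntpath handles Windows-style paths regardless of the host OS.
        parent = ntpath.basename(m.group("parent")).lower()
        child = ntpath.basename(m.group("child")).lower()
        if parent in OFFICE_PARENTS and child == "powershell.exe":
            hits.append(m.group("cmd"))
    return hits


def looks_like_macro_doc(path):
    """True if the file is an OLE2 container that names a VBA project storage."""
    data = Path(path).read_bytes()
    return data.startswith(OLE_MAGIC) and VBA_STORAGE_NAME in data


def find_legacy_macro_files(root):
    """Recursively list .doc/.xls files under root that appear to carry VBA."""
    found = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in LEGACY_EXTENSIONS and looks_like_macro_doc(p):
            found.append(str(p))
    return sorted(found)


def build_sample_tree(root):
    """Write constructed sample files (synthetic bytes, not real documents) for the scanner."""
    root = Path(root)
    (root / "budget.xls").write_bytes(OLE_MAGIC + b"\x00" * 64 + VBA_STORAGE_NAME + b"\x00" * 64)
    (root / "memo.doc").write_bytes(OLE_MAGIC + b"\x00" * 128)        # legacy format, no VBA
    (root / "report.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 32)  # OOXML zip, skipped by extension
    (root / "notes.txt").write_bytes(b"plain text")
    return root


def scan_demo():
    """Build the sample tree in a temp dir and return the names of flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [Path(p).name for p in find_legacy_macro_files(tmp)]


if __name__ == "__main__":
    print("Office -> PowerShell:", office_spawned_powershell(SAMPLE_LOG))
    print("Legacy files with VBA:", scan_demo())
```

The first check is the higher-value signal: a document-to-PowerShell parent/child relationship is rare on most workstations, whereas legacy .doc/.xls files with macros are common in older environments. A sudden appearance of many freshly written .doc/.xls files alongside missing .docx/.xlsx originals, which the article describes, is the other pattern worth alerting on.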
This conversion may render many of these files unusable, making the malware considerably more destructive than it first appeared.
Keep in mind that .doc and .xls have not been the default Office formats since Office 2007.