The ‘Crigent/Power Worm' virus, revealed by Trend Micro in a 27 March blog, uses several new techniques to conceal itself – including working solely through the Windows PowerShell scripting tool rather than creating or including executable code.
Blog author Alvin John Nieto, a threat response engineer with TrendLabs, said this means: “IT administrators that are normally on the lookout for malicious binaries may overlook this, as malware using this technique is not particularly common.”
Security expert Kevin O'Reilly, senior consultant at UK-based Context Information Security, confirmed that Crigent “may well fly under the radar of a lot of system admins who are used to watching out for executable malware”.
TrendLabs says Crigent hides in infected Word or Excel documents which can be dropped by other malware, or users may unknowingly download it via malicious links or websites.
Crigent then sends information about the user's server – including IP address, location and user account privilege level – and waits for commands from the attacker running it.
Asked about Crigent's purpose, the company told SCMagazineUK.com via email: “Cyber criminals often use gathered user information as a way of doing analytics that could aid current or future attacks. In this particular case, it should be noted that the malware takes note of the MS Office applications and versions—which is crucial information for the routines to be successful or to push through.”
TrendLabs first saw the malware on 8 March and is still analysing which countries it is targeting. Asked about its source, the company said: “We're not able to make a formal attribution.”
Crigent works by downloading two components which it immediately disguises by changing their name and hiding where they were sourced (the Tor network and Polipo personal web cache/proxy) in DNS records. The malware masquerades as legitimate files hosted in the well-known Dropbox and Microsoft OneDrive cloud sites.
Nieto explained: “To someone examining the network traffic without looking at the actual files, all that would have been apparent was a pair of DNS queries to Google's public DNS servers, and a file downloaded from two well-known cloud services. Neither would be found particularly suspicious.”
And he warned: “Aside from compromising the security of the infected system, Crigent also infects documents - which may contain critical information - and may render them useless due to their new ‘format’. Enterprises and individual users may lose crucial data.”
In his analysis of the malware, Kevin O'Reilly told SCMagazineUK.com via email that Crigent “breathes new life” into Microsoft Office macro viruses which have become “something of a rarity”. He explained: “Crigent makes use of PowerShell as well as an interesting trick with DNS records to bring this threat right up to the present day.”
O'Reilly also confirmed that the Windows-based malware family doesn't currently threaten users who may be running MS Office on Android devices - or the just-announced iPad version. He said: “Its dependence on PowerShell limits it to modern Windows systems, a saving grace for newer versions of Office on mobile platforms.”
“This will come as little consolation to the majority who use Office on Windows and potentially face data loss with the malware's crude attempts to convert documents to older formats to enable its spread, deleting the original documents in its wake.”
And TrendLabs global threats communication manager, Christopher Budd, told SCMagazineUK.com that the problem is exclusive to Windows systems.
“Crigent only targets Windows-based versions of Word and Excel, given that Powershell is exclusive to Windows. But this doesn't mean that newer versions of MS Office are truly ‘safe’ from threats. Cyber-criminals are constantly creating/refining malware to include new targets—which could very well be the newer versions of MS Office.”
To protect themselves from Crigent, Nieto advises: “There are several ways to detect its presence within a network. For starters, the presence of Polipo and Tor within an internal network should be suspicious.” He said network administrators should also consider blocking Tor traffic to deter Crigent and other threats.
Nieto added: “It's worth noting that the file extensions that Crigent uses to save infected files as – .DOC and .XLS – are no longer the default file types. The versions of Office from Office 2007 onward use, by default, the .DOCX and .XLSX file extensions. The presence of large numbers of new files using older formats may be a possible sign of the presence of Crigent.”
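The detection heuristic Nieto describes, written up as a scan that flags a burst of newly created legacy-format (.DOC/.XLS) files. This is an added example, not TrendLabs' or SC Magazine's code; the file paths, timestamps and the one-hour/ten-file thresholds are constructed assumptions that an administrator would tune for their own environment.

```python
"""Flag a burst of new .DOC/.XLS files, the trace Crigent leaves when it
re-saves infected documents in the pre-2007 Office formats."""
import os
from collections import namedtuple
from datetime import datetime, timedelta

# Extensions the article says Crigent uses when it re-saves documents.
LEGACY_EXTENSIONS = {".doc", ".xls"}

FileRecord = namedtuple("FileRecord", "path created")


def is_legacy(path):
    """True for a pre-2007 Word/Excel file name, case-insensitive."""
    return os.path.splitext(path)[1].lower() in LEGACY_EXTENSIONS


def collect_records(root):
    """Walk `root` and return a FileRecord for every legacy-format file,
    using the filesystem's st_ctime as the 'created' timestamp."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_legacy(name):
                full = os.path.join(dirpath, name)
                created = datetime.fromtimestamp(os.stat(full).st_ctime)
                records.append(FileRecord(full, created))
    return records


def find_legacy_burst(records, window=timedelta(hours=1), threshold=10):
    """Sliding-window scan: return the densest run of legacy files whose
    creation times fall within `window`, or [] if that run is shorter
    than `threshold` (i.e. nothing worth alerting on)."""
    recs = sorted((r for r in records if is_legacy(r.path)),
                  key=lambda r: r.created)
    best, start = [], 0
    for end, rec in enumerate(recs):
        while rec.created - recs[start].created > window:
            start += 1  # drop records that fell out of the window
        if end - start + 1 > len(best):
            best = recs[start:end + 1]
    return best if len(best) >= threshold else []


# Constructed sample (not real data): twelve .DOC files appearing within
# eleven minutes, plus four old .xls files spread over the previous week.
_T0 = datetime(2014, 3, 27, 9, 0)
SAMPLE = [FileRecord(f"C:/Users/alice/Documents/report{i}.DOC",
                     _T0 + timedelta(minutes=i)) for i in range(12)]
SAMPLE += [FileRecord(f"C:/Users/alice/Documents/old{i}.xls",
                      _T0 - timedelta(days=i)) for i in range(1, 5)]

if __name__ == "__main__":
    hits = find_legacy_burst(SAMPLE)
    print(f"{len(hits)} legacy Office files created within one hour"
          if hits else "no burst of legacy Office files")
```

Point `collect_records` at a user's Documents share and feed the result to `find_legacy_burst` to run the same check on real files.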