• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Malware   »   Word and Excel Files Infected Using Windows PowerShell

Word and Excel Files Infected Using Windows PowerShell

  • Posted on:March 27, 2014 at 1:16 pm
  • Posted in:Malware
  • Author:
    Alvin John Nieto (Threat Response Engineer)
11

Malware targeting Word and Excel files has been around for some time, but we recently encountered a new malware family, CRIGENT (also known as “Power Worm”) which brings several new techniques to the table. (We detect these files as W97M_CRIGENT.A and X97M_CRIGENT.A.)

Most significantly, instead of creating or including executable code, CRIGENT uses the Windows PowerShell to carry out its routines. PowerShell is a powerful interactive shell/scripting tool that is available for all current versions of Windows (and is built-in from Windows 7 onwards); this malware carries out all its behavior via PowerShell scripts. IT administrators that are normally on the lookout for malicious binaries may overlook this, as malware using this technique is not particularly common.

Arrival and Additional Components

This particular threat arrives as an infected Word or Excel document, which may be dropped by other malware or downloaded/accessed by users. When opened, right away it downloads two additional components from two well-known online anonymity projects:  the Tor network, and Polipo, a personal web cache/proxy.

The attacker disguised both what these files were (by changing their file name), and where they are hosted by hiding this information in DNS records. Copies of these files are stored using legitimate cloud file hosts (in this case, Dropbox and OneDrive). The URLs of these files were hidden in DNS records. How was this done?

He had access to the DNS records of two separate domains, and created one subdomain under each of these domains. However, he did not point the subdomains to any particular IP address at all. Instead, he stored text inside the DNS records and queried specifically for TXT records. (To evade local DNS blocking, he made these queries directly to public Google DNS servers.) The command to do so in Windows would have been:

  • nslookup -querytype=TXT {malicious domain} 8.8.8.8

Each of the two queries returned a text string with a URL pointing to a legitimate cloud storage provider. One of these links went to Dropbox, the other to Microsoft’s OneDrive. To someone examining the network traffic without looking at the actual files, all that would have been apparent was a pair of DNS queries to Google’s public DNS servers, and a file downloaded from two well-known cloud services. Neither would be found particularly suspicious.

Command and Control

Using the installed Tor and Polipo software, it accesses its command-and-control server. The URL it uses contains two GUIDs, as seen below:

  • {C&C server}/get.php?s=setup&mom={GUID #1}&uid={GUID #2}

Curiously, if the above website is accessed with missing or incorrect GUIDs, the C&C server delivers the following slightly profane message in German:

Figure 1. C&C server

However, if the fields are correct, a PowerShell script (detected as VBS_CRIGENT.LK or VBS_CRIGENT.SM) is downloaded which includes all the code necessary to carry out CRIGENT’s malicious behavior. For starters, the following information about the user’s system is sent back to the C&C server:

  • IP Address
  • Country code
  • Country name
  • Region code
  • Region name
  • City
  • Zipcode
  • Latitude
  • User account privilege
  • OS version
  • OS architecture
  • Domain
  • OS Language
  • Microsoft Office applications
  • Microsoft Office versions

In addition to the above behavior, the script also communicates with the server at every system startup where it listens for commands. Ports related to Polipo and Tor are also opened.

Infecting Word and Excel files

The downloaded PowerShell script also contains the necessary code to infect other Word and Excel documents with the malicious CRIGENT code. To do this, it uses PowerShell scripts to modify registry entries, which lowers the security settings of Microsoft Office.

Figure 2. Script modifying registry entries

It then searches for all document files of either Microsoft Word or Microsoft Excel – *.DOC, *.DOCX, *.XLS, and *.XLSX – in all available drives. It also disables the ‘alerts’ and ‘macros’ of the files to be infected, so as not to alert the users.

Any existing .DOCX and .XLSX files are converted to the previous .DOC and .XLS formats, respectively, with the originals being deleted. A Visual Basic module (which contains the malicious macro) is created and saved together with all the .DOC and .XLS files; opening any of these restarts the infection chain.

Figure 3. Script searching for Word/Excel files

Aside from compromising the security of the infected system, CRIGENT also infects documents (which may contain critical information) and may render them useless due to their new “format”. Enterprises and individual users may lose crucial data.

Detecting CRIGENT

There are several ways to detect the presence of CRIGENT within a network. For starters, the presence of Polipo and Tor within an internal network should be suspicious. We had earlier discussed how to detect and block Tor traffic; this is something that network administrators should consider looking into to deter CRIGENT and other threats using TOR.

In addition, it’s worth noting that the file extensions that CRIGENT uses to save infected files as – .DOC and .XLS – are no longer the default file types. The versions of Office from Office 2007 onward use, by default, the .DOCX and .XLSX file extensions, with support for the earlier file formats being kept for legacy and backward compatibility purposes. The presence of large numbers of new files using older formats may be a possible sign of the presence of CRIGENT.

We noted in our 2014 Security Predictions that cybercriminals will use Tor to hide their activities more deeploy, which is what happened here. They also used PowerShell, a key feature of versions of Windows from Windows 7 onwards, to carry out their routine. That, combined with the use of legitimate cloud storage sites, highlights how cybercriminals want to use legitimate services and features for their attacks.

Trend Micro protects users from this malware via blocking all related URLs and detecting the malware involved.

Update as of 2:30 AM PDT, March 28, 2014

The hashes of some of the files used in this attack are:

  • DE59D4F265599C1931807DF6D506BA11E1DBA2DC
  • FFEF3D961C9729660A0009AFC8A149800B84D8F1
Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: CRIGENTMalwareMicrosoft ExcelMicrosoft WordPowershell

Featured Stories

  • systemd Vulnerability Leads to Denial of Service on Linux
  • qkG Filecoder: Self-Replicating, Document-Encrypting Ransomware
  • Mitigating CVE-2017-5689, an Intel Management Engine Vulnerability
  • A Closer Look at North Korea’s Internet
  • From Cybercrime to Cyberpropaganda

Security Predictions for 2019

  • Our security predictions for 2019 are based on our experts’ analysis of the progress of current and emerging technologies, user behavior, and market trends, and their impact on the threat landscape. We have categorized them according to the main areas that are likely to be affected, given the sprawling nature of the technological and sociopolitical changes under consideration.
    Read our security predictions for 2019.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Waterbear is Back, Uses API Hooking to Evade Security Product Detection
  • December Patch Tuesday: Vulnerabilities in Windows components, RDP, and PowerPoint Get Fixes
  • Obfuscation Tools Found in the Capesand Exploit Kit Possibly Used in “KurdishCoder” Campaign
  • Mobile Cyberespionage Campaign Distributed Through CallerSpy Mounts Initial Phase of a Targeted Attack
  • Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK

Popular Posts

  • Mac Backdoor Linked to Lazarus Targets Korean Users
  • Microsoft November 2019 Patch Tuesday Reveals 74 Patches Before Major Windows Update
  • New Magecart Attack Delivered Through Compromised Advertising Supply Chain
  • September Patch Tuesday Bears More Remote Desktop Vulnerability Fixes and Two Zero-Days
  • 49 Disguised Adware Apps With Optimized Evasion Features Found on Google Play

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.