A new malware family named Crigent enters a targeted user's system through a contaminated Excel or Word file. Crigent, which is dropped by other malware, hides in the infected Word or Excel documents. Using the Windows PowerShell scripting tool, the Crigent worm carries out its routine operations and conceals itself from network administrators.
When the infected file is opened, it immediately downloads two additional components from online anonymity projects: the Tor network client and Polipo, a personal web cache/proxy. It then communicates with its command-and-control (C&C) server through these tools. The server sends Crigent the PowerShell script that uploads details of the attacked PC to the C&C server.
At the same time, Crigent gives the infected files different file names and hides the locations where they are hosted within DNS records. The attacker stores duplicates of the files on legitimate cloud services such as OneDrive and Dropbox. This further helps the attacker hide the worm's activity from network administrators.
Moreover, a PowerShell script sends the following information about the user's system back to the C&C server:
- IP Address
- Country code
- Country name
- Region code
- Region name
- City
- ZIP code
- Latitude
- User account privilege
- OS version
- OS architecture
- Domain
- OS Language
- Microsoft Office applications
- Microsoft Office versions
The downloaded PowerShell script can also infect other Word and Excel documents. It disables the ‘alerts’ and ‘macros’ settings of the Word and Excel documents it is about to infect, so that users are not warned.
It then converts any existing .docx and .xlsx files to the infected .doc and .xls formats, respectively, and deletes the content of the original file. When the user next opens any of these files, Crigent restarts the infection chain.
To detect CRIGENT within a network, administrators should first look for the presence of Polipo and Tor on the internal network. Both should be straightforward for network administrators to detect, which helps keep users protected against CRIGENT and other threats that use Tor.
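As an added example (not code from the article or from eScan), the read-only PowerShell triage below checks an endpoint for the two indicators the article names: Tor or Polipo running on the host, and Office macro-warning settings that have been switched off. The port numbers and the registry value names `VBAWarnings` and `AccessVBOM` are assumptions taken from the tools' and Office's documented defaults, not from the article.

```powershell
# Added example: host triage for Crigent-style indicators. Read-only; changes nothing.
# Assumed defaults (not from the article): Tor SOCKS listener 9050 (9150 for the
# browser bundle), Polipo 8123; Office stores macro security under HKCU\...\Security.
$SuspectPorts = @(9050, 9150, 8123)
$SuspectNames = @('tor', 'polipo')

function Find-SuspectProcess {
    # Match on image name only; a renamed Tor/Polipo binary will not be caught here,
    # which is why the listener check below is run as well.
    Get-Process | Where-Object { $SuspectNames -contains $_.ProcessName.ToLower() } |
        Select-Object Id, ProcessName, Path
}

function Find-SuspectListener {
    # Local TCP listeners on the default Tor/Polipo ports, joined to the owning process.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $SuspectPorts -contains $_.LocalPort } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ Port = $_.LocalPort; Pid = $_.OwningProcess; Process = $proc.ProcessName }
        }
}

function Find-WeakenedMacroSecurity {
    # VBAWarnings = 1 means "enable all macros" (no alert shown); AccessVBOM = 1 lets a
    # script rewrite the VBA project of other documents. A document infector that wants
    # to spread silently needs both, so either value set to 1 is worth a closer look.
    foreach ($app in 'Word', 'Excel') {
        Get-Item "HKCU:\Software\Microsoft\Office\*\$app\Security" -ErrorAction SilentlyContinue |
            ForEach-Object {
                $warn = $_.GetValue('VBAWarnings')
                $vbom = $_.GetValue('AccessVBOM')
                if ($warn -eq 1 -or $vbom -eq 1) {
                    [pscustomobject]@{ Key = $_.Name; VBAWarnings = $warn; AccessVBOM = $vbom }
                }
            }
    }
}

'== Tor/Polipo processes ==';            Find-SuspectProcess        | Format-Table -AutoSize
'== Listeners on default Tor/Polipo ports =='; Find-SuspectListener | Format-Table -AutoSize
'== Office macro security weakened ==';  Find-WeakenedMacroSecurity | Format-Table -AutoSize
```

Empty output for all three sections means none of these indicators were found on this host; it does not rule out Tor or Polipo running under another name or on non-default ports, so pair it with the network-level checks the article recommends.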
To check whether your system is infected, use the free eScan toolkit from https://www.escanav.com/english/content/products/MWAV/escan_mwav.asp
Ensure total protection with eScan Security Solution and enjoy a worry-free life.