Trend Micro threat response engineer Alvin John Nieto reported the campaign in a blog post. "Malware targeting Word and Excel files has been around for some time, but we recently encountered a new malware family Crigent (also known as 'Power Worm'), which brings several new techniques to the table," he said.
"This particular threat arrives as an infected Word or Excel document, which may be dropped by other malware, or downloaded or accessed by users. When opened, right away it downloads two additional components from two well-known online anonymity projects: the Tor network, and Polipo, a personal web cache/proxy."
In the first stage of the attack, criminals target a flaw in Windows PowerShell to steal critical information about the victim system. The information includes the system's IP address, location, user account privilege, OS version, architecture and language as well as what Microsoft Office applications and Office versions are running.
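As an added example (not code from the article or from Trend Micro), this is the kind of detection logic a defender could run over endpoint process-creation telemetry for the chain described above: an Office application spawning PowerShell, followed by Tor and Polipo being launched from that PowerShell process. The event fields, process paths and sample log lines are constructed assumptions for illustration.

```python
import json

# Process names as they appear in the infection chain the article describes:
# Office opens the document, PowerShell gathers system facts, Tor and Polipo
# are then fetched and launched. (Name sets are assumptions, not IoCs.)
OFFICE_APPS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"powershell.exe"}
ANON_PROXIES = {"tor.exe", "polipo.exe"}

# Constructed sample telemetry (JSON lines with Sysmon-like fields), not real data.
SAMPLE_LOG = r"""
{"pid": 1200, "ppid": 900, "image": "C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE"}
{"pid": 1320, "ppid": 1200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"pid": 1400, "ppid": 1320, "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\tor.exe"}
{"pid": 1410, "ppid": 1320, "image": "C:\\Users\\victim\\AppData\\Local\\Temp\\polipo.exe"}
{"pid": 1500, "ppid": 900, "image": "C:\\Windows\\System32\\notepad.exe"}
{"pid": 1600, "ppid": 900, "image": "C:\\Program Files\\Tor Browser\\Browser\\TorBrowser\\Tor\\tor.exe"}
"""

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def parse_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def ancestors(event: dict, by_pid: dict) -> list[str]:
    """Lower-cased image names of the parent chain visible in the log, nearest first."""
    chain, seen, cur = [], set(), by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:  # guard against pid-reuse loops
        seen.add(cur["pid"])
        chain.append(basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain

def detect(events: list[dict]) -> list[tuple[str, int]]:
    """Flag Office -> PowerShell, and any Tor/Polipo launch; the latter is rated
    higher when its ancestry leads back to an Office application."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img, chain = basename(e["image"]), ancestors(e, by_pid)
        if img in SCRIPT_HOSTS and chain and chain[0] in OFFICE_APPS:
            alerts.append(("office_spawned_powershell", e["pid"]))
        if img in ANON_PROXIES:
            tier = "anon_proxy_from_office_chain" if OFFICE_APPS & set(chain) else "anon_proxy_launch"
            alerts.append((tier, e["pid"]))
    return alerts

if __name__ == "__main__":
    for name, pid in detect(parse_events(SAMPLE_LOG)):
        print(f"{name}: pid {pid}")
```

The stand-alone Tor launch (pid 1600) is still reported, at the lower tier, because legitimate Tor use exists; the Office-rooted chain is what distinguishes this campaign's behaviour.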
PowerShell is an interactive scripting tool that is available for all current versions of Windows and built into Windows 7 and Windows 8. A Trend Micro spokesperson told V3 the use of PowerShell is atypical and suggests the attack is the first stage in a wider campaign.
"This attack appears primarily to be an analytical attack: one intended to gather information, likely for use in current or future attacks. The specific information it seeks to gather is Microsoft Office applications and versions. The attack is atypical in its use of the PowerShell scripting language: this isn't commonly used," they said.
They added that the attack's use of the Tor and Polipo anonymising networks is dangerous as it hides the campaign's movements online.
"In this case the malware uses the Tor network to have infected systems contact the command and control (C&C) server for further instructions, specifically to transmit gathered information for central collection," said the spokesperson.
"Tor is used in a variety of ways by cyber criminals for its anonymising capabilities. In addition, this malware uses Tor to obfuscate and make taking down the C&C server more difficult."
The spokesperson said concerned IT managers should protect themselves by "running a mature security suite like OfficeScan or Worry-Free Business Security and keeping them up to date."
Attacks using the Tor network are a growing problem facing the security community. Researchers from Kaspersky Lab reported uncovering evidence that criminals plan to release a new wave of advanced cyber attacks using the Tor network earlier in March.