
SANS ISC: InfoSec Handlers Diary Blog


"Power Worm" PowerShell based Malware

Published: 2014-04-06
Last Updated: 2014-04-06 16:06:12 UTC
by Basil Alawi S.Taher (Version: 1)
2 comment(s)

In the past few years one of the major improvements in the Windows environment has been PowerShell. With Unix-style scripting capabilities, automating Windows administration tasks has become possible. One of the major advantages of PowerShell is that it supports most Microsoft products, from MS Office to enterprise-level applications such as MS SharePoint and MS Exchange.

But is it possible to use PowerShell for malicious purposes? You may remember Melissa, which was written as an MS Office macro, but that was in 1999. Is it still possible today?

According to TrendMicro[1], a new piece of malware written in PowerShell has been discovered: CRIGENT (aka Power Worm). TrendMicro has detected two malicious files (W97M_CRIGENT.A and X97M_CRIGENT.A). These files arrive in an infected Word or Excel file.

The malware downloads and installs Tor and Polipo, then connects to its command and control server. It collects some information from the user's machine (such as IP address, user account privileges, version, latitude...) and sends it to its C&C server. In addition, Power Worm infects other Word/Excel files, disables macro alerts, and downgrades the infected file from Docx/xlsx to Doc/xls.

The best way to stop such malware is to disable macros and not open any file from an untrusted source.
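The two defensive points above (the malware disables macro alerts and infects other Office files, and the fix is to keep macros disabled) can be audited and enforced from PowerShell itself. The script below is an added example written for this diary; it is not code from the diary, from TrendMicro, or from the malware. It assumes that per-user Office macro policy lives under `HKCU:\Software\Microsoft\Office\<version>\<App>\Security`, that `VBAWarnings` uses the values documented in the comments, and that `AccessVBOM = 1` is what a macro needs in order to write itself into other documents. The "recent legacy file" check is a heuristic for the Docx-to-Doc downgrade the diary describes, not a signature for CRIGENT.

```powershell
# Added example (not from the ISC diary or TrendMicro): audit and harden the
# Office macro settings Power Worm relies on, then list legacy-format
# Word/Excel files modified recently (the diary notes the malware downgrades
# Docx/xlsx to Doc/xls after infecting them).
#
# Assumptions (registry layout and value meanings):
#   HKCU:\Software\Microsoft\Office\<ver>\<App>\Security\VBAWarnings
#     1 = enable all macros (alerts disabled)      <- what the malware wants
#     2 = disable with notification (Office default)
#     3 = disable except digitally signed macros
#     4 = disable all macros without notification  <- hardened
#   HKCU:\Software\Microsoft\Office\<ver>\<App>\Security\AccessVBOM
#     1 = "Trust access to the VBA project object model" enabled, which a
#         macro needs to inject VBA into other documents; 0/absent = denied

$OfficeVersions = @('12.0', '14.0', '15.0', '16.0')   # Office 2007 .. 2016/365
$Apps           = @('Word', 'Excel')

function Get-MacroSecurityState {
    # One object per Office version/app that actually exists on this machine.
    foreach ($ver in $OfficeVersions) {
        foreach ($app in $Apps) {
            $key = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            [pscustomobject]@{
                Version     = $ver
                App         = $app
                Key         = $key
                VBAWarnings = $props.VBAWarnings   # $null means never set (Office default 2)
                AccessVBOM  = $props.AccessVBOM    # $null or 0 means VBA project model not trusted
                Weak        = ($props.VBAWarnings -eq 1) -or ($props.AccessVBOM -eq 1)
            }
        }
    }
}

function Set-MacroSecurityHardened {
    # Disable all macros without notification and revoke VBA object model access.
    param([Parameter(Mandatory)][string]$Key)
    Set-ItemProperty -Path $Key -Name 'VBAWarnings' -Value 4 -Type DWord
    Set-ItemProperty -Path $Key -Name 'AccessVBOM'  -Value 0 -Type DWord
}

function Get-RecentLegacyOfficeFiles {
    # Legacy binary documents written recently under the user profile.
    # A burst of freshly modified .doc/.xls files where .docx/.xlsx used to
    # be is the downgrade side effect described in the diary (heuristic only).
    param([int]$Days = 7, [string]$Root = $env:USERPROFILE)
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $Root -Recurse -Include '*.doc', '*.xls' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        Select-Object FullName, LastWriteTime, Length
}

# Audit first, then remediate only the weak entries.
$state = Get-MacroSecurityState
$state | Format-Table Version, App, VBAWarnings, AccessVBOM, Weak -AutoSize

foreach ($s in ($state | Where-Object Weak)) {
    Write-Warning "Macro alerts disabled or VBA object model trusted: $($s.Key)"
    Set-MacroSecurityHardened -Key $s.Key
}

Get-RecentLegacyOfficeFiles -Days 7 | Format-Table -AutoSize
```

Run it in the context of the user whose profile you are checking, since the keys are per-user. In a domain, the equivalent values under `HKCU:\Software\Policies\Microsoft\Office\...` set by Group Policy take precedence over these per-user keys, so pushing `VBAWarnings = 4` through policy is the durable version of the diary's "disable macros" advice; the script is useful for spotting machines where the per-user setting has already been flipped to 1.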

