MS Office files used to spread malwares

New malware have been observed by TrendMicro that is targeting Microsoft office files. The virus is using windows PowerShell script which is allowed on many environments by system administrator to customize OS configuration.

The malware is named CRIGENT and it integrates itself with word or excel document. When the victim opens the malicious file it will execute and download two components hosted on cloud providers using Tor and Polipo. Cyber-criminal are masking the URL in DNS records.

Opening the URL will run a PowerShell script to get users information including IP , country code, OS version , Domain, OS language, Office application version, victim location and the script will keep monitoring the information with each system start up.

crigent2-2screenshot for the PS script modifying reg keys

Usually on local network it is important to monitor the traffic and if we detect connection to non standard protocols it is required to make more investigation and identify the root cause for the issue. We may prevent this on the firewall level because this indicate a risk for infected systems.

Trend Micro already have the appropriate signature to make users protected against this malware so keep you security software updated.

Notify of
Inline Feedbacks
View all comments