Saturday, March 29, 2014

Hackers hit Microsoft Word and Excel users with evolved Tor malware

Hackers are targeting Word and Excel users with a sophisticated new data-siphoning malware that hides its movements using the Tor network, according to security firm Trend Micro.

Trend Micro threat response engineer Alvin John Nieto reported the campaign in a blog post. "Malware targeting Word and Excel files has been around for some time, but we recently encountered a new malware family Crigent (also known as 'Power Worm'), which brings several new techniques to the table," he said.

"This particular threat arrives as an infected Word or Excel document, which may be dropped by other malware, or downloaded or accessed by users. When opened, right away it downloads two additional components from two well-known online anonymity projects: the Tor network, and Polipo, a personal web cache/proxy."

In the first stage of the attack, criminals target a flaw in Windows PowerShell to steal critical information about the victim system. The information includes the system's IP address, location, user account privilege, OS version, architecture and language as well as what Microsoft Office applications and Office versions are running.

PowerShell is an interactive scripting tool that is available for all current versions of Windows and pre-built into Windows 7 and Windows 8. A Trend Micro spokesperson told V3 the use of PowerShell is atypical and suggests the attack is the first stage in a wider campaign.