We were alerted to reports of a Crisis/MORCUT malware that supposedly spreads on VMware virtual machines. Our previous post about Crisis/MORCUT described it as a backdoor that specifically targets Mac OS X systems. This time around, the Crisis/MORCUT variant we have on our hands runs on Windows and, interestingly, mounts VMware virtual disks.
The arrival vector of this variant is still being determined, though it may begin with the download of a malicious Java applet (detected as JAVA_AGENT.NTW). The Java applet is packaged with two files: mac, the backdoor OSX_MORCUT.A, and win, a worm detected as WORM_MORCUT.A. The win file is executed on a Windows operating system and drops the following component files:
- IZsROY7X.-MP – (32-bit DLL) currently detected as WORM_MORCUT.A
- t2HBeaM5.OUk – (64-bit DLL) currently detected as WORM_MORCUT.A
- WeP1xpBU.wA – (32-bit device driver) detected as TROJ_MORCUT.A
- 6EaqyFfo.zIK – (64-bit device driver) detected as TROJ_MORCUT.A
- lUnsA3Ci.Bz7 – (32-bit DLL) a non-malicious file
Based on our initial analysis, WORM_MORCUT.A has the ability to spread through USB devices and VMware virtual disks. It uses the device driver component TROJ_MORCUT.A to mount virtual disks so that it can write itself into them. Note that while it has spreading capability, we are not seeing many infections of either WORM_MORCUT.A or TROJ_MORCUT.A as of this writing.
As we earlier reported in our Cloud Security blog post, our initial analysis reveals that this Crisis/MORCUT variant may affect Type 2 (hosted) hypervisor deployments, where the virtual disk files sit on the host's file system. Both Trend Micro™ Deep Security™ and Trend Micro™ OfficeScan™ detect these components, so Trend Micro customers are protected from this Crisis/MORCUT malware.
Analyses of both WORM_MORCUT.A and TROJ_MORCUT.A are underway. Watch this space for updates. In the meantime, OfficeScan users should update to the latest patterns, which are available in our Download Center.