Cybercriminals abuse Office embedded online video feature to distribute malware

Cybercriminals are using a new method to distribute malware through the online video feature of Microsoft Office. The method was disclosed in October this year and it didn't take long for cybercriminals to abuse it in 'the wild'. The method works by embedding a file instead of a video in Office. Microsoft has stated it won't fix the issue.


(How the attack works - Credits: Trend Micro)

The attack works by abusing the ability of Microsoft Office to embed online videos in a document. When the document is opened, the video is loaded from an online location such as YouTube. In the newly discovered attack, the attackers don't embed a video but a file. Office checks whether users actually embed a video, but the attackers bypass this measure by modifying the source code of the Office document.

Microsoft has also added another protection to Office documents called Protected View. All documents from unsafe locations are opened in read-only mode, and a yellow message bar explains that the document can only be read and not edited. In Protected View it's also not possible to click embedded videos, for example to play them. Users can exit Protected View by clicking 'Enable Editing'.


When the document is no longer in Protected View and users click the video, a file is downloaded that tries to resemble the installation file of Adobe Flash Player. This trick should convince users that they are unable to play back the video because their Flash Player is not (properly) installed. When they try to install the fake Adobe Flash Player, they actually install malware.

The described method was discovered last October and reported to Microsoft, which stated it doesn't consider the issue a vulnerability. According to Trend Micro, the software giant found that the online video embedding feature is working as intended/designed.

Nevertheless, two weeks after the method was disclosed, it has been discovered in real-world attacks. In these attacks, cybercriminals distribute the Ursnif malware, which tries to steal passwords, cookies, private keys and internet banking data.


Users who want to protect themselves against such an attack should not open Word documents that contain an embedded HTML tag, or should block documents with embedded video.
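One way to check a document for an embedded HTML tag before opening it, as an added example that is not code from the article or from Trend Micro: the script unpacks a .docx and inspects the HTML that Word stores for an online video. It assumes that markup is held in the `embeddedHtml` attribute of a `webVideoPr` element in the document's XML parts; the host allowlist, the helper names and the two sample documents are constructed for illustration.

```python
import html, io, zipfile
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"www.youtube.com", "player.vimeo.com"}  # assumption: local policy

class TagCollector(HTMLParser):
    """Records every tag name and src/href/data URL in an embeddedHtml value."""
    def __init__(self):
        super().__init__()
        self.tags, self.urls = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.urls += [v for k, v in attrs if k in ("src", "href", "data") and v]

def audit_docx(data: bytes) -> list:
    """Return one finding per suspicious embedded-video payload in a .docx."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            raw = z.read(name)
            if b"<!DOCTYPE" in raw:  # OOXML parts carry no DTD; refuse to parse
                findings.append(f"{name}: unexpected DOCTYPE")
                continue
            for el in ET.fromstring(raw).iter():
                if not el.tag.endswith("}webVideoPr"):
                    continue
                tc = TagCollector()
                tc.feed(el.get("embeddedHtml", ""))
                # A genuine embed is a single iframe pointing at a video host.
                extra = sorted(set(tc.tags) - {"iframe"})
                hosts = sorted({urlparse(u).hostname or u for u in tc.urls} - ALLOWED_HOSTS)
                if extra or hosts:
                    findings.append(f"{name}: tags={extra} hosts={hosts}")
    return findings

def make_docx(embedded_html: str) -> bytes:
    """Constructed sample: a minimal package with one online-video element."""
    ns = "http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing"
    xml = (f'<doc xmlns:wp15="{ns}"><wp15:webVideoPr '
           f'embeddedHtml="{html.escape(embedded_html)}" h="315" w="560"/></doc>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", xml)
    return buf.getvalue()
```

An empty list from `audit_docx` means every embedded video is a plain iframe on an allowed host; any finding names the XML part, the unexpected tags and the unexpected hosts, which is enough to quarantine the file at a mail or file gateway.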
