Hackers could abuse a feature that allows you to attach a video directly to a Word document to make the victim download and run malware on their computer
Cybersecurity and digital forensics researchers from the International Institute of Cyber Security report the emergence of a malware campaign that abuses the feature for attaching videos to a Word document in order to deliver malicious code that victims could download to their computers. According to the investigators, producing a document that delivers the malicious payload is fairly easy.
According to digital forensics experts, to carry out this attack an attacker must first create a Word document, fill it with whatever content suits their purposes, use the Insert – Online Video option to add a YouTube video to the document, and save the file.
The saved file must then be unpacked, either with a dedicated tool or by renaming the .docx extension to .zip and extracting it. This gives the attacker access to an XML file named document.xml inside the word folder, which they can open and edit.
In place of the YouTube iframe code for the video (the value that follows the embeddedHtml parameter), the attacker can insert malicious HTML or JavaScript code, save the changes, repack the .docx package, and then find a way to deliver the file to the victim and get them to open it and click on the embedded video to view its content.
Clicking on the video triggers the download of the embedded executable through the Internet Explorer Download Manager. A window asks the victim whether to run or save the file, but it carries no warning about the possible danger of doing so. Unfortunately, many users do not think twice before clicking, thereby approving the execution of the malicious payload.
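A defender-side check for the tampering described above, added here and not part of the original report: it unzips a .docx, reads word/document.xml and flags any embeddedHtml value that is not a plain YouTube iframe. Only the file path and the attribute name come from the article; the wp15:webVideoPr element and its namespace used in the constructed samples are assumptions, as is the exact shape of the iframe Word writes.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

DOC_PART = "word/document.xml"  # part the article says the attacker edits
# What Word writes for an online video: one YouTube iframe (exact shape is an assumption).
BENIGN_EMBED = re.compile(
    r'^\s*<iframe\b[^>]*\bsrc="https://www\.youtube\.com/embed/[\w-]+[^"]*"[^>]*>\s*</iframe>\s*$',
    re.IGNORECASE)
# Never legitimate inside a video embed: other tags, event-handler attributes, javascript: URLs.
RISKY = re.compile(r"<(?!/?iframe\b)|\bon\w+\s*=|javascript:", re.IGNORECASE)

def embedded_html_values(docx_bytes):
    """Return every embeddedHtml attribute value in word/document.xml, namespace ignored."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read(DOC_PART))
    return [value for el in root.iter()
            for name, value in el.attrib.items()
            if name.rsplit("}", 1)[-1] == "embeddedHtml"]

def classify(docx_bytes):
    """'no-video', 'clean' (only plain YouTube iframes) or 'suspicious' (anything else)."""
    values = embedded_html_values(docx_bytes)
    if not values:
        return "no-video"
    ok = all(BENIGN_EMBED.match(v) and not RISKY.search(v) for v in values)
    return "clean" if ok else "suspicious"

def build_sample_docx(embedded_html):
    """Constructed minimal .docx holding only the part this check reads (wp15:webVideoPr and
    its namespace are assumptions; embedded_html must already be XML-escaped)."""
    document_xml = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:wp15="http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing">'
        '<w:body><w:p><w:r><w:drawing>'
        '<wp15:webVideoPr embeddedHtml="' + embedded_html + '" h="360" w="640"/>'
        '</w:drawing></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(DOC_PART, document_xml)
    return buf.getvalue()

# Constructed samples: the embed Word generates for a video, and one where the iframe was replaced.
GOOD = build_sample_docx(
    "&lt;iframe width=&quot;640&quot; height=&quot;360&quot; "
    "src=&quot;https://www.youtube.com/embed/VIDEOID12345?feature=oembed&quot; "
    "frameborder=&quot;0&quot;&gt;&lt;/iframe&gt;")
BAD = build_sample_docx("&lt;script&gt;/* constructed placeholder, not a payload */&lt;/script&gt;")
```

classify(GOOD) returns "clean" and classify(BAD) returns "suspicious"; pointing classify at the bytes of a real .docx works the same way, since only the word/document.xml part is read.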
According to experts in digital forensics: “Attackers could use this feature for malicious purposes such as phishing, as the document will show the attached video with a link to YouTube, while disguising hidden HTML/JavaScript code that will run in the background and could lead to a subsequent malicious code execution scenario”.
So, what can users do?
Experts say this issue should be treated as a vulnerability with the potential to affect all users of Office 2016 and earlier versions of the productivity suite.
Microsoft has already been notified of the vulnerability, but the company has stated that for now it does not plan to do anything about it, because the software is interpreting the HTML exactly as designed. If the feature starts to be abused more widely, however, the company might end up releasing a patch.
According to digital forensics specialists, a similar situation occurred last year with the Dynamic Data Exchange (DDE) function in Word: after a considerable increase in malware campaigns abusing it, Microsoft initially said DDE was a feature, not a vulnerability, and merely offered mitigation tips for the attack scenario, but eventually disabled DDE by default to stop the rise in abuse.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us, she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in different industry domains such as finance, healthcare and consumer products.