Just one month after a proof of concept (PoC) was released by the research firm Cymulate showing how the online video feature in Microsoft Word can be used to deliver malware, a sample of such an attack has been found in the wild.

Trend Micro threat analysts Michael Villanueva and Toshiyuki Iwata found a sample, identified as TROJ_EXPLOIT.AOOCAI, that was spreading the URSNIF information stealer. While the basic delivery system was the same between the PoC and the in-the-wild version, some improvements were noted in the latter malware.

The PoC used the msSaveorOpenBlob method to decode a base64-encoded binary embedded with a video tag, as well as, being triggered when the victim clicks the video frame. Once the malware is downloaded the target is prompted through IE’s download manager to run or save the executable.

Please register to continue.

Already registered? Log in.

Once you register, you'll receive:

  • News analysis

    The context and insight you need to stay abreast of the most important developments in cybersecurity. CISO and practitioner perspectives; strategy and tactics; solutions and innovation; policy and regulation.

  • Archives

    Unlimited access to nearly 20 years of SC Media industry analysis and news-you-can-use.

  • Daily Newswire

    SC Media’s essential morning briefing for cybersecurity professionals.

  • Learning Express

    One-click access to our extensive program of virtual events, with convenient calendar reminders and ability to earn CISSP credits.