Just one month after a proof of concept (PoC) was released by the research firm Cymulate showing how the online video feature in Microsoft Word can be used to deliver malware, a sample of such an attack has been found in the wild.
Trend Micro threat analysts Michael Villanueva and Toshiyuki Iwata found a sample, identified as TROJ_EXPLOIT.AOOCAI, that was spreading the URSNIF information stealer. While the basic delivery system was the same between the PoC and the in-the-wild version, some improvements were noted in the latter malware.
The PoC used the msSaveOrOpenBlob method to decode a base64-encoded binary embedded alongside the video tag, and it was triggered when the victim clicked the video frame. Once the malware was downloaded, the target was prompted through IE’s download manager to run or save the executable.
The live sample eliminates the msSaveOrOpenBlob step. Instead, once the video is clicked the malware directly accesses the malicious URL and downloads the final payload. The IE download manager is replaced with a fake Flash Player update prompt that encourages the victim to run or save the file. Overall, Trend Micro described the new method as simpler and possibly more effective than the PoC.
A quick look at how the Microsoft Word document can be created was offered by Cymulate co-founder and CTO Avihai Ben-Yossef. He said attackers can exploit the flaw by first embedding a video inside a Word document, then unpacking the document in order to single out the file “document.xml.” Next, the attackers can replace that XML file’s iframe code with a crafted payload. “Once run, this code will use the msSaveOrOpenBlob method to trigger the download of the executable by opening Internet Explorer Download Manager with the option to run or save the file,” the blog post states.
Cymulate has warned Microsoft of the flaw, but the company declined to issue a CVE.
In response to Cymulate’s claims, Jeff Jones, senior director at Microsoft, told SC Media in October, “The product is properly interpreting html as designed — working in the same manner as similar products.”
Since the flaw will not receive a patch, Trend Micro recommends blocking Word documents that have the embeddedHtml tag in their respective XML files, or disabling documents with embedded video altogether.
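Trend Micro’s recommendation can be turned into a mail-gateway or endpoint check with very little code, because a .docx file is just a zip archive and the embedded-video marker lives in its XML parts. The script below is an added example, not code from the article, Trend Micro or Cymulate: it opens a .docx in memory, walks every `word/*.xml` part, and flags any `embeddedHtml` element or attribute (the marker the article names), pulling out any `src`/`href` URLs from the embedded HTML so an analyst can triage them. The two sample documents are constructed here for the demonstration; the `wp15:webVideoPr` element, namespace URI and `video.example` URL are assumptions that approximate the shape of a real embedded-video drawing and are not taken from the article.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# The marker Trend Micro recommends blocking on, as named in the article.
MARKER = "embeddedHtml"

# Matches src="..." / href='...' inside the embedded HTML, for triage only.
URL_RE = re.compile(r'''(?:src|href)\s*=\s*["']([^"']+)["']''', re.IGNORECASE)


def _local(name):
    """Strip an ElementTree namespace prefix: '{uri}name' -> 'name'."""
    return name.rsplit("}", 1)[-1]


def find_embedded_html(docx_bytes):
    """Return [(part_name, html_string), ...] for every embeddedHtml element
    or attribute in the document's word/*.xml parts.  Returns None when the
    bytes are not an OOXML zip (for example a legacy binary .doc), so the
    caller can route the file to a different scanner instead of passing it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(docx_bytes))
    except zipfile.BadZipFile:
        return None
    findings = []
    for name in zf.namelist():
        if not (name.startswith("word/") and name.endswith(".xml")):
            continue
        data = zf.read(name)
        try:
            root = ET.fromstring(data)
        except ET.ParseError:
            # Malformed XML must not let the marker slip past: fall back to a byte scan.
            if MARKER.encode() in data:
                findings.append((name, ""))
            continue
        for el in root.iter():
            if _local(el.tag) == MARKER:
                findings.append((name, (el.text or "").strip()))
            for attr, value in el.attrib.items():
                if _local(attr) == MARKER:
                    # ElementTree has already decoded &lt; &quot; etc., so value is plain HTML.
                    findings.append((name, value))
    return findings


def triage(docx_bytes):
    """Summarise a document: can we inspect it, does it carry embedded video, which URLs."""
    found = find_embedded_html(docx_bytes)
    if found is None:
        return {"inspectable": False, "has_embedded_video": False, "urls": []}
    urls = []
    for _, html in found:
        urls.extend(URL_RE.findall(html))
    return {"inspectable": True, "has_embedded_video": bool(found), "urls": urls}


def should_block(docx_bytes):
    """Trend Micro's policy: block when any embeddedHtml marker is present."""
    return triage(docx_bytes)["has_embedded_video"]


def make_docx(document_xml):
    """Build a minimal in-memory .docx (constructed test fixture, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


_W = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
# Assumed namespace URI for the wp15 prefix; illustrative only.
_WP15 = 'xmlns:wp15="http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing"'

# Constructed benign document: plain text, no drawing, no embedded video.
SAMPLE_PLAIN = make_docx(
    f'<w:document {_W}><w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>'
)

# Constructed document carrying an embeddedHtml attribute with an XML-escaped iframe.
SAMPLE_WITH_VIDEO = make_docx(
    f'<w:document {_W} {_WP15}><w:body><w:p><w:r><w:drawing>'
    '<wp15:webVideoPr embeddedHtml="&lt;iframe src=&quot;https://video.example/embed/123&quot;'
    '&gt;&lt;/iframe&gt;" h="360" w="640"/>'
    '</w:drawing></w:r></w:p></w:body></w:document>'
)

if __name__ == "__main__":
    for label, doc in (("plain", SAMPLE_PLAIN), ("video", SAMPLE_WITH_VIDEO), ("legacy", b"not a zip")):
        print(label, triage(doc), "block" if should_block(doc) else "allow")
```

The fallback byte scan matters in practice: a document whose XML fails to parse would otherwise be waved through, and a gateway check should fail closed on the marker rather than trust the parser. Files that are not zips at all are reported as uninspectable rather than silently allowed, so the caller can decide what to do with legacy formats.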