Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

How to deliver malware using weaponized Microsoft Office docs embedding YouTube video

Researchers at Cymulate security firm devised a new stealthy technique to deliver malware leveraging videos embedded into weaponized Microsoft Office Documents. The technique could be used to execute JavaScript code when a user clicks on a weaponized YouTube video thumbnail embedded in a Weaponized Office document. Experts pointed out that no message is displayed by […]

weaponized Microsoft Office Documents

Researchers at Cymulate security firm devised a new stealthy technique to deliver malware leveraging videos embedded into weaponized Microsoft Office Documents.

The technique could be used to execute JavaScript code when a user clicks on a weaponized YouTube video thumbnail embedded in a Weaponized Office document.

Experts pointed out that no message is displayed by Microsoft Office to request the victim’s consent.

“Cymulate’s research team has discovered a way to abuse the Online Video feature on Microsoft Word to execute malicious code. Attackers could use this for malicious purposes such as phishing, as the document will show the embedded online video with a link to YouTube, while disguising a hidden html/javascript code that will be running in the background and could potentially lead to further code execution scenarios.” reads the analysis published by Cymulate.

“This attack is carried out by embedding a video inside a Word document, editing the XML file named document.xml, replacing the video link with a crafted payload created by the attacker which opens Internet Explorer Download Manager with the embedded code execution file”

The experts created a proof-of-concept attack using a YouTube video link embedded in weaponized Microsoft Office documents.

When a video is embedded in a Word document, an HTML script is created and it is executed by Internet Explorer when the thumbnail into the document is clicked.

The researchers found a way to modify that HTML script to point to malware instead of the real YouTube video.

A default XML file named ‘document.xml’ can be edited by an attacker, in particular, it is possible to modify the video configuration included in a parameter called ’embeddedHtml’ and an iFrame for the YouTube video, which can be replaced with attacker HTML.

In the attack scenario presented by the researchers, they included in their own HTML a Base64-encoded malware binary that opens the download manager for Internet Explorer, that in turn installs the malicious code.

The expected video will be displayed without raising suspicious, while the malware is silently installed on the victim’s machine. Expert shared a video PoC of the attack.

Below the workflow of the attack:

  • Create a Word Document. 
  • Embed an online video: Insert -> online video and add any YouTube video.
  • Save the Word document with the embedded online video.
  • Unpack the Word document: Docx files are actually a package of all the media files that you may see in a docx file. If you unpack the file – either by using an unpacker or changing the docx extension to zip and unzipping it – there are several files and directories in a single docx file:
  • Edit the document.xml file under word folder
  • Inside the .xml file, look for embeddedHtml parameter (under WebVideoPr) which contains the Youtube iframe code. Replace the current iframe code with any html code / javascript to be rendered by Internet Explorer.
  • Save the changes in document.xml file, update the docx package with the modified xml and open the document.

The experts demonstrated that just tricking victims into opening the weaponized document and click on the embedded video is possible to infect their machines.

Ben-Yossef said, CTO at Cymulate, explained antimalware detection depends on the specific payload used in the attack and the evasion techniques it implements.

The technique works with Office 2016 and older versions, the researchers notified Microsoft but that the tech giant doesn’t acknowledge the technique as a security flaw.

Organizations can mitigate the attack by blocking any Word document containing embedded videos.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – weaponized Microsoft Office documents, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]