[ Nov 13, 2018 ]
Hackers abuse Critical flaw in Microsoft word Online Video future that allows attackers to deliver malware into the victim’s system. The flaw affects Microsoft Word 2013 and later versions.
Security researchers from Trend Micro identified an in-the-wild sample that attackers use the method to deliver the Ursnif Malware variant.
Cymulate published a Proof-of-concept last October explaining the attack using youtube video link with a word document.
The published PoC uses msSaveorOpenBlob method to trigger the download of the executable by opening Internet Explorer Download Manager with the option to run or save the file.
The main goal of the URSNIF malware is to steal information including System information, List of installed applications, installed drivers, List of running processes, List of network devices, External IP address, Email credentials (IMAP, POP3, SMTP), Cookies, Certificates, Screen video captures (.AVI) and Financial information via webinjects.
Cyber Security Tips:
- Users can defend the attack by blocking word documents containing the tag: “embeddedHtml” in the Document.xml file of the word documents and to block word documents containing an embedded video.