by Michael Villanueva and Toshiyuki Iwata (Threats Analysts)
In late October, security researchers from Cymulate showed a proof of concept (PoC) exploiting a logic bug that could allow hackers to abuse the online video feature in Microsoft Office to deliver malware. We indeed identified an in-the-wild sample (detected by Trend Micro as TROJ_EXPLOIT.AOOCAI) in VirusTotal, using this method to deliver the URSNIF information stealer (TSPY_URSNIF.OIBEAO).
What is the malware’s infection vector?
Since this kind of attack involves the use of a specially crafted Word document, we can assume that it can arrive on a user’s system through other malware or as an attachment or links/URLs in spam.
The flaw affects Microsoft Word 2013 and later versions. The PoC and the malware both use the DOCX file type of Microsoft Word, an eXtensible Markup Language-based (XML) format that can contain text, objects, styles, formatting, and images. These parts are stored as separate files and packed together in a ZIP-compressed/archived DOCX file.
How do the PoC and in-the-wild malware work?
The PoC and the in-the-wild sample abuse a logic bug in Microsoft Office's online video embedding feature, which allows users to embed an online video from external sources such as YouTube and other similar media platforms.
The PoC was done by embedding online videos in the document then modifying the XML files within the document’s package. As demonstrated by Cymulate, it involves:
- Modifying the document’s file extension (DOCX to ZIP).
- Extracting the files within the document’s archive.
- Locating the tag (embeddedHtml) within the XML file where malicious scripts or URLs can be appended. Note that once the URL under the embeddedHtml parameter is modified, it automatically redirects the user to the specified URL after clicking anywhere on the video frame inside the document.
- Initializing and deploying the payload by modifying the script inside embeddedHtml.
A closer look into the in-the-wild sample reveals that it simply modifies the URL written under the src parameter, replacing it with a Pastebin URL that contains a script that loads and runs upon successful redirection. In turn, the script accesses another malicious URL to download and execute a version of the URSNIF malware.
How is the PoC different from the actual malware sample?
The PoC used the msSaveOrOpenBlob method — which launches an application for a file or blob object — to decode a base64-encoded binary embedded within the video tag. It is also triggered by clicking the video frame. Once decoded, it prompts the user with the Internet Explorer Download Manager (showing the embedded binary's filename) and a notification asking whether to run or manually save the executable (shown in Figure 3).
Unlike the PoC, however, the actual malware sample is simpler and could be more effective. It will directly access the malicious URL upon clicking the video frame. It would then load a malicious script that automatically downloads the final payload. As shown in Figure 4, it then prompts the user with the download manager to save or run the payload, which poses as a Flash Player update.
How can users defend against this threat?
Microsoft reportedly did not assign a CVE identifier for this, as the online video embedding feature is working as intended/designed. Users can defend against threats abusing this feature by blocking Word documents that have the embeddedHtml tag in their respective XML files. Given that this seemingly new technique only needs to modify URLs, it could expose users and businesses to various malware and other threats. Adopt best practices: be more cautious with unsolicited emails and update systems, applications, and networks to patch exploitable vulnerabilities. Employing security mechanisms that provide additional layers of security to endpoints (such as URL filtering/categorization) can also help block malicious URLs and malware-hosting sites.
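The blocking recommendation above can be implemented at a mail gateway or on an endpoint by treating the DOCX as the ZIP archive it is and scanning every XML part for an embeddedHtml attribute. The following Python script is an added example written for this post and is not Trend Micro's own code or the YARA rule in the appendix. It assumes the attribute is carried by a wp15:webVideoPr element (only the embeddedHtml name itself comes from the post) and builds two constructed in-memory documents, one benign and one with an online-video block pointing at the placeholder host example.invalid, to show what a scanner reports for each.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed word/document.xml with an online-video block. The wp15:webVideoPr
# element name is an assumption of this example; embeddedHtml is the attribute
# the post says to look for. The HTML inside it is XML-escaped, exactly as Word
# stores it, and the src host is a placeholder.
VIDEO_DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    ' xmlns:wp15="http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing">'
    '<w:body><w:p><w:r><w:drawing>'
    '<wp15:webVideoPr embeddedHtml="&lt;iframe src=&quot;https://example.invalid/redirect&quot;'
    ' width=&quot;640&quot; height=&quot;360&quot;&gt;&lt;/iframe&gt;" h="360" w="640"/>'
    '</w:drawing></w:r></w:p></w:body></w:document>'
)

# Constructed benign document: one paragraph of text, no drawing at all.
PLAIN_DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>'
)

# Pulls every src="..." value out of the decoded embedded HTML so the result can
# be handed to URL filtering.
SRC_RE = re.compile(r'src\s*=\s*["\']([^"\']+)', re.IGNORECASE)


def build_docx(document_xml: str) -> bytes:
    """Pack a minimal DOCX (a ZIP holding word/document.xml) for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def find_embedded_html(docx_bytes: bytes) -> list:
    """Return one finding per embeddedHtml attribute found in any XML part.

    Each finding records the package part, the element carrying the attribute,
    and the src URLs inside the embedded HTML. Parts that are not well-formed
    XML are skipped rather than trusted.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue
            for elem in root.iter():
                # ElementTree keys attributes as "{namespace}local" or "local";
                # compare on the local name so any namespace prefix is caught.
                for key, value in elem.attrib.items():
                    if key.rsplit("}", 1)[-1] == "embeddedHtml":
                        findings.append({
                            "part": name,
                            "element": elem.tag.rsplit("}", 1)[-1],
                            "urls": SRC_RE.findall(value),
                        })
    return findings


def should_block(docx_bytes: bytes) -> bool:
    """Policy from the post: any document carrying embeddedHtml is blocked."""
    return len(find_embedded_html(docx_bytes)) > 0


if __name__ == "__main__":
    for label, xml in (("plain", PLAIN_DOCUMENT_XML), ("video", VIDEO_DOCUMENT_XML)):
        doc = build_docx(xml)
        print(label, "block" if should_block(doc) else "allow", find_embedded_html(doc))
```

Because the decision is made on package structure rather than on the specific Pastebin URL used by this sample, the check keeps working when the attacker only swaps the src value, which is the one change the post notes the technique needs. The extracted URLs are the natural input for the URL filtering/categorization layer mentioned above.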
Users and businesses can also consider adopting security solutions that can protect systems from various threats through a cross-generational blend of threat defense techniques. Trend Micro endpoint solutions such as the Smart Protection Suites and Worry-Free Business Security solutions can protect users and businesses from threats by detecting malicious files and messages as well as blocking all related malicious URLs. Trend Micro™ Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.
These solutions are powered by Trend Micro™ XGen™ security, which provides high-fidelity machine learning that secures the gateway and endpoint, and protects physical, virtual, and cloud workloads. With technologies that employ web/URL filtering, behavioral analysis, and custom sandboxing, XGen security offers protection against ever-changing threats that bypass traditional controls and exploit known and unknown vulnerabilities.
The YARA rule for detecting TROJ_EXPLOIT.AOOCAI is in this appendix.
Indicators of Compromise (IoCs):
Related hashes (SHA-256):
- 03634e2eab2f61ab1d7359c4038c7042f7eb294d9d5c855560468b8824702c47 — TROJ_EXPLOIT.AOOCAI
- d01b6f839b233ce9d6834a58d9d832ad824b73dd3dd1f399639fe5326faf783b — TSPY_URSNIF.OIBEAO
Related malicious URL:
Updated as of December 3, 2018, 9:40PM PDT to include the YARA rule in the appendix.
Updated as of March 18, 2019, 6:38PM PDT to update the mitigation/recommendation on disabling documents with embedded video.