How to deliver malware using weaponized Microsoft Office docs embedding YouTube video

How to deliver malware using weaponized Microsoft Office docs embedding YouTube video
29.10.2019 securityaffairs Virus

Researchers at Cymulate security firm devised a new stealthy technique to deliver malware leveraging videos embedded into weaponized Microsoft Office Documents.
The technique could be used to execute JavaScript code when a user clicks on a weaponized YouTube video thumbnail embedded in a Weaponized Office document.

Experts pointed out that no message is displayed by Microsoft Office to request the victim’s consent.

“Cymulate’s research team has discovered a way to abuse the Online Video feature on Microsoft Word to execute malicious code. Attackers could use this for malicious purposes such as phishing, as the document will show the embedded online video with a link to YouTube, while disguising a hidden html/javascript code that will be running in the background and could potentially lead to further code execution scenarios.” reads the analysis published by Cymulate.

“This attack is carried out by embedding a video inside a Word document, editing the XML file named document.xml, replacing the video link with a crafted payload created by the attacker which opens Internet Explorer Download Manager with the embedded code execution file”

The experts created a proof-of-concept attack using a YouTube video link embedded in weaponized Microsoft Office documents.

When a video is embedded in a Word document, an HTML script is created and it is executed by Internet Explorer when the thumbnail into the document is clicked.

The researchers found a way to modify that HTML script to point to malware instead of the real YouTube video.

A default XML file named ‘document.xml’ can be edited by an attacker, in particular, it is possible to modify the video configuration included in a parameter called ’embeddedHtml’ and an iFrame for the YouTube video, which can be replaced with attacker HTML.

In the attack scenario presented by the researchers, they included in their own HTML a Base64-encoded malware binary that opens the download manager for Internet Explorer, that in turn installs the malicious code.

The expected video will be displayed without raising suspicious, while the malware is silently installed on the victim’s machine. Expert shared a video PoC of the attack.

Below the workflow of the attack:

Create a Word Document.
Embed an online video: Insert -> online video and add any YouTube video.
Save the Word document with the embedded online video.
Unpack the Word document: Docx files are actually a package of all the media files that you may see in a docx file. If you unpack the file – either by using an unpacker or changing the docx extension to zip and unzipping it – there are several files and directories in a single docx file:
Edit the document.xml file under word folder
Inside the .xml file, look for embeddedHtml parameter (under WebVideoPr) which contains the Youtube iframe code. Replace the current iframe code with any html code / javascript to be rendered by Internet Explorer.
Save the changes in document.xml file, update the docx package with the modified xml and open the document.
The experts demonstrated that just tricking victims into opening the weaponized document and click on the embedded video is possible to infect their machines.

Ben-Yossef said, CTO at Cymulate, explained antimalware detection depends on the specific payload used in the attack and the evasion techniques it implements.

The technique works with Office 2016 and older versions, the researchers notified Microsoft but that the tech giant doesn’t acknowledge the technique as a security flaw.

David Phillips
@davidpphillips
· Oct 25, 2018
Replying to @CymulateLtd
Appreciate it's good publicity for you, but the usual process is that you give the vendor adequate time to fix the issue before you go public with it.

Cymulate
@CymulateLtd
Hi David, thank you for your note. We did follow the correct process, we notified Microsoft of this issue and provided all the information. Who then responded with an approval to publish. We hope you find this information relevant.

5:48 PM - Oct 25, 2018
1
See Cymulate's other Tweets
Twitter Ads info and privacy
Organizations can mitigate the attack by blocking any Word document containing embedded videos.