Last month, researchers from a cybersecurity firm shared their findings on a bug in Microsoft Word online’s video feature that could allow for phishing attacks. At that time, researchers merely expressed their concerns regarding the possible exploitation of the vulnerability.
Hackers Have Been Exploiting The Vulnerability
Researchers from Trend Micro have found proof of active exploitation of a bug discovered last month. Allegedly, they found an in-the-wild sample of a malware supposedly delivered by hackers after exploiting the vulnerability in the Microsoft Word video feature. As stated in their report,
“We indeed identified an in-the-wild sample (detected by Trend Micro as TROJ_EXPLOIT.AOOCAI) in VirusTotal, using this method to deliver the URSNIF information stealer (TSPY_URSNIF.OIBEAO).”
The report was shared by Trend Micro threat analysts, Michael Villanueva, and Toshiyuki Iwata. According to their findings, the attack supposedly involves the use of specially crafted Word documents that reach the target system through another vector. Since the malware transfers through embedded videos in a Word document, the malicious documents usually have a .docx file format. DOCX is an open XML document format.
The researchers have also shared the POC of exploit in the wild that seemingly works the same way as demonstrated initially by Cymulate. However, the malware execution looks even simpler.
“Unlike the PoC, however, the actual malware sample is simpler and could be more effective. It will directly access the malicious URL upon clicking the video frame. It would then load a malicious script that automatically downloads the final payload. Then prompts the user with the download manager to save or run the payload, which poses as a Flash Player update.”
The below gif by Trend Micro shows the exploit in the wild.
Still No CVE… No Patch Too!
When Cymulate discovered the glitch in the Word video feature, they reported it to Microsoft. However, Microsoft didn’t deem it important enough for a CVE. Researchers have also found the exploitation of this bug, no patches are yet available to protect users. Therefore, Trend Micro researchers recommend blocking such Word files that contain embeddedHTML tags.
“Users can defend against threats abusing this by blocking Word documents that has the embeddedHtml tag in their respective XML files or disabling documents with embedded video… Adopt best practices: be more cautious against unsolicited emails and update systems, applications, and networks to patch exploitable vulnerabilities. Employing security mechanisms that can provide additional layers of security to endpoints (such as URL filtering/categorization) can also help block malicious URLs and malware-hosting sites.”
Take your time to comment on this article.