What Is It?

Trend Micro’s team posted a blog describing a weaponized version of a proof of concept (PoC) being used to propagate Ursnif, an information-stealing trojan. This came less than three weeks after the research team at Cymulate detailed the PoC, which misuses the online video functionality of Microsoft Word.

Following the release of the PoC, Microsoft stated the product was working as designed. Currently, Word shows no warning box when a user opens a document containing this functionality, unlike the prompt users expect when opening a Microsoft Office file that contains macros.

It is very straightforward for attackers to utilize this functionality for malicious purposes. From within a Microsoft Word document, the attacker uses the “Insert Online Video” function to select a YouTube video and saves the document. Since a Word .docx file is essentially a zip archive containing the XML files and directories that describe the document’s layout and content, the saved video definition can be tampered with directly.

The attacker can simply unzip the Word document and edit the document.xml file to alter the contents of the embeddedHtml parameter. That parameter can be changed to point to any HTML or JavaScript code the attacker wishes to have executed.

In the sample described by Trend Micro, a JavaScript file, hosted on pastebin, was embedded. This JavaScript is retrieved and executed simply by the user clicking within the video frame. The JavaScript downloads the Ursnif trojan which causes Windows’ Internet Explorer download manager to ask the user if they want to run or save the file. The malicious download masquerades as an Adobe Flash update. In order to convince the user, the JavaScript displays an image of a Flash Player update, which is hosted on the legitimate myantispyware.com site.

From a technical perspective, this is a relatively simple attack to perform, requiring only basic knowledge on the part of an attacker. Given that Microsoft Word displays no warnings about this potential threat, it is quite likely many users will become infected by the Ursnif trojan in these attacks, at least in the short term.

It is another example of the inherent security issues stemming from the perceived need to make content easier to access and include. Now that this functionality has been weaponized, Microsoft may choose to add warning messages, or checks that verify the embeddedHtml parameter links to actual video content, in order to mitigate this attack vector.
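The check described above can also be performed on the defender’s side, on documents arriving at a mail gateway or sitting in quarantine. The following Python script is an added example and is not code from BluVector, Trend Micro or Cymulate: it opens a .docx as the zip archive it is, reads word/document.xml, extracts every embeddedHtml attribute and flags any fragment that contains a script tag or references a host outside a small allow list of video embed hosts. The wp15:webVideoPr element used in the constructed sample document, the allow list, and the example.invalid placeholder host are assumptions; the detector matches on the attribute name alone, so it does not depend on the exact element Word emits.

```python
"""Flag Online Video embeds in a .docx whose embeddedHtml does not look like a
video embed. Added example; the sample documents below are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import escape

# Hosts a genuine "Insert Online Video" embed is expected to reference.
# ASSUMPTION: illustrative allow list; extend it for your environment.
ALLOWED_VIDEO_HOSTS = {"www.youtube.com", "youtube.com", "www.youtube-nocookie.com"}

# Pull src/href targets out of the HTML fragment stored in the attribute.
URL_RE = re.compile(r"""(?:src|href)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def embedded_html_values(docx_bytes):
    """Return every embeddedHtml attribute value found in word/document.xml.
    The attribute is matched regardless of element or namespace, so the check
    does not rely on the wp15:webVideoPr element name assumed below."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/document.xml" not in zf.namelist():
            return []
        root = ET.fromstring(zf.read("word/document.xml"))
    found = []
    for el in root.iter():
        for name, value in el.attrib.items():
            # namespaced attribute keys look like '{uri}embeddedHtml'
            if name.split("}")[-1] == "embeddedHtml":
                found.append(value)
    return found


def analyse_embed(html):
    """Classify one embeddedHtml fragment. Returns (suspicious, reasons)."""
    reasons = []
    if re.search(r"<\s*script\b", html, re.IGNORECASE):
        reasons.append("contains a <script> tag")
    for url in URL_RE.findall(html):
        host = (urlparse(url).hostname or "").lower()
        if host not in ALLOWED_VIDEO_HOSTS:
            reasons.append(f"references non-video host: {host or url}")
    return (bool(reasons), reasons)


def scan_docx(docx_bytes):
    """Return [(embed_index, reasons), ...] for every suspicious embed."""
    results = []
    for i, html in enumerate(embedded_html_values(docx_bytes)):
        suspicious, reasons = analyse_embed(html)
        if suspicious:
            results.append((i, reasons))
    return results


# --- constructed sample documents (minimal zip, not real malware) -----------
_DOC_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    ' xmlns:wp15="http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing">'
    '<w:body><w:p><w:r><w:drawing>'
    '<wp15:webVideoPr embeddedHtml="{html}" h="360" w="640"/>'  # element name assumed
    '</w:drawing></w:r></w:p></w:body></w:document>'
)


def build_docx(embedded_html):
    """Build a minimal .docx-shaped zip carrying one embeddedHtml value."""
    xml = _DOC_TEMPLATE.format(html=escape(embedded_html, {'"': "&quot;"}))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", xml)
    return buf.getvalue()


# A normal YouTube iframe embed, and a tampered one whose embeddedHtml loads a
# script from a constructed placeholder host.
BENIGN = build_docx('<iframe src="https://www.youtube.com/embed/VIDEO_ID_PLACEHOLDER" '
                    'width="640" height="360"></iframe>')
TAMPERED = build_docx('<script src="https://example.invalid/placeholder.js"></script>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(label, scan_docx(doc))
```

Because the attribute is matched by name wherever it appears, the same routine can be pointed at other OOXML parts (headers, footers, templates) by looping over every `word/*.xml` entry in the archive instead of only `word/document.xml`.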

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. As the attack vector is a malicious document that must be opened by the user, the file would be attached to, or linked from, a malicious spam email.

When/How Did BluVector Detect It?

The Trend Micro blog entry references a sample of a weaponized Microsoft Word document and a sample of the Ursnif trojan. BluVector’s patented Machine Learning Engine (MLE) detected both as malicious. Regression testing has shown the Word document would have been detected 16 months prior to its release and the discovery of the PoC in October 2018, and the Ursnif trojan sample 57 months prior to its release.