Hackers Abuse Critical Bug in Microsoft Office Online Video Feature To Deliver Malware

Hackers abuse Critical flaw in Microsoft word Online Video future that allows attackers to deliver malware into the victim’s system. The flaw affects Microsoft Word 2013 and later versions.

Security researchers from Trend Micro identified an in-the-wild sample that attackers use the method to deliver the Ursnif Malware variant.

Cymulate published a Proof-of-concept last October explaining the attack using youtube video link with a word document.

The published PoC uses msSaveorOpenBlob method to trigger the download of the executable by opening Internet Explorer Download Manager with the option to run or save the file.

Online Video futureOnline Video future

With the malware sample, attackers made it look simple and effective, upon triggering the video frame it directly accesses the malicious URL and loads the malicious script and downloads the final payload.

Then it poses the payload as a flash player update and prompts the download manager to save or run the payload.

Online Video future

“A closer look into the in-the-wild sample reveals that it simply modifies the URL written under the src parameter, replacing it with a Pastebin URL that contains a script that loads and runs upon successful redirection. In turn, the script accesses another malicious URL to download and execute a version of the URSNIF malware,” reads the TrendMicro blog post.

The main goal of the URSNIF malware is to steal information including System information, List of installed applications, installed drivers, List of running processes, List of network devices, External IP address, Email credentials (IMAP, POP3, SMTP), Cookies, Certificates, Screen video captures (.AVI) and Financial information via webinjects.

Users can defend the attack by blocking word documents containing the tag: “embeddedHtml” in the Document.xml file of the word documents and to block word documents containing an embedded video.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

OpenCTI: Free Cyber Threat Intelligence Platform for Security Experts

OpenCTI (Open Cyber Threat Intelligence) stands out as a free, open source platform specifically designed…

27 minutes ago

LockBit Ransomware Group Breached: Internal Chats and Data Leaked Online

The notorious LockBit ransomware group, once considered one of the world’s most prolific cyber extortion…

3 hours ago

Cisco IOS XE Wireless Controllers Vulnerability Lets Attackers Seize Full Control

A critical security flaw has been discovered in Cisco IOS XE Wireless LAN Controllers (WLCs),…

3 hours ago

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector emerged…

18 hours ago

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its attacks…

18 hours ago

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6 million…

19 hours ago