November 13, 2018

Threat Analysts Michael Villanueva and Toshiyuki Iwata of Trend Micro recently announced that they  have uncovered an ITW campaign leveraging the “Online Video” vulnerability we’ve discovered and published last February and which was featured on Bleeping Computer.

The campaign takes advantage of a Proof-Of-Concept that was released last October, which embedded a base64-encoded blob into the Online Video section, causing Internet Explorer to prompt its download manager.

Infection Vector

As Mentioned in Trend Micro’s publication, this attack revolves around a crafted Word document where an inner-tag has been altered. Once a user opens the document and clicks the video frame, a background Internet Explorer process will come to life, sending requests to a hardcoded URL.

Figure 1: Comparison of the PoC (left) and the in-the-wild sample’s (right) infection chains

The Proof-Of-Concept used the msSaveorOpenBlob method — which launches an application for a file or blob object — to decode a base64-encoded binary embedded within the video tag. It is also triggered by clicking the video frame. Once decoded, it will prompt the user with Internet Explorer Download Manager (showing the embedded binary filename) with a notification asking whether to run or manually save the executable.

How the campaign operates?

Unlike the PoC, however, the actual malware sample is simpler and could be more effective. It will directly access the malicious URL upon clicking the video frame. It would then load a script that automatically downloads the final payload. As shown in Figure 2, it then prompts the user with the download manager to save or run the payload, which poses as a Flash Player update.

Figure 2: How the in-the-wild sample works


How can users defend against this threat?

Votiro Lab were the first to discover and protect against this vulnerability, Votiro customers are the first to have been protected against these kinds of threats.

We advise all users to take extra caution when opening Word documents originating from the internet.
We invite you to try Votiro File Disarmer and see what seamless, simple and effective security solution looks and feels like.


Images Credit: Trend Micro

We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it. Privacy policy