Microsoft Word Used by Hackers to Display Cryptomining Videos
Smart PlanetHackers have been exploiting a Microsoft Word feature to deliver cryptojacking scripts on victims’ computers and secretly mine cryptocurrency.
According to security researchers at Israel-based Votiro, attackers abuse Microsoft Word’s Online Video feature that allows users to insert remote videos directly into documents without having to embed them or provide a link to a third-party service.
Due to insufficient sanitisation, threat actors can exploit this new feature to insert cryptojacking scripts that secretly exhaust their viewers’ computer processing power in order to mine Monero coins in the background while the video plays.
“One of the recent concerns in the Internet realm is the threat of cryptocurrency mining via the browser. As these attacks are usually JavaScript based, they are easy and quick to implement,” Votiro researcher Amit Dori published in a blog post on Tuesday (20 February).
He notes that the feature makes Word software vulnerable to browser-based cryptojacking, especially when using Internet Explorer, whose frame “fits perfectly for this scenario, as users can be tricked into watching an ‘innocent’ video while, in the background, their CPU is being exhausted”.
Hackers can also adjust the video to ensure that the victim is tempted to watch the entire clip while their computer’s resources are thoroughly drained during the time the screen remains open. In addition to the length of the videos, they also use a prolonged “Loading…” animation to maximize efficiency as well.
In one scenario demonstrated by Votiro, a rather simple 12-minute video on cryptocurrency was able to hijack 99% of the victim’s CPU for cryptomining.
“By infecting the machine with a cryptocurrency-miner, the attacker gets his own remote money-maker machine to be used at his free will,” says Dori. “Furthermore, owning the machine, makes it suitable for a variety of other shady actions.”
To infect a computer with the cryptominer, the malicious documents deliver the scripts either via macros or by exploiting a vulnerability.
Dori notes that Word’s Online Video feature could also be used to silently redirect users to exploit gates and web pages, and for extracting sensitive user data through phishing schemes.
The popular Microsoft Word used by most individuals and organisations worldwide, often has various vulnerabilities, making it an ideal platform for hackers to exploit. While Internet Explorer is not as frequently used as Google Chrome or Mozilla Firefox, it is updated less often and is known for having multiple security issues ranging from browser-based to plugin-based vulnerabilities.
Exploit kits may also be employed by threat actors to secretly install a Trojan and other malicious software onto a victim’s computer.
Votiro said it privately disclosed the issue with Microsoft Security Response Centre. However, the MSRC reportedly did not consider their findings enough to constitute a security issue.
“This technique relies on social engineering to convince a user to open a malicious document and disable Protected View,” a Microsoft spokesperson told SC Media in a statement. “We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.”
The spokesperson reportedly pointed to a Microsoft web page featuring resources and research about online safety.
But this isn’t the first case of cryptojacking. Just last month, hackers made use of YouTube ads to hijack victims’ computers and mine cryptocurrency using the publicly available Coinhive JavaScript code. Threat actors have also been using popular Chrome extensions, thousands of high-traffic websites including government sites and porn websites, issuing “giveaway offers” on Twitter and cyberheists to earn cryptocurrencies.
The security firm’s findings come at a time when cybercriminals continue to develop new means through which they can exploit victims and earn cryptocurrency.