MS Word Maybe Used for Cryptojacking Attacks

Cryptojacking JavaScript can be launched in Word documents – New Word features that appeared in its latest version made it possible – MS Word now allows adding video into the document by inserting an iFrame code. The file size does not increase as the video is played through a headless web browser opened in a popup window.

Amit Dori, a security researcher from Israel, who works with Votiro, was first to draw attention to this issue. Amit Dori says that cybercrooks may host a benign video on their servers and add a cryptojacking script to mine Monero or another cryptocurrency. Once the user clicks on the playback, browser launches and CoinHive or another popular miner may start earning crypto to the distant scammer.

This issue could be partially avoided if Word allowed to whitelist domains and play only YouTube or Vimeo videos. Some security researchers believe that such a scenario is extremely unlikely. Hidden web browser mining financially justifies itself only in case the user does not disconnect the player for a long time.

Now, most people prefer watching videos on YouTube, some download them. But who is going to watch or insert movies into MS Word? According to Amit Dori, crooks still may try to insert longer video or add several short videos with smooth transitions from one video clip to another.

Still, in order to make a profit, the scammer will have to convince thousands of users to open Word booby-trapped documents on daily basis.

For now, crooks find that the most effective way is to hack the video streaming services and to place crypto miners there. Visitors stay on such websites for a long time and do not notice high CPU and processor load while watching movies.

The most profitable in this respect are torrent websites and other resources with pirated content. Porn sites and game portals are also great for that.

MS Word Maybe Used for Cryptojacking Attacks
Gif shows how it is done

The vulnerability discovered by Amit Dori can be used not only for cryptojacking but for other purposes too. For example, nothing prevents intruders from embedding phishing scripts into the Word player. The Internet Explorer window makes it easy to extract information from unsuspecting users. For example, scammers may put a restriction on viewing for those who have not passed the authentication procedure and have not typed in their personal data.

The online video function is also available in other Microsoft Office products, for example, in PowerPoint and OneNote, however, it is more secure there since it allows access only to certain domains.

Amit Dori already notified Microsoft about the problem, but the corporation does not consider it a security issue. Therefore, experts recommend being vigilant when working with Word documents that contain video. You should always install fresh updates, including the Internet Explorer browser. When watching Word videos loaded from suspicious servers, users should use a VPN to encrypt their traffic and never type in their personal data.

The Microsoft Word application was previously used by scammers to spread malicious scripts. Not long ago security researchers discovered a campaign that exploited the OLE function of Microsoft products. Word macros are also popular among malware authors.

Image credit: DepositPhotos

David Balaban

David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.