How Hackers Abuse Microsoft Word for Crypto Mining

February 23, 2018 by Cameron Bishop

Cryptocurrency mining with JavaScript loaded through a browser has become a major concern for users who are not tech savvy.

Newer methods are being employed regularly by hackers to gain control over a user’s machine.

While injecting cryptocurrency mining programs through YouTube videos and advertisements is quite common, hackers are now exploiting the ‘online video’ feature provided by Microsoft Word.

How is Microsoft Word abused by hackers?

The ‘online video’ feature enables inserting a video into a Word document without embedding code. Microsoft provides the facility to keep the document size relatively small. According to the Israel-based cyber security firm Votiro, when a user attaches an online video, a webVideoPr element of type CT_WebVideoPr, which supports embedded HTML code, is loaded in the document. As only basic security checks are applied, the loaded HTML code poses huge security risks.
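A defender can inspect this element before a document reaches users. The following is an added example, not code from the article or from Votiro: it scans a .docx for webVideoPr elements and flags embedded HTML that is anything other than an iframe pointing at an allowlisted video host. It assumes the HTML is carried in the element's `embeddedHtml` attribute (as in the Office Open XML extension for Word, not stated in the article); the host allowlist, the placeholder namespaces and both sample documents are constructed for illustration.

```python
import io, zipfile
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse
from xml.sax.saxutils import quoteattr

ALLOWED_HOSTS = {"www.youtube.com", "player.vimeo.com"}  # assumption: local policy

class EmbedAudit(HTMLParser):
    """Collects anything in the embedded HTML that is not a plain allowlisted iframe."""
    def __init__(self):
        super().__init__()
        self.issues = []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag != "iframe":
            self.issues.append(f"unexpected <{tag}> element")
        elif urlparse(attrs.get("src") or "").hostname not in ALLOWED_HOSTS:
            self.issues.append(f"iframe src not allowlisted: {attrs.get('src')}")
        self.issues += [f"event handler attribute: {a}" for a in attrs if a.startswith("on")]

def audit_docx(data: bytes) -> list:
    """Return findings for every webVideoPr element in the package's word/*.xml parts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for part in pkg.namelist():
            if not (part.startswith("word/") and part.endswith(".xml")):
                continue
            for el in ET.fromstring(pkg.read(part)).iter():
                if el.tag.rsplit("}", 1)[-1] != "webVideoPr":  # match on local name
                    continue
                audit = EmbedAudit()
                audit.feed(el.get("embeddedHtml", ""))
                audit.close()
                findings += [f"{part}: {issue}" for issue in audit.issues]
    return findings

def make_sample_docx(embedded_html: str) -> bytes:
    """Build a minimal constructed package; the namespaces are placeholders."""
    xml = ('<w:document xmlns:w="urn:example:w" xmlns:wp15="urn:example:wp15">'
           f'<wp15:webVideoPr embeddedHtml={quoteattr(embedded_html)} h="315" w="560"/>'
           '</w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", xml)
    return buf.getvalue()

# Constructed samples: an ordinary video embed and one carrying extra markup.
BENIGN = '<iframe src="https://www.youtube.com/embed/VIDEO_ID" width="560"></iframe>'
SUSPECT = '<iframe src="https://redirect.example/gate"></iframe><script src="x.js"></script>'

if __name__ == "__main__":
    print(audit_docx(make_sample_docx(BENIGN)), audit_docx(make_sample_docx(SUSPECT)))
```

ElementTree does not protect against entity-expansion attacks, so a production scanner handling untrusted files should use a hardened XML parser instead.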

In the case of browser- and YouTube-video-based cryptocurrency mining, the JavaScript runs only while the user keeps the corresponding video frame open. Internet Explorer is not updated frequently (compared to Chrome and Firefox) and is the prime target of hackers for hijacking a user’s CPU for cryptocurrency mining.

Now, hackers have taken it to the next level by gaining full control of the machines. A Word document containing malicious code is delivered through spam, and its interesting topic lures the user into disabling ‘protected view’ and clicking the video. Without the user’s knowledge, the IE frame redirects the user to the exploit-kit gate, which evaluates the machine and infects it if conditions are suitable for exploitation. (An exploit kit is a malicious toolkit used to exploit security holes found in software applications for the purpose of spreading malware. If the exploit succeeds, a malware program is downloaded to the victim’s computer and executed.)

The process defeats Windows Defender Exploit Guard because the exploitation is done as a separate process. Therefore, the program can be installed even on an updated Windows 10 machine. The ‘online video’ feature is available in PowerPoint as well. However, PowerPoint does not allow injection of HTML code.

Cameron works tirelessly behind the scenes ensuring his many US news stories are factual, informative and brought to you in a timely fashion before most other media outlets have them. He is an investigative journalist at heart who also has a fond interest in the money and business markets too.
