Hackers have been found exploiting Microsoft Word documents to deliver cryptojacking scripts to hijack victims' computers and secretly mine cryptocurrency. Security researchers at Israel-based Votiro said the attack abuses Microsoft Word's Online Video feature that allows users to insert remote videos directly into documents without having to embed them or provide a link to a third-party service.
Due to insufficient sanitisation, threat actors have been using this new feature to insert cryptojacking scripts that silently exhaust a victim's CPU and mine Monero coins in the background while the video plays.
Dori notes that the Internet Explorer frame "fits perfectly for this scenario, as users can be tricked into watching an 'innocent' video while, in the background, their CPU is being exhausted".
Hackers can also "tailor" the video for the victim to make sure they are tempted to watch the entire clip while their computer's resources are thoroughly drained as long as the screen remains open. They can also combine the lengthy videos with an extra-long "Loading..." animation to maximise efficiency.
In one scenario demonstrated by Votiro, a deceptively simple 12-minute video on cryptocurrency was able to hijack 99% of the victim's CPU for cryptomining.
"By infecting the machine with a cryptocurrency-miner, the attacker gets his own remote money-maker machine to be used at his free will," Dori notes. "Furthermore, owning the machine makes it suitable for a variety of other shady actions."
Dori says the malicious documents could deliver the scripts via macros or by exploiting a vulnerability to infect a machine with the cryptominer.
Dori notes that Word's Online Video feature could also be exploited by threat actors to display dubious web pages and in phishing schemes to extract sensitive user data.
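A mail or file gateway can triage documents for this abuse before they reach a user. The following is an added example, not code from Votiro or Microsoft: it relies on the fact that Word stores an inserted online video as a `webVideoPr` element whose `embeddedHtml` attribute holds the HTML rendered in the frame. The host allowlist, the function names and the sample package are assumptions constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import quoteattr

# Assumption: video hosts this organisation accepts (constructed allowlist).
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com", "player.vimeo.com"}
URL_ATTR = re.compile(r"""\b(?:src|href)\s*=\s*["']?([^"'\s>]+)""", re.I)
ACTIVE = re.compile(r"<\s*script\b|\bon\w+\s*=|javascript:", re.I)

def scan_docx(data: bytes) -> list:
    """Return one finding per online-video element whose embedded HTML looks risky."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            raw = zf.read(name)
            if b"<!DOCTYPE" in raw:  # OOXML parts need no DTD; avoids entity expansion
                findings.append({"part": name, "reasons": ["DTD present"]})
                continue
            for el in ET.fromstring(raw).iter():
                if el.tag.rsplit("}", 1)[-1] != "webVideoPr":
                    continue
                html = el.get("embeddedHtml", "")  # ElementTree has already unescaped it
                reasons = ["active content"] if ACTIVE.search(html) else []
                for url in URL_ATTR.findall(html):
                    try:
                        host = urlparse(url).hostname
                    except ValueError:  # malformed URL: treat as untrusted
                        host = None
                    if host not in ALLOWED_HOSTS:
                        reasons.append(f"non-allowlisted source: {host or url}")
                if reasons:
                    findings.append({"part": name, "reasons": reasons})
    return findings

def build_sample(embedded_html: str) -> bytes:
    """Constructed test package: one XML part, not a document Word would open."""
    xml = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
           ' xmlns:wp15="http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing">'
           f"<w:body><wp15:webVideoPr embeddedHtml={quoteattr(embedded_html)}/></w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", xml)
    return buf.getvalue()
```

A finding is a reason to quarantine or strip the video element, not proof of mining; the allowlist decides how strict the check is.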
Microsoft Word, which is used by most people and organisations across the globe and is often found to have vulnerabilities, presents an ideal platform for hackers to exploit. While Internet Explorer is not as widely used as Google Chrome or Mozilla Firefox, Dori notes that it is updated less often and is known for its multiple vulnerabilities ranging from browser-based to plugin-based flaws.
Exploit kits may also be leveraged by threat actors to covertly install a Trojan and other malicious software onto a victim's computer.
Votiro said it privately notified the Microsoft Security Response Center about its findings. However, the MSRC reportedly did not consider the research enough to constitute a security issue.
"This technique relies on social engineering to convince a user to open a malicious document and disable Protected View," a Microsoft spokesperson told SC Media in a statement. "We encourage our customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers."
The spokesperson reportedly pointed to a Microsoft web page featuring resources and research about online safety.
The security firm's findings come as cybercriminals continue to develop new, clever ways to exploit victims and earn cryptocurrency, often by exploiting popular platforms in cryptojacking and malware attacks.