Security researchers from Trend Micro identified an in-the-wild sample that attackers use the method to deliver the Ursnif Malware variant.
Cymulate published a Proof-of-concept last October explaining the attack using youtube video link with a word document.
The published PoC uses msSaveorOpenBlob method to trigger the download of the executable by opening Internet Explorer Download Manager with the option to run or save the file.
With the malware sample, attackers made it look simple and effective, upon triggering the video frame it directly accesses the malicious URL and loads the malicious script and downloads the final payload.
Then it poses the payload as a flash player update and prompts the download manager to save or run the payload.
“A closer look into the in-the-wild sample reveals that it simply modifies the URL written under the src parameter, replacing it with a Pastebin URL that contains a script that loads and runs upon successful redirection. In turn, the script accesses another malicious URL to download and execute a version of the URSNIF malware,” reads the TrendMicro blog post.
The main goal of the URSNIF malware is to steal information including System information, List of installed applications, installed drivers, List of running processes, List of network devices, External IP address, Email credentials (IMAP, POP3, SMTP), Cookies, Certificates, Screen video captures (.AVI) and Financial information via webinjects.
Users can defend the attack by blocking word documents containing the tag: “embeddedHtml” in the Document.xml file of the word documents and to block word documents containing an embedded video.