Monero Mining via Word document possible

in #hacker, 6 years ago (edited)

As security researchers report, even cryptojacking is now possible using a Microsoft Word document. The latest version of Word allows the inclusion of code that can call web pages. Because Microsoft added no security precautions, this opens the door for cybercriminals to carry out their schemes.


Cybercriminals are constantly looking for new ways to maximize their revenues at the expense of third parties. If they can even misuse a frequently used program for their own purposes, that is a godsend for them. The latest version of MS Word allows the integration of code which can, for example, independently open its own browser window or tab to call a given Internet address. Amit Dori from the security firm Votiro was the first to draw attention to this problem on his blog.

There are different scenarios for exploiting the gap. The most likely is that the recipient of the Word document is sent by the code to a prepared web page, through which a drive-by Trojan is installed on his device. Depending on the functionality of the Trojan, the hacker then has full control over the hijacked PC. He can, for example, view all bank transfers, intercept usernames and passwords, run DDoS attacks, save credit card details, send spam emails, and more. Of course, there would also be the possibility of mining a cryptocurrency such as Monero on the captured device. In the second scenario, the computer is not taken over. The code only visits a website where, for example, the CoinHive Monero miner is running. This process continues until the visit to the website ends. Since a particularly long stay yields the maximum result, offering a film on a streaming website of the attacker's own would be an obvious choice. As a third possibility, Amit Dori cites directing users to deceptively genuine-looking websites imitating PayPal, Amazon, their bank or their credit card company, where their usernames and passwords are to be harvested by phishing.

Countermeasures would be little effort for Microsoft

The effort Microsoft would have to make as a countermeasure would be minimal. The programmers would only have to integrate a so-called whitelist into Word. This is a list of websites, such as YouTube or Vimeo, that are allowed by default to be accessed from the word processor. If the URL called by the embedded code is not on this list, Word would automatically block the visit. But there are even more tricks: a hacker who wants to disguise his activity could open the called website just below the visible window. Only when you close the larger window or the whole browser would you discover or leave the hidden website. This principle of hidden advertising windows is often used by less reputable online marketers.
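The allowlist check the author proposes, worked through as an added example (not code from the post, from Votiro or from Microsoft) from the receiving side: it opens a .docx, pulls the URLs out of embedded online-video elements and flags any whose host is not on the allowlist. The w15:webVideoPr/embeddedHtml layout, the allowed-host list and the sample documents are assumptions constructed for the example.

```python
import io
import re
import zipfile
from urllib.parse import urlparse
from xml.etree import ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W15 = "http://schemas.microsoft.com/office/word/2012/wordml"  # assumed namespace of the online-video element

# Assumed allowlist; the post names YouTube and Vimeo as default-allowed sites.
ALLOWED_HOSTS = {"youtube.com", "www.youtube.com", "vimeo.com", "player.vimeo.com"}


def build_sample_docx(embedded_html: str) -> bytes:
    """Construct a minimal .docx (a zip with word/document.xml) carrying one online-video element."""
    ET.register_namespace("w", W_NS)
    ET.register_namespace("w15", W15)
    root = ET.Element(f"{{{W_NS}}}document")
    para = ET.SubElement(ET.SubElement(root, f"{{{W_NS}}}body"), f"{{{W_NS}}}p")
    ET.SubElement(para, f"{{{W15}}}webVideoPr", {f"{{{W15}}}embeddedHtml": embedded_html})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", ET.tostring(root, encoding="UTF-8"))
    return buf.getvalue()


def embedded_video_urls(docx_bytes: bytes) -> list:
    """Return every http(s) URL found inside online-video elements of the document."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    urls = []
    for el in root.iter(f"{{{W15}}}webVideoPr"):
        html = el.get(f"{{{W15}}}embeddedHtml", "")
        urls.extend(re.findall(r'https?://[^\s"\'<>]+', html))
    return urls


def offending_urls(docx_bytes: bytes, allowed=ALLOWED_HOSTS) -> list:
    """URLs an allowlisting Word would block: host compared exactly, so
    'youtube.com.attacker.example' does not pass as 'youtube.com'."""
    return [u for u in embedded_video_urls(docx_bytes) if urlparse(u).hostname not in allowed]


# Constructed samples: one allowed video embed, one pointing elsewhere.
GOOD_DOCX = build_sample_docx('<iframe src="https://www.youtube.com/embed/EXAMPLE"></iframe>')
BAD_DOCX = build_sample_docx('<iframe src="https://not-allowed.example/video"></iframe>')

if __name__ == "__main__":
    print("allowed document flags:", offending_urls(GOOD_DOCX))
    print("other document flags:", offending_urls(BAD_DOCX))
```

Running the block on a real document only requires passing its bytes instead of the constructed samples.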

Amit Dori has informed Microsoft about the dangers of the new "feature", but the manufacturer classifies the problem as harmless. Incidentally, the same code can also be included in PowerPoint presentations or in OneNote notebooks. However, Microsoft has already taken the necessary precautions in these programs: via the embedded code, only pages on Microsoft's whitelist can be visited there, so visiting them is unproblematic.

How do the Word documents get to my PC?

Via spam mail that gives the message a trustworthy impression. Or, as often happens with other malicious software, the hackers spread it via Usenet or via P2P networks on the Internet, where commercial documents are not uncommon. Alternatively, cybercriminals can bundle crafted Word documents with current movies, programs, or games. Given the mass of downloads, that would be particularly effective.

What can I do against it?

Most vendors' antivirus software is unlikely to catch such crafted documents. Nevertheless, it should be kept up to date to prevent infection by drive-by malware. Mining of Monero on a website can be prevented by an ad blocker or other browser extensions. Simply search for the keywords "Anti Miner" or "Mining Blocker" among your browser add-ons and install one. All popular browsers have their own plug-ins that stop CoinHive from running.

Maybe this would be a good opportunity to think about a change. Free office packages like Apache OpenOffice or LibreOffice do not allow special code to run in your documents. If required, both office packages can also save documents in Word format or as a PDF. Last but not least, for files a friend has sent you by email, ask before opening whether they really sent them. Who knows whether their PC has not been taken over by some other Trojan?