Cryptojacking Scripts Can Work In Word Documents

Security researchers have discovered cryptojacking scripts, which use resources from a victim’s machine to mine for cryptocurrency, can be run inside Microsoft Word files, opening up new possibilities for attacks.

The potential attack, first highlighted by Israeli security firm Votiro, is made possible thanks to a feature in newer versions of Microsoft Word that allow users to embed videos from the internet inside documents without needing to upload the video itself.

The feature was introduced for the sake of convenience; a user can insert a link to a video in a Word document and a video player will appear, allowing the viewer to watch the video without ever leaving the document itself.

While the feature may be useful for legitimate purposes, malicious actors have also found a way to manipulate the Word video player to run cryptocurrency scripts that will mine for cryptocurrency like Monero without the victim’s knowledge or permission.

The attack is made possible because Word doesn’t restrict where the video embed codes come from. There is no whitelist set to ensure the code comes from a legitimate source, so attackers can abuse that lack of protection to embed code from malicious sources. The attack is also enabled by the fact the video player is word actually an Internet Explorer browser window.

To take advantage of the exploitable security holes, an attacker would simply have to host a video on a domain they own and load the script for an in-browser cryptocurrency miner alongside the video. When a user opens a Word file with the video and hit the play button, the cryptominer goes to work, using the victim’s machine to mine for cryptocurrency.

The script on the web page uses the processing power of the victim’s machine—be it their CPU or graphics processing unit (GPU—to generate the cryptocurrency. The task of mining for cryptocurrency involves solving complicated mathematical problems in order to confirm and process transactions, which in turn releases additional currency to those who helped solve the compute-intensive equations.

In this particular attack, the threat actor would use the victim’s machine to mine for Monero, an increasingly popular cryptocurrency that has been touted because of its totally anonymous transactions. It has become a favorite of the privacy minded and of criminals executing cryptojacking scams.

While the attack is possible, it also wouldn’t be particularly profitable. The security researchers said it was unlikely that attacks carried out through Word documents would generate a considerable amount of revenue for attackers. It would be more effective to host a cryptomining script on a website and mine whenever a person visits the site.

Instances of cryptojacking have cropped up on a number of popular and well-trafficked websites. Politifact.com, a Pulitzer Prize-winning fact-checking website, hosted a cryptojacking script without the knowledge of the site operators, as did a number of government-operated websites in the United States and United Kingdom.

Websites for television network Showtime and popular torrent site the Pirate Bay also had cryptomining code installed , but done so intentionally despite not informing its users. In those instances, the site operators profited directly off their visitors without their knowledge.