Quote:Trend Micro threat analysts Michael Villanueva and Toshiyuki Iwata found a sample, identified as TROJ_EXPLOIT.AOOCAI, that was spreading the URSNIF information stealer. While the basic delivery system was the same between the PoC and the in-the-wild version, some improvements were noted in the latter malware.

The PoC used the msSaveorOpenBlob method to decode a base64-encoded binary embedded with a video tag, as well as, being triggered when the victim clicks the video frame. Once the malware is downloaded the target is prompted through IE’s download manager to run or save the executable.

The live sample eliminates the msSaveorOpenBlob step. Instead, once the video is clicked the malware directly accesses the malicious URL and downloads the final payload. The the IE download manager is replaced with a fake Flash Player update that encourages the victim to run or save. Overall, Trend Micro described the new method as a simpler and possibly more effective than the PoC.

Full Report: https://blog.trendmicro.com/trendlabs-security-intelligence/hide-and-script-inserted-malicious-urls-within-office-documents-embedded-videos/