Most employees have some awareness about malware attacks. Many probably know that you should never open an executable file from a stranger or install a thumb drive found in the parking lot, for example. But videos, or links to videos, can deliver malware just like that executable or thumb drive. Do your employees know this too? And even if they do know it, will they be tricked into chasing malicious videos anyway?
Here’s why it’s time to start focusing on video malware.
Video Is the Perfect Bait for Social Engineering
The lure of video might be the perfect social engineering trick for malware attacks. Recent trends in person-to-person communications and social media have conditioned the public to compulsively open many videos every day. Facebook and Instagram have been retrofitted with viral, addictive video features to keep up with upstarts such as Snapchat and TikTok. YouTube has always emphasized compelling videos, and messaging applications are increasingly carrying video as well.
In other words, video has emerged as the digital “drug” of choice when it comes to escapism, boredom relief and information delivery. As a bonus for cybercriminals, users may believe video files to be harmless, meaning even security-savvy users who would otherwise avoid clicking on suspicious links are likely to open and play videos.
The video habit (or addiction) in our culture has paved the way for video malware — malicious code embedded into video files. Video malware is part of a larger trend toward more effective stealth in the delivery of malware. It’s also the latest, and probably the most interesting, example of malicious steganography — the embedding of something secret inside some other medium. When the medium is an executable file, it’s called stegware.
Malware has been embedded in still-image file formats, such as JPG, PNG and BMP formats, for years. Now, it appears that video malware is having a moment.
The Latest From the Dangerous Video Front
Because of the irresistible appeal of videos, threat actors have been using the promise of video for many years. One common way to trick people into clicking on a malicious link is to ask, “Are you in this video?” The idea that an embarrassing video of yourself is publicly circulating can compel otherwise educated and rational people to open a video or click on a link, just to be sure. This tactic is common on major messaging platforms, where attackers can make it seem like the video or link was sent by a friend or colleague.
There are more sophisticated versions of this technique. For example, even back in 2014, malware called Trojan.FakeFlash.A appeared to place a photo of a Facebook “friend” on victims’ Facebook feeds with text that implied clicking would launch a highly personal video of that friend, according to USA Today. The malware infected some 2 million systems worldwide.
Neither of these malware attacks involves an actual video — just the promise of one to incentivize users to click on links or open files. Other recent vulnerabilities and attacks have involved actual videos, as part of the ongoing evolution of video as a malware delivery method.
One recent example observed by Trend Micro involved embedding malware into a Word document containing a video. This is a relatively easy way to insert malware, because the malicious code can simply be added to an XML file inside the document’s Word folder. The document can then be modified so that when a victim opens it and clicks on the video, the malicious code is executed. In July, Symantec discovered another attack vector called media file jacking that enabled attackers to alter videos and images on both WhatsApp and Telegram — fortunately, not in a way that enabled code execution.
Yet another vulnerability discovered in Android offers a glimpse at what’s possible in the distribution of video malware. The vulnerability in Android versions 7–9 (Nougat, Oreo and Pie) could enable cybercriminals to execute code remotely via video-embedded malware. The video would have to be sent directly — for example, as an email attachment — because video services such as YouTube re-encode uploaded videos, thus modifying the malicious code and preventing it from working.
Google has since issued a security update that fixes the flaw, so those devices with the update are safe. Those without the patch (theoretically, more than 1 billion devices), however, are still at risk — especially since the fix unavoidably advertised the vulnerability to threat actors. While there has been no reported exploitation of the vulnerability, it suggests previously unexpected possibilities in the realm of video malware.
Following the trends — growing comfort with video, sophisticated techniques for stealth and increasing targeting of mobile devices — we can see the aggressive exploration of the possibilities around smuggling malware in videos. The time to get counter-steganographic is now.
How to Address the Threat of Video Malware Attacks
The scariest threats are the ones that nobody has heard of or is expecting. But recent events show that video malware is an intense area of interest for malware social engineering (and now also software engineering). Here are some steps to prepare your enterprise to expect the unexpected:
- Architect a unified defensive posture — i.e., break down those cybersecurity silos.
- Make an advanced unified endpoint management (UEM) solution the core of your defenses.
- Use threat intelligence to stay on top of recent steganographic attacks and vulnerabilities.
- Block Word documents containing embedded videos from entering corporate networks.
- As always, stay current on patches and updates for all systems and devices, especially mobile devices.
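The fourth step above (blocking Word documents with embedded videos) needs a concrete check at the mail or web gateway. The following is an added example, not code from the article or any vendor: it opens a .docx as the ZIP container it is and looks for the online-video marker Word writes (the wp15 webVideoPr element with its embeddedHtml attribute, which the article does not name and is assumed here from how Word stores the feature). The two sample documents are constructed in memory so the script runs offline.

```python
"""Flag .docx files that carry Word's "online video" embed, so a gateway can
block them (defender-side check for the control discussed above)."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumed location of the marker: Word stores an online video as a
# wp15:webVideoPr element whose embeddedHtml attribute holds the player HTML.
WP15_NS = "http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
VIDEO_TAG = f"{{{WP15_NS}}}webVideoPr"


def find_embedded_videos(docx_bytes):
    """Return the embeddedHtml string of every online-video object found in
    the document's XML parts. An empty list means no embedded video."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        # Headers, footers and the body are all XML parts under word/, so
        # scan every one of them rather than document.xml alone.
        for name in z.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                root = ET.fromstring(z.read(name))
                for el in root.iter(VIDEO_TAG):
                    hits.append(el.get("embeddedHtml", ""))
    return hits


def should_block(docx_bytes):
    """Fail closed: block on an embedded video or on a file that cannot be
    parsed as a .docx container at all."""
    try:
        return bool(find_embedded_videos(docx_bytes))
    except (zipfile.BadZipFile, ET.ParseError):
        return True


def _make_docx(document_xml):
    """Build a minimal .docx in memory (constructed fixture, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


CLEAN_DOC = _make_docx(f'<w:document xmlns:w="{W_NS}"><w:body><w:p/></w:body></w:document>')
VIDEO_DOC = _make_docx(
    f'<w:document xmlns:w="{W_NS}" xmlns:wp15="{WP15_NS}"><w:body><w:p>'
    '<wp15:webVideoPr embeddedHtml="&lt;iframe src=&quot;https://example.invalid/v&quot;&gt;'
    '&lt;/iframe&gt;" h="360" w="640"/></w:p></w:body></w:document>')
```

In a real deployment the same check runs on the attachment bytes before delivery; the embeddedHtml value it returns is worth logging, since that is the field an attacker would tamper with.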
Your users love videos. And because of the compelling, visceral and viral nature of videos, they’re going to be opening them. Threat actors know this, and they’re always working on new ways to hide malicious code inside videos. Is your enterprise security team ready to fight back?