August 19, 2019 By Mike Elgan 4 min read

Most employees have some awareness about malware attacks. Many probably know that you should never open an executable file from a stranger or install a thumb drive found in the parking lot, for example. But videos, or links to videos, can deliver malware just like that executable or thumb drive. Do your employees know this too? And even if they do know it, will they be tricked into chasing malicious videos anyway?

Here’s why it’s time to start focusing on video malware.

Video Is the Perfect Bait for Social Engineering

The lure of video might be the perfect social engineering trick for malware attacks. Recent trends in person-to-person communications and social media have conditioned the public to compulsively open many videos every day. Facebook and Instagram have been retrofitted with viral, addictive video features to keep up with upstarts such as Snapchat and TikTok. YouTube has always emphasized compelling videos, and messaging applications are increasingly carrying video as well.

In other words, video has emerged as the digital “drug” of choice when it comes to escapism, boredom relief and information delivery. As a bonus for cybercriminals, users may believe video files to be harmless, meaning even security-savvy users who would otherwise avoid clicking on suspicious links are likely to open and play videos.

The video habit (or addiction) in our culture has paved the way for video malware — malicious code embedded into video files. Video malware is part of a larger trend toward more effective stealth in the delivery of malware. It’s also the latest, and probably the most interesting, example of malicious steganography — the embedding of something secret inside some other medium. When the medium is an executable file, it’s called stegware.

Malware has been embedded in still-image file formats, such as JPG, PNG and BMP, for years. Now, it appears that video malware is having a moment.

The Latest From the Dangerous Video Front

Because of the irresistible appeal of videos, threat actors have been using the promise of video for many years. One common way to trick people into clicking on a malicious link is to ask, “Are you in this video?” The idea that an embarrassing video of yourself is publicly circulating can compel otherwise educated and rational people to open a video or click on a link, just to be sure. This tactic is common on major messaging platforms, where attackers can make it seem like the video or link was sent by a friend or colleague.

There are more sophisticated versions of this technique. For example, even back in 2014, malware called Trojan.FakeFlash.A appeared to place a photo of a Facebook “friend” on victims’ Facebook feeds with text that implied clicking would launch a highly personal video of that friend, according to USA Today. The malware infected some 2 million systems worldwide.

Neither of these malware attacks involves actual videos — just the promise of a video to lure users into clicking on links or opening files. Other recent vulnerabilities and attacks have involved actual videos, as part of the ongoing evolution of video as a malware delivery method.

One recent example observed by Trend Micro involved embedding malware into a Word document containing a video. This is a relatively easy way to insert malware, because it could simply be added to an XML file in the Word folder. Then, the document could be modified so that when a victim opens it and clicks on the video, the malicious code is executed. In July, Symantec discovered another attack vector called media file jacking that enabled attackers to alter videos and images on both WhatsApp and Telegram — fortunately, not in a way that enabled code execution.

Yet another vulnerability discovered in Android offers a glimpse at what’s possible in the distribution of video malware. The vulnerability in Android versions 7–9 (Nougat, Oreo and Pie) could enable cybercriminals to execute code remotely via video-embedded malware. The video would have to be sent directly — for example, as an email attachment — because video services such as YouTube re-encode uploaded videos, thus modifying the malicious code and preventing it from working.

Google has since issued a security update that fixes the flaw, so those devices with the update are safe. Those without the patch (theoretically, more than 1 billion devices), however, are still at risk — especially since the fix unavoidably advertised the vulnerability to threat actors. While there has been no reported exploitation of the vulnerability, it suggests previously unexpected possibilities in the realm of video malware.

Following the trends — growing comfort with video, sophisticated techniques for stealth and increasing targeting of mobile devices — we can see the aggressive exploration of the possibilities around smuggling malware in videos. The time to get counter-steganographic is now.

How to Address the Threat of Video Malware Attacks

The scariest threats are the ones that nobody has heard of or is expecting. But recent events show that video malware is an intense area of interest for malware social engineering (and now also software engineering). Here are some steps to prepare your enterprise to expect the unexpected:

  • Architect a unified defensive posture — i.e., break down those cybersecurity silos.
  • Make an advanced unified endpoint management (UEM) solution the core of your defenses.
  • Use threat intelligence to stay on top of recent steganographic attacks and vulnerabilities.
  • Block Word documents containing embedded videos from entering corporate networks.
  • As always, stay current on patches and updates for all systems and devices, especially mobile devices.
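The Word-document vector described above (malicious content placed in an XML part inside the document package) and the recommendation to block Word documents containing embedded videos both come down to one question a mail or file gateway must answer: does this .docx carry an embedded online-video frame, and what does that frame's HTML reference? The following scanner is an added example, not code from the original article or from any vendor it mentions. It assumes, as a property of the Office Open XML format, that Word records an online video as a `webVideoPr` element whose `embeddedHtml` attribute holds the HTML rendered when the user clicks the video; the two sample documents are constructed in memory (minimal packages, not full Word output) so the code runs offline. Any document with such a frame is reported as `block`, matching the policy in the list above, and the URLs and any `<script>` tag inside the embed are surfaced for analyst triage.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed minimal [Content_Types].xml; real Word output has more parts.
_CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.'
    'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>'
)

# Constructed document.xml with ordinary text only (the benign case).
_DOC_PLAIN = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>'
)

# Constructed document.xml with an online-video frame. Assumption: Word stores
# the frame as webVideoPr/@embeddedHtml (the wp15 namespace URI below is also an
# assumption; the scanner matches on the local element name, not the URI).
# The iframe target is a placeholder host, not a real embed.
_DOC_WITH_VIDEO = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    ' xmlns:wp15="http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing">'
    '<w:body><w:p><w:r><w:t>Watch this</w:t></w:r></w:p>'
    '<wp15:webVideoPr embeddedHtml="&lt;iframe src=&quot;https://video.example/embed/'
    'placeholder&quot;&gt;&lt;/iframe&gt;" h="360" w="640"/>'
    '</w:body></w:document>'
)


def build_sample_docx(with_video: bool) -> bytes:
    """Build a minimal .docx package (a zip) in memory from the constructed XML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", _CONTENT_TYPES)
        zf.writestr("word/document.xml", _DOC_WITH_VIDEO if with_video else _DOC_PLAIN)
    return buf.getvalue()


def _local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def scan_docx(data: bytes) -> dict:
    """Report embedded online-video frames in a .docx and what their HTML references.

    Verdicts: 'allow' (no video frame), 'block' (at least one video frame,
    the policy recommended in the article), 'not-a-docx' (unreadable package).
    """
    report = {"is_docx": False, "video_count": 0, "embeds": [], "verdict": "allow"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        # Check every XML part under word/ (body, headers, footers), not just document.xml.
        parts = [n for n in zf.namelist() if n.startswith("word/") and n.endswith(".xml")]
        if "word/document.xml" not in parts:
            raise KeyError("word/document.xml")
    except (zipfile.BadZipFile, KeyError):
        report["verdict"] = "not-a-docx"
        return report
    report["is_docx"] = True
    for name in parts:
        root = ET.fromstring(zf.read(name))
        for el in root.iter():
            if _local_name(el.tag) != "webVideoPr":
                continue
            html = el.get("embeddedHtml", "")  # ElementTree already unescapes &lt; etc.
            report["video_count"] += 1
            report["embeds"].append({
                "part": name,
                "urls": re.findall(r'https?://[^\s"\'<>]+', html),
                "has_script": bool(re.search(r"<\s*script\b", html, re.I)),
            })
    if report["video_count"]:
        report["verdict"] = "block"
    return report


if __name__ == "__main__":
    for label, blob in (("plain", build_sample_docx(False)),
                        ("video", build_sample_docx(True))):
        print(label, scan_docx(blob))
```

The verdict is deliberately blunt: the presence of a video frame is enough to block, because a gateway cannot safely evaluate what the embedded HTML will do once Word renders it. The `urls` and `has_script` fields exist so an analyst reviewing quarantined files can distinguish a legitimate training video from something that warrants a closer look, and a real deployment would feed them to threat intelligence as the list above suggests.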

Your users love videos. And because of the compelling, visceral and viral nature of videos, they’re going to be opening them. Threat actors know this, and they’re always working on new ways to hide malicious code inside videos. Is your enterprise security team ready to fight back?
