Security researchers from the Cisco Talos team discovered several malicious campaigns that use OpenDocument Text (ODT) files to spread malware that is usually blocked by antivirus solutions. It turned out that criminals distribute Trojans through ODT files.
The attacks target English-speaking and Arabic-speaking users. ODT files are ZIP archives that can contain text, images, and XML files, and they are handled by Microsoft Office and similar software (LibreOffice, Apache OpenOffice).
“By attacking known platforms, attackers increase their chances of gaining access to machines. And the use of the ODT file format shows that actors are happy to try out different mechanisms of infection, perhaps in an attempt to see if these documents have a higher rate of infection or are better at avoiding detection,” the Cisco Talos specialists report.
Some antivirus programs treat ODT files as ordinary archives and do not open them as documents, the way they do with Microsoft Office files. This allows criminals to deliver malware onto the target system.
“Some AV engines and sandboxes do not handle these file formats with the appropriate method so they become ‘missed’ in some instances. Whilst fewer people may avail of these pieces of software, the actor may have a higher success rate due to low detections. The potential for specifically targeted attacks can also increase with the use of lesser used file formats,” note the Cisco Talos researchers.
In one of the malicious campaigns targeting Microsoft Office users, cybercriminals embedded OLE (Object Linking and Embedding) objects in ODT documents. The OLE objects launched HTA files that downloaded the RevengeRAT and njRAT remote access trojans (RATs) from the popular Arabic file hosting service top4top[.]Net.
In the second campaign, criminals used ODT files to deliver the AZORult information-stealing malware. The infection chain involves an OLE object that downloads an executable disguised as Spotify (Spotify.exe), a binary packed with utilities such as Goliath, babelfor.NET, and 9rays. Once unpacked, it infects the system with the AZORult Trojan.
In the third campaign, hackers attacked users of OpenOffice and LibreOffice.
Cybercriminals used the “macro equivalent in Microsoft Office documents implemented in the open source software StarOffice Basic.”
StarOffice is outdated software; its latest version was released in 2008. However, OpenOffice.org was built on its code base, and Apache OpenOffice is the successor of that project.
According to the researchers, a malicious macro extracts and runs “plink443.exe”, which establishes an SSH connection. It is currently unclear why the attackers set up the SSH channel, because the attack uses a local network IP address.
Additionally, the researchers were unable to find out exactly which malware is being downloaded to the system in this case.
How to protect yourself from such an invasion?
Intrusion prevention systems are an effective way to detect this activity thanks to specific signatures present at the end of each command. In addition to intrusion prevention systems, it is advisable to deploy endpoint detection and response (EDR) tools.
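As an added defensive example (not code from the Cisco Talos report), the following Python script treats an ODT the way the article says some scanners fail to: it opens the ZIP container and inspects the manifest and content.xml for the three indicators the campaigns above rely on, embedded OLE objects, StarOffice Basic modules, and macros bound to document events such as dom:load (run on open). The sample document it builds is constructed in memory; the namespaces and the OLE media type are the standard ODF/LibreOffice conventions, not values taken from the page.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
OFFICE_NS = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
OLE_MEDIA_TYPE = "application/vnd.sun.star.oleobject"  # media type ODF writers give embedded OLE parts


def inspect_odt(data: bytes) -> dict:
    """Open an ODT as the ZIP it is and report OLE objects, Basic modules and event-bound macros."""
    findings = {"ole_objects": [], "basic_modules": [], "autorun_events": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # Any XML under Basic/ is StarOffice Basic source shipped inside the document.
        findings["basic_modules"] = [n for n in names if n.startswith("Basic/") and n.endswith(".xml")]
        # The manifest declares each part's media type, so OLE objects are found even if renamed.
        if "META-INF/manifest.xml" in names:
            for entry in ET.fromstring(z.read("META-INF/manifest.xml")).iter(f"{{{MANIFEST_NS}}}file-entry"):
                if entry.get(f"{{{MANIFEST_NS}}}media-type") == OLE_MEDIA_TYPE:
                    findings["ole_objects"].append(entry.get(f"{{{MANIFEST_NS}}}full-path"))
        # office:event-listeners in content.xml bind a script URL to a document event.
        if "content.xml" in names:
            for ev in ET.fromstring(z.read("content.xml")).iter(f"{{{SCRIPT_NS}}}event-listener"):
                findings["autorun_events"].append((ev.get(f"{{{SCRIPT_NS}}}event-name"), ev.get(f"{{{XLINK_NS}}}href")))
    findings["suspicious"] = any(findings[k] for k in ("ole_objects", "basic_modules", "autorun_events"))
    return findings


def build_sample_odt(malicious: bool = True) -> bytes:
    """Constructed in-memory ODT (not a real sample): OLE part, Basic module and dom:load listener, or a bare document."""
    entries = ['<manifest:file-entry manifest:full-path="/" manifest:media-type="application/vnd.oasis.opendocument.text"/>']
    listener, parts = "", {}
    if malicious:
        entries.append(f'<manifest:file-entry manifest:full-path="Object 1" manifest:media-type="{OLE_MEDIA_TYPE}"/>')
        entries.append('<manifest:file-entry manifest:full-path="Basic/Standard/Module1.xml" manifest:media-type="text/xml"/>')
        listener = ('<script:event-listener script:event-name="dom:load" script:language="ooo:script" '
                    'xlink:href="vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document"/>')
        parts["Object 1"] = b"\xd0\xcf\x11\xe0 constructed OLE placeholder"  # not a real OLE stream
        parts["Basic/Standard/Module1.xml"] = "<!-- constructed placeholder, no real macro code -->"
    parts["META-INF/manifest.xml"] = f'<manifest:manifest xmlns:manifest="{MANIFEST_NS}">{"".join(entries)}</manifest:manifest>'
    parts["content.xml"] = (f'<office:document-content xmlns:office="{OFFICE_NS}" xmlns:script="{SCRIPT_NS}" '
                            f'xmlns:xlink="{XLINK_NS}"><office:scripts><office:event-listeners>{listener}'
                            '</office:event-listeners></office:scripts></office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

A document that is merely an archive of text and images produces no findings; one carrying an OLE part or a Basic module is flagged regardless of whether the scanner recognises the ODT extension.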