OpenDocument textual content information (.odt) malware marketing campaign found

Safety researchers at HP Wolf Safety managed to isolate a malware marketing campaign that used OpenDocument textual content information for distribution. This explicit marketing campaign was half of a bigger one which was focusing on the lodge business in a number of South American nations that included Brazil, Argentina, Chile, Peru, Columbia and Costa Rica.

picture credit score: HP Menace Analysis

What makes this explicit malware marketing campaign attention-grabbing is using OpenDocument textual content information within the assault. All main workplace functions, together with Microsoft Workplace, LibreOffice and Apache OpenOffice, assist the format, which makes it an excellent format to hold out assaults.

Since it’s much less generally utilized in malware assaults, it’s a file format that laptop customers could also be much less suspicious about. Emails with Workplace doc attachments, PDF paperwork and even executable information are generally used and customers could also be extra conscious of the potential hazard of those paperwork.

The risk actors referenced remotely hosted objects within the doc however didn’t embrace any macros; this was performed to evade detection, as antivirus engines might flag paperwork that make use of macros.

The researchers found the malware marketing campaign in late June and observed that the malicious OpenDocument paperwork weren’t picked up by any of VirusTotal’s antivirus engines within the first week of July.

Faux Reserving Request emails

The attackers used faux reserving requests in emails to get the eye of lodge workers. The malicious OpenDocument information had been connected to the emails and designed to seem like reputable requests. In a single electronic mail, the doc’s title urged that it was a reserving request.

The doc opened within the Workplace program that was set because the default file handler for the Workplace format when the consumer clicked on it. When the doc was loaded, an error message was displayed that prompted the consumer for motion. It displayed a cryptic message — This doc incorporates fields which will consult with different information. Do you wish to replace the fields on this doc? — with sure and no choices.

See also  New malware assault shops payloads within the Home windows occasion log

Deciding on “sure” opened an Excel spreadsheet on the system. The Excel spreadsheet included a macro. Most Workplace packages forestall the execution of macros by default, however give customers choices to allow the macro.

One other immediate was then proven within the spreadsheet software, as an illustration Microsoft Excel, that prompted the consumer to allow macros. The choice of “allow macros” triggered the an infection chain, which led to the an infection of the pc with the AsyncRAT payload.

Microsoft plans to dam macros in Workplace paperwork that come from the Web by default sooner or later and take away the “allow” immediate for these paperwork. Whereas customers should still allow macros for particular paperwork, doing so requires extra work and will forestall unintended execution of paperwork with macros for almost all of customers sooner or later.

The an infection chain

enable macros malware campaign
picture credit score: HP Menace Analysis

OpenDocument information usually are not used typically in malware campaigns. The doc that was used within the marketing campaign didn’t embrace any macros, hidden or not, when it was analyzed. HP safety researchers found that the doc was referencing Object Linking and Embedding (OLE) objects that had been hosted remotely. One of many analyzed paperwork referenced 20 remotely hosted objects.

The referenced objects had been downloaded from the referenced distant location when the consumer chosen the “sure” possibility after opening the documented that was connected to the e-mail. Downloads included Excel spreadsheets, which included macros. The consumer was then prompted by the Workplace software to allow macros or hold them disabled.

See also  Workplace Phishing Assault circumvents multi-factor authentication

The macro that’s a part of the Excel paperwork makes use of the mshta.exe software of Home windows to obtain and execute code from the Web. Issues begin to speed up from there as a “advanced chain of PowerShell, VBScript and batch scripts” was executed. Ultimately, the open supply distant entry trojan AsyncRAT was decoded and executed.

The malware creates a scheduled process in an try to make the an infection persistent. The duty is designed to launch the malware in two hour intervals.


Attackers are at all times attempting to find stealthy methods of delivering malware that evades endpoint safety. This marketing campaign illustrates how OpenDocument textual content information will be abused to ship malware by way of exterior OLE references with extraordinarily low detection charges.

Like most malware campaigns, this marketing campaign requires that victims turn out to be lively. The sufferer has to open the included file attachment and reply to 2 totally different prompts earlier than the precise malware is downloaded and executed on the system. Canceling or denying any of the prompts would cease the assault earlier than it actually begins.

It comes as a shock that emails from outdoors the group that include paperwork with attachments are nonetheless a viable assault vector in any case these years.

The usage of OpenDocument file codecs serves a number of functions. Staff could also be skilled to look out for sure file codecs in electronic mail attachments, however possible not .odt information or different OpenDocument information. The file itself incorporates no macros, which antivirus engines might discover and block mechanically or warn customers about.

See also  Microsoft shows adverts to some Workplace 2021 customers

The truth that no antivirus engine detected the OpenDocument file used within the marketing campaign as malicious for over per week confirms that the evasive methodology labored. HP safety researchers discovered a second marketing campaign in July that used a Microsoft Phrase doc as a substitute of an OpenDocument file as the e-mail attachment. Almost half of all antivirus engines on VirusTotal flagged the Microsoft Phrase doc.

Organizations might enhance their defenses in a number of methods. In addition to coaching workers and elevating consciousness, which solely goes that far, it’s new defensive choices that might be carried out to scale back the chance of an infection. The execution of attachments in digital environments might be a viable possibility, because it prevents the an infection of the underlying system if the executed doc is malicious.

House customers might use digital machines or sandboxing to launch file attachments and suspicious information with out working the chance of infecting the underlying working system. A program just like the free Sandboxie Plus could also be used to execute information in a sandboxed setting. Use of digital machines requires further steps, equivalent to launching the digital machine when it’s wanted, however present comparable protections.

Now You: do you open file attachments in emails?