In what may be a case of a malicious actor throwing different
attack vectors at the wall to see which one sticks, Cisco Talos
has found one group using OpenDocument files to slip past a computer's antivirus
protection.

Using Microsoft Office files as a launching point for an
attack is old hat, but now Cisco Talos believes attackers are trying out slightly
different formats that have a reputation for being overlooked by a computer’s
defenses. OpenDocument files (.odt) are associated with Apache OpenOffice and
LibreOffice.

“Whilst less people may avail of these pieces of software, the actor may have a higher success rate due to low detections. The potential for specifically targeted attacks can also increase with the use of lesser used file formats,” wrote researchers Warren Mercer and Paul Rascagneres.

Using .odt files this way is not common, the report showed, but if
it proves successful it could lead to more widespread use in the future.

In two of the attacks studied, one against English-language speakers and the other against Arabic speakers, the recipient had to open the document. At that point an object linking and embedding (OLE) object, a Microsoft technology for embedding and linking documents and other objects, deployed and executed an HTA file, which in turn led to a RAT being downloaded: NJRAT for the Arabic targets, and RevengeRAT in the English campaign.
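The detection gap exploited here is that an .odt is just a zip archive whose `META-INF/manifest.xml` declares every embedded part, so a scanner can triage a document for embedded OLE objects without rendering it. The following is an added example, not code from Cisco Talos or from the report; it assumes the OLE media type string that LibreOffice and OpenOffice write (`application/vnd.sun.star.oleobject`) and builds its own constructed sample documents.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
# Media types that mean "foreign binary object embedded in this document".
# Assumption: these are the values LibreOffice/OpenOffice write for OLE parts.
# Native ODF sub-documents (charts, formulas) use other media types and are not flagged.
OLE_MEDIA_TYPES = {
    "application/vnd.sun.star.oleobject",
    "application/octet-stream",
}


def find_embedded_objects(odt_bytes: bytes) -> list[tuple[str, str]]:
    """Return (full-path, media-type) pairs from the manifest that declare OLE/binary
    objects. A non-empty result is a triage signal, not proof of malice."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        if "META-INF/manifest.xml" not in zf.namelist():
            return findings  # not a well-formed ODF package; handle separately
        root = ET.fromstring(zf.read("META-INF/manifest.xml"))
        for entry in root.iter(f"{{{MANIFEST_NS}}}file-entry"):
            path = entry.get(f"{{{MANIFEST_NS}}}full-path", "")
            mtype = entry.get(f"{{{MANIFEST_NS}}}media-type", "")
            if mtype in OLE_MEDIA_TYPES:
                findings.append((path, mtype))
    return findings


def build_sample_odt(with_ole: bool) -> bytes:
    """Constructed sample (not a real malicious file): a minimal ODT package whose
    manifest optionally declares an embedded OLE object under 'Object 1/'."""
    entries = [
        '<manifest:file-entry manifest:full-path="/" manifest:media-type="application/vnd.oasis.opendocument.text"/>',
        '<manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>',
    ]
    if with_ole:
        entries.append('<manifest:file-entry manifest:full-path="Object 1/" manifest:media-type="application/vnd.sun.star.oleobject"/>')
    manifest = (f'<manifest:manifest xmlns:manifest="{MANIFEST_NS}">' + "".join(entries) + "</manifest:manifest>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("META-INF/manifest.xml", manifest)
        zf.writestr("content.xml", "<office:document-content/>")
        if with_ole:
            zf.writestr("Object 1/Ole-Object", b"placeholder-ole-bytes")  # constructed stand-in
    return buf.getvalue()
```

Run `find_embedded_objects` over mail-gateway attachments to route any .odt carrying OLE parts to sandbox detonation rather than straight to the user.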

The final stage has the AZORult information stealer being
injected into the machine.