Published on October 1st, 2019

Under-Detected ODT Files Deliver Common Remote Access Trojans

Security researchers noticed multiple cybercriminal operations using OpenDocument Text (ODT) files to distribute malware that is typically blocked by antivirus engines. The campaigns target English and Arabic-speaking users.

ODT files are archives that hold text, images, and embedded objects as XML-based files; they can be opened by Microsoft Office and by similar open-source suites (LibreOffice, OpenOffice).

Two RATs and an info-stealer

Some antivirus engines treat ODT files as plain archives rather than opening the document as a Microsoft Office file, which lets the malware be downloaded onto the target host undetected.

In one of the campaigns targeting Microsoft Office users, the cybercriminals embedded an OLE (Object Linking and Embedding) object in ODT documents to download well-known remote access trojans (RATs).

Researchers at Cisco Talos noticed that the OLE object launched an HTA (HTML Application) file that downloaded RevengeRAT and the underground's favorite, njRAT, from top4top[.]net, a popular Arabic file-hosting platform.

source: Cisco Talos

In a second campaign that the researchers found to use a malicious ODT file, the final payload launched on the target machine is the infamous AZORult info stealer.

The process involves an OLE object that drops an executable posing as a component of the Spotify music service. That executable carries another binary as a resource, one that "is a new binary packed with a multitude of different packers such as Goliath, babelfor.NET and 9rays." At the end of the unpacking, AZORult remains.

Old software macros

The third campaign leveraging ODT files was aimed at OpenOffice and LibreOffice users, and it used "the equivalent of macros in Microsoft Office documents in the StarOffice Basic open-source software," the researchers say in a blog post today.

StarOffice's days are long gone, as the last released version is from 2008, but its code was open-sourced to create OpenOffice.org, whose successor is Apache OpenOffice.

The researchers found that the malicious macro is used to retrieve and run "plink443.exe," which sets up an SSH connection. The purpose remains unclear, because a local network IP address is used both for this connection and for downloading another executable.
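As an added example (not from the article or from Cisco Talos), the following Python triage opens an ODT as the ZIP archive it is and flags the two components the campaigns above rely on: embedded OLE objects, which the OpenDocument manifest declares with the media type application/vnd.sun.star.oleobject, and StarOffice Basic macro modules stored under Basic/. The sample document it builds is constructed and benign; the manifest layout and media type are assumed from the OpenDocument format, not taken from the page.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
OLE_MEDIA_TYPE = "application/vnd.sun.star.oleobject"  # assumed from the ODF manifest spec


def triage_odt(data: bytes) -> dict:
    """Open an ODT as the ZIP archive it is and report embedded OLE objects
    and StarOffice Basic macro modules, the two lures the campaigns use."""
    findings = {"mimetype": None, "ole_objects": [], "basic_modules": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "mimetype" in names:
            findings["mimetype"] = zf.read("mimetype").decode("ascii", "replace")
        # Embedded objects are declared in META-INF/manifest.xml with a media type.
        if "META-INF/manifest.xml" in names:
            root = ET.fromstring(zf.read("META-INF/manifest.xml"))
            for entry in root.iter(f"{{{MANIFEST_NS}}}file-entry"):
                if entry.get(f"{{{MANIFEST_NS}}}media-type") == OLE_MEDIA_TYPE:
                    findings["ole_objects"].append(entry.get(f"{{{MANIFEST_NS}}}full-path"))
        # Basic macro modules are stored as Basic/<Library>/<Module>.xml.
        for name in sorted(names):
            if name.startswith("Basic/") and name.endswith(".xml") and name.count("/") == 2:
                findings["basic_modules"].append(name)
    findings["suspicious"] = bool(findings["ole_objects"] or findings["basic_modules"])
    return findings


def build_sample_odt(with_ole: bool, with_macro: bool) -> bytes:
    """Constructed, benign stand-in for an ODT: just enough structure to exercise triage."""
    buf = io.BytesIO()
    entries = ['<manifest:file-entry manifest:full-path="/" '
               'manifest:media-type="application/vnd.oasis.opendocument.text"/>']
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", "<document/>")
        if with_ole:
            # Placeholder bytes only; not a real OLE compound file.
            zf.writestr("Object 1", b"\xd0\xcf\x11\xe0 placeholder")
            entries.append('<manifest:file-entry manifest:full-path="Object 1" '
                           f'manifest:media-type="{OLE_MEDIA_TYPE}"/>')
        if with_macro:
            zf.writestr("Basic/Standard/Module1.xml", "<module/>")
        zf.writestr("META-INF/manifest.xml",
                    f'<manifest:manifest xmlns:manifest="{MANIFEST_NS}">'
                    + "".join(entries) + "</manifest:manifest>")
    return buf.getvalue()
```

Feeding real samples through triage_odt gives a mail gateway or sandbox a cheap first pass that does not depend on the scanner recognising the archive as an Office document.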

source: Cisco Talos

This, along with noted attempts to download multiple Metasploit payloads, suggests that the threat actor wanted to move laterally inside the network.

source: Cisco Talos

Alternatively, Warren Mercer and Paul Rascagneres of Cisco Talos say that this may have been a test or a pentest framework in action. A final payload could not be found.

The two researchers believe that the use of less popular file formats such as ODT may increase the potential of specifically targeted attacks. Cybercriminals can check public records of organizations that switched to open-source Office suites and choose their targets from there.

Although the researchers discovered only three campaigns leveraging the file format, more frequent use is possible in the future, because some antivirus products' poor handling of the format ensures a lower detection rate.
