Attackers have a new obfuscation technique that uses the OpenDocument file format for sneaking payloads past antivirus software.
Past macro-based attacks have relied on malware hitching a ride with .docx, .zip, .jar and many other file formats. But researchers at Cisco Talos said that because these attempts are nearly certain to be red flagged by endpoint protection, hackers are turning to the OpenDocument (ODT) format to avoid detection.
“The use of the ODT file format shows that actors are happy to try out different mechanisms of infection, perhaps in an attempt to see if… these documents have a higher rate of infection or are better at avoiding detection,” wrote Cisco Talos researchers Warren Mercer and Paul Rascagneres on Monday.
They said some AV engines and system sandboxes do not handle these ODT file formats with the appropriate method so they become “missed” in some instances.
“There have recently been multiple malware campaigns using this file type that are able to avoid antivirus detection, due to the fact that these engines view ODT files as standard archives and don’t apply the same rules it normally would for an Office document,” they wrote.
Mercer and Rascagneres said because of this, “an attacker can use ODT files to deliver malware that would normally get blocked by traditional antivirus software.”
In the documented cases where ODT files were used successfully in attacks the majority of the incidents involved Microsoft Office, while OpenOffice and LibreOffice were targeted to a lesser degree.
Example Cases
In one example highlighted by Cisco Talos, attackers used a malicious ODT file with an embedded Object Linking and Embedding (OLE) file. OLE files are used to embed or link documents together for sharing data across applications. Next, the ODT used the embedded OLE to trigger the HTML Application script (HTA) into action. The HTA script downloaded the remote administrative tool (RAT) called NJRAT.
The attack scenario did involve the recipient of the malicious email to double-click the attachment and grant the document permission to run, while alerting the user the “file type can be unsafe.”
Researchers also shared a second case study where the OLE object was similarly packed inside an ODT file and delivered malware. Like the previous example, user interaction is required.
“The OLE execution writes ‘Spotify.exe’ to the victim machine, which is clearly not the legitimate Spotify platform executable. This .NET binary deflates a new binary stored as a resource. The new PE is a new binary packed with a multitude of different packers such as Goliath, babelfor.NET and 9rays,” said researchers.
Once unpacked the final payload was the information stealer malware AZORult.
To a lesser extent OpenOffice and LibreOffice were also targeted. “In this case, the attackers used the equivalent of macros in Microsoft Office documents in the StarOffice Basic open-source software. StarOffice Basic’s code is located in the Basic/Standard/ repository inside the ODT archive,” researchers wrote.
In that case, researchers said the ODT document ultimately appeared to be designed to download Metasploit payloads.
What are the top cyber security issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free Threatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” Click here to register.
