In a case where a malicious actor may be throwing different attack vectors against a wall to see which sticks and works best, Cisco Talos has found one group using OpenDocument files to bypass a computer’s antivirus protection.
Using Microsoft Office files as a launching point for an attack is old hat, but now Cisco Talos believes attackers are trying out slightly different formats that have a reputation for being overlooked by a computer’s defenses. OpenDocument files (.odt) are associated with Apache OpenOffice and LibreOffice.
“Whilst less people may avail of these pieces of software, the actor may have a higher success rate due to low detections. The potential for specifically targeted attacks can also increase with the use of lesser used file formats,” wrote researchers Warren Mercer and Paul Rascagneres.
Using .odt files as a lure is not yet common, the report showed, but if the technique proves successful it could see more widespread use in the future.
In two of the attacks studied, one aimed at English speakers and the other at Arabic speakers, the recipient first had to open the document. At that point an object linking and embedding (OLE) object, a Microsoft technology for embedding and linking documents and other objects, was triggered and executed an HTA file, which in turn downloaded a remote access trojan (RAT): NJRAT for the Arabic-language targets and RevengeRAT in the English-language campaign.
In the final stage, the AZORult information stealer is injected into the machine.
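The chain above starts with an OLE object embedded in an OpenDocument package, so a defender's first triage question is simply whether an .odt carries one at all. The following is an added example, not code from Cisco Talos or the article: it inspects the ODF zip for two independent signals (a manifest entry declaring the OLE media type, and a draw:object-ole reference in content.xml) and builds a constructed in-memory sample to run against. The media type and element name are those used by LibreOffice/ODF as far as I know; treat them as assumptions and extend the list for your own corpus.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
DRAW_NS = "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
OLE_MEDIA_TYPE = "application/vnd.sun.star.oleobject"  # assumed media type for embedded OLE streams


def find_embedded_ole(odt_bytes):
    """Scan an ODF package (a zip) for embedded OLE objects.
    Returns a list of (path, signal) tuples; an empty list means nothing was found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        names = set(zf.namelist())
        if "META-INF/manifest.xml" in names:  # signal 1: manifest declares an OLE stream
            manifest = ET.fromstring(zf.read("META-INF/manifest.xml"))
            for entry in manifest.iter(f"{{{MANIFEST_NS}}}file-entry"):
                if entry.get(f"{{{MANIFEST_NS}}}media-type") == OLE_MEDIA_TYPE:
                    findings.append((entry.get(f"{{{MANIFEST_NS}}}full-path"), "manifest"))
        if "content.xml" in names:  # signal 2: the body references an OLE object
            content = ET.fromstring(zf.read("content.xml"))
            for obj in content.iter(f"{{{DRAW_NS}}}object-ole"):
                findings.append((obj.get(f"{{{XLINK_NS}}}href"), "draw:object-ole"))
    return findings


def build_sample_odt(with_ole):
    """Build a minimal constructed .odt in memory (not a document from the campaign)."""
    entries = ['<manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>']
    body = ""
    if with_ole:
        entries.append('<manifest:file-entry manifest:full-path="Object 1" '
                       f'manifest:media-type="{OLE_MEDIA_TYPE}"/>')
        body = '<draw:object-ole xlink:href="./Object 1"/>'
    manifest = (f'<manifest:manifest xmlns:manifest="{MANIFEST_NS}">'
                + "".join(entries) + "</manifest:manifest>")
    content = ('<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
               f'xmlns:draw="{DRAW_NS}" xmlns:xlink="{XLINK_NS}">{body}</office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("META-INF/manifest.xml", manifest)
        zf.writestr("content.xml", content)
        if with_ole:
            zf.writestr("Object 1", b"placeholder bytes standing in for an OLE stream")
    return buf.getvalue()
```

A hit on either signal is a reason to detonate the file in a sandbox or block it at the mail gateway, since ordinary text documents rarely need an embedded OLE object.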