Security researchers at HP Wolf Security have analyzed a malware campaign that used OpenDocument text files for distribution. The campaign was part of a larger operation that targeted the hospitality industry in several Latin American countries, including Brazil, Argentina, Chile, Peru, Colombia and Costa Rica.
What makes this campaign interesting is its use of OpenDocument text files. All major office suites, including Microsoft Office, LibreOffice and Apache OpenOffice, support the format, so a malicious .odt file opens in whatever suite the recipient has installed, which makes the format attractive to attackers.
Because the format is rarely used in malware attacks, users may be less suspicious of it. Emails with Office documents, PDF documents or even executable files attached are common in attacks, and users are more likely to be aware of the potential danger of those file types.
The threat actors referenced remotely hosted objects from the document but did not include any macros. Macros are a common detection trigger, so leaving them out of the attachment helps it evade antivirus engines that flag macro-bearing documents.
Researchers discovered the malware campaign in late June and noticed that the malicious OpenDocument documents were not detected by any of VirusTotal’s antivirus engines during the first week of July.
Fake booking request emails
The attackers used fake reservation requests in emails to get the attention of hotel employees. Malicious OpenDocument files were attached to emails and designed to look like legitimate requests. In an email, the title of the document suggested it was a booking request.
When clicked, the document opened in whichever office application was registered as the default handler for the .odt format. On loading, the application displayed a prompt asking the user to act: "This document contains fields that may refer to other files. Do you want to update the fields of this document?", with Yes and No options.
Selecting "yes" caused an Excel spreadsheet to open on the system. That spreadsheet contained a macro. Most office programs block macros from running by default but give the user an option to enable them.
A second prompt was then displayed by the spreadsheet application, for example Microsoft Excel, asking the user to enable macros. Selecting "enable macros" started the infection chain, which ended with the computer being infected with the AsyncRAT payload.
Microsoft plans to block macros in Office documents downloaded from the Internet by default and to remove the "enable" prompt for such documents. Users will still be able to enable macros for specific documents, but this requires extra steps and should keep most users from running macro-laden documents by accident.
The infection chain
OpenDocument files are rarely used in malware campaigns. The document used in this campaign contained no macros at all, hidden or otherwise. Instead, HP's researchers found that it referenced remotely hosted Object Linking and Embedding (OLE) objects; one of the analyzed documents referenced 20 remote objects.
Those objects were downloaded from the remote location when the user selected "yes" after opening the attachment. Among the downloads were Excel spreadsheets that contained macros, and the spreadsheet application then prompted the user either to enable the macros or to keep them disabled.
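The attachment's only hostile property is that its XML references objects outside the package, which is exactly what a scanner can look for. The following Python example is added here and is not code from HP Wolf Security or from the article: it walks every XML part of an ODF package (an .odt is a zip file) for xlink:href attributes that point at a URL scheme or UNC path rather than at an embedded part, and separately checks for the Basic/ and Scripts/ directories where ODF stores macros. The sample document it scans is constructed in memory; the hostnames use the reserved .invalid TLD and are placeholders, not indicators from the campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# URL schemes that make the office suite reach outside the local package.
REMOTE_SCHEMES = {"http", "https", "ftp", "file", "smb", "webdav", "webdavs"}


def is_remote(href: str) -> bool:
    """True if an xlink:href leaves the package (URL scheme or UNC path)."""
    scheme = urlsplit(href).scheme.lower()
    if scheme in REMOTE_SCHEMES:
        return True
    # \\server\share and //server/share are UNC paths to a remote host
    return href.startswith("\\\\") or href.startswith("//")


def local_tag(tag: str) -> str:
    """Strip the namespace from an ElementTree tag: '{ns}object' -> 'object'."""
    return tag.rsplit("}", 1)[-1]


def find_remote_refs(odt_bytes: bytes):
    """Walk every XML part of an ODF package and return (part, element, href)
    for each xlink:href that points outside the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".xml"):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                continue  # a damaged part deserves a look, but should not crash the scan
            for el in root.iter():
                href = el.get(XLINK_HREF)
                if href and is_remote(href):
                    hits.append((name, local_tag(el.tag), href))
    return hits


def has_macros(odt_bytes: bytes) -> bool:
    """ODF stores Basic macros under Basic/ and other scripts under Scripts/."""
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as pkg:
        return any(n.startswith(("Basic/", "Scripts/")) for n in pkg.namelist())


def build_sample_odt(remote_hrefs) -> bytes:
    """Construct a minimal .odt in memory (sample data, not a real campaign file):
    one legitimately embedded object plus one draw:object per remote href."""
    frame = ('<draw:frame><draw:object xlink:href="{}" xlink:type="simple" '
             'xlink:show="embed" xlink:actuate="onLoad"/></draw:frame>')
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
        'xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" '
        'xmlns:xlink="http://www.w3.org/1999/xlink">'
        '<office:body><office:text><text:p>Booking request</text:p>'
        + frame.format("./Object 1")
        + "".join(frame.format(h) for h in remote_hrefs)
        + '</office:text></office:body></office:document-content>'
    )
    manifest = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0">'
        '<manifest:file-entry manifest:full-path="/" manifest:media-type="application/vnd.oasis.opendocument.text"/>'
        '<manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>'
        '</manifest:manifest>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        # Per the ODF spec, "mimetype" is the first entry and is stored uncompressed.
        pkg.writestr(zipfile.ZipInfo("mimetype"), "application/vnd.oasis.opendocument.text")
        pkg.writestr("META-INF/manifest.xml", manifest, compress_type=zipfile.ZIP_DEFLATED)
        pkg.writestr("content.xml", content, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder hosts on the reserved .invalid TLD; not real infrastructure.
    sample = build_sample_odt([
        "http://example.invalid/booking.xlsx",
        "\\\\example.invalid\\share\\booking.xlsx",
    ])
    for part, element, href in find_remote_refs(sample):
        print(f"{part}: <{element}> -> {href}")
    print("macros present:", has_macros(sample))
```

A document that triggers the "update fields" prompt and carries any remote reference is worth quarantining at the mail gateway regardless of what the antivirus engines say, since the attachment itself contains nothing an engine would classify as malicious; the scanner deliberately ignores relative hrefs such as ./Object 1, which are how ODF links its own embedded parts.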
The macro in the Excel documents uses the Windows mshta.exe tool (Microsoft HTML Application Host) to download and run code from the Internet. From there a "complex chain of PowerShell, VBScript, and batch scripts" ran, at the end of which the open-source AsyncRAT remote access Trojan was decoded and executed.
The malware creates a scheduled task to persist on the system; the task launches the malware every two hours.
Attackers are always looking for stealthy ways to deliver malware that evades endpoint security. This campaign shows how OpenDocument text files can be abused to deliver malware through external OLE references with extremely low detection rates.
Like most malware campaigns, this one depends on user interaction. The victim must open the attachment and accept two separate prompts before the actual malware is downloaded and executed. Declining either prompt stops the attack before it starts.
It’s surprising that emails from outside the organization with document attachments are still a viable attack vector after all these years.
The choice of OpenDocument files serves several purposes. Employees may be trained to watch for certain file types in email attachments, but probably not for .odt or other OpenDocument files. And the file itself contains no macros, which antivirus engines might otherwise notice and block or warn about.
The fact that no antivirus engine detected the OpenDocument file used in the campaign as malicious for more than a week confirms that the evasive method worked. HP security researchers discovered a second campaign in July that used a Microsoft Word document instead of an OpenDocument file as an attachment. Nearly half of all antivirus engines on VirusTotal flagged the Microsoft Word document.
Organizations can improve their defenses in several ways. In addition to employee training and awareness, which only goes so far, there are defensive options that reduce the risk of infection. Opening attachments in virtual environments is one viable option, as it prevents infection of the underlying system if the opened document turns out to be malicious.
Home users can use virtual machines or sandboxing to launch suspicious attachments and files without running the risk of infecting the underlying operating system. A program like the free Sandboxie Plus can be used to run files in a sandboxed environment. Using virtual machines requires additional steps, such as launching the virtual machine when needed, but provides similar protections.
Now you: Do you open attachments in emails?