OpenDocument text files (.odt) malware campaign discovered
Security researchers at HP Wolf Security managed to isolate a malware campaign that used OpenDocument text files for distribution. This particular campaign was part of a larger one that was targeting the hotel industry in several South American countries, including Brazil, Argentina, Chile, Peru, Colombia and Costa Rica.
What makes this particular malware campaign interesting is the use of OpenDocument text files in the attack. All major office applications, including Microsoft Office, LibreOffice and Apache OpenOffice, support the format, which makes it an ideal format to carry out attacks.
Since it is less commonly used in malware attacks, it is a file format that computer users may be less suspicious about. Emails with Office document attachments, PDF documents or even executable files are commonly used and users may be more aware of the potential danger of these documents.
The threat actors referenced remotely hosted objects in the document but did not include any macros; this was done to evade detection, as antivirus engines may flag documents that make use of macros.
The researchers discovered the malware campaign in late June and noticed that the malicious OpenDocument documents were not picked up by any of VirusTotal's antivirus engines in the first week of July.
Fake Booking Request emails
The attackers used fake booking requests in emails to get the attention of hotel employees. The malicious OpenDocument files were attached to the emails and designed to look like legitimate requests. In one email, the document's title suggested that it was a booking request.
When the user clicked on the attachment, the document opened in whichever office program was set as the default handler for the format. Once loaded, an error message was displayed that prompted the user for action. It showed a cryptic message -- This document contains fields that may refer to other files. Do you want to update the fields in this document? -- with yes and no options.
Selecting "yes" opened an Excel spreadsheet on the system. The Excel spreadsheet included a macro. Most Office programs prevent the execution of macros by default, but give users options to enable the macro.
Another prompt was then shown in the spreadsheet application, for instance Microsoft Excel, that prompted the user to enable macros. The selection of "enable macros" triggered the infection chain, which led to the infection of the computer with the AsyncRAT payload.
Microsoft plans to block macros in Office documents that come from the Internet by default in the future and remove the "enable" prompt for these documents. While users may still enable macros for specific documents, doing so requires more work and should prevent accidental execution of documents with macros for the majority of users in the future.
The infection chain
OpenDocument files are not used often in malware campaigns. The document that was used in the campaign did not include any macros, hidden or not, when it was analyzed. HP security researchers discovered that the document was referencing Object Linking and Embedding (OLE) objects that were hosted remotely. One of the analyzed documents referenced 20 remotely hosted objects.
The referenced objects were downloaded from the remote location when the user selected the "yes" option after opening the document that was attached to the email. The downloads included Excel spreadsheets, which contained macros. The user was then prompted by the Office application to enable the macros or keep them disabled.
The macro that is part of the Excel documents uses the mshta.exe tool of Windows to download and execute code from the Internet. Things start to accelerate from there as a "complex chain of PowerShell, VBScript and batch scripts" was executed. In the end, the open source remote access trojan AsyncRAT was decoded and executed.
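The two traits described above, an .odt that carries no macros but points at remotely hosted OLE objects, can be checked statically before the file is ever opened. The following is an added triage example written for this page (not code from HP Wolf Security or from the campaign); it builds a constructed minimal .odt in memory, then unpacks the zip container, looks for draw:object elements whose xlink:href target is a remote URL, and checks for the Basic/ and Scripts/ entries where OpenDocument macros live.

```python
"""Static triage of an OpenDocument text file for externally hosted OLE object
references and bundled macros. Added example for this page, not the campaign's
or HP's code; the sample document below is constructed, not a real IoC."""
import io
import zipfile
import xml.etree.ElementTree as ET

DRAW = "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
XLINK = "http://www.w3.org/1999/xlink"
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "smb://", "file://", "\\\\")
MACRO_PREFIXES = ("Basic/", "Scripts/")  # where ODF stores Basic/script macros


def triage_odt(data: bytes) -> dict:
    """Return remote/local object references and whether macro containers exist."""
    remote, local = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        has_macros = any(n.startswith(MACRO_PREFIXES) for n in zf.namelist())
        root = ET.fromstring(zf.read("content.xml"))
    # draw:object / draw:object-ole carry the OLE link; xlink:href is the target
    for elem in root.iter():
        if elem.tag not in (f"{{{DRAW}}}object", f"{{{DRAW}}}object-ole"):
            continue
        href = elem.get(f"{{{XLINK}}}href", "")
        (remote if href.lower().startswith(REMOTE_SCHEMES) else local).append(href)
    return {"remote_refs": remote, "local_refs": local,
            "has_macros": has_macros, "suspicious": bool(remote)}


def build_sample_odt(hrefs) -> bytes:
    """Constructed minimal .odt (a zip) whose content.xml references the given targets."""
    frames = "".join(
        f'<draw:frame text:anchor-type="paragraph"><draw:object xlink:href="{h}" '
        f'xlink:type="simple" xlink:show="embed" xlink:actuate="onLoad"/></draw:frame>'
        for h in hrefs)
    content = ('<?xml version="1.0" encoding="UTF-8"?>'
               '<office:document-content '
               'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
               'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
               f'xmlns:draw="{DRAW}" xmlns:xlink="{XLINK}">'
               f'<office:body><office:text><text:p>{frames}</text:p></office:text>'
               '</office:body></office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    # one embedded object (benign) and one remote object (the campaign's trait)
    sample = build_sample_odt(["./Object 1", "https://example.invalid/o/1.xls"])
    print(triage_odt(sample))
```

A document that comes back with remote_refs populated is worth detonating in a sandbox rather than opening, regardless of whether has_macros is false.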
The malware creates a scheduled task in an attempt to make the infection persistent. The task is designed to launch the malware at two-hour intervals.
Attackers are always hunting for stealthy ways of delivering malware that evades endpoint security. This campaign illustrates how OpenDocument text files can be abused to deliver malware through external OLE references with extremely low detection rates.
Like most malware campaigns, this campaign requires that victims become active. The victim has to open the included file attachment and respond to two different prompts before the actual malware is downloaded and executed on the system. Canceling or denying any of the prompts would stop the attack before it really begins.
It comes as a surprise that emails from outside the organization that contain documents with attachments are still a viable attack vector after all these years.
The use of OpenDocument file formats serves several purposes. Employees may be trained to look out for certain file formats in email attachments, but likely not .odt files or other OpenDocument files. The file itself contains no macros, so there is nothing for antivirus engines to notice and block automatically or warn users about.
The fact that no antivirus engine detected the OpenDocument file used in the campaign as malicious for over a week confirms that the evasive method worked. HP security researchers found a second campaign in July that used a Microsoft Word document instead of an OpenDocument file as the email attachment. Nearly half of all antivirus engines on VirusTotal flagged the Microsoft Word document.
Organizations may improve their defenses in several ways. Besides training employees and raising awareness, which only goes so far, new defensive options could be implemented to reduce the risk of infection. Opening attachments in virtual environments could be a viable option, as it prevents the infection of the underlying system if the executed document is malicious.
Home users may use virtual machines or sandboxing to launch file attachments and suspicious files without running the risk of infecting the underlying operating system. A program like the free Sandboxie Plus may be used to execute files in a sandboxed environment. Use of virtual machines requires additional steps, such as launching the virtual machine when it is needed, but provides similar protection.
Now You: do you open file attachments in emails?
The ten embedded documents are a strike of genius.
Even if the well-behaved may say no at first, they’ll soon get annoyed or panic and—Whatever! Just make it go away!—accept /any/ request. Macros, or no macros.
I open on occasion, if I am expecting them.
I must do so manually as images, attachments and remote content are all blocked by default.
Am I misunderstanding something, or can this vulnerability be avoided by using an office suite *other* than Microsoft Office? It looks to me like you need to have Excel on board for the macro delivering the payload to successfully run. LibreOffice Calc and SoftMaker PlanMaker can load Excel documents, but I’m pretty sure they can’t run Excel macros.
Yes, LibreOffice, rather than being the “cause” of this problem (which it clearly is not), is actually a good solution to it.
Use dangerzone: https://github.com/freedomofpress/dangerzone
Genius idea! Thanks for the tip :)
On Windows via the host firewall, block all in/out connections by default and allow only limited programs internet access. Then most all automated malware would fail to infect. Windows host firewall has a feature of processing block rules before allow rules. This stroke of genius allows for creative security design. But of course because this is Windows, third party dns control is necessary to protect your family from Microsoft’s spy network and its corrupt OS firewall bypass “feature”. Thus, the host firewall coupled with correctly set up tech such as dnscrypt-proxy or a pi-hole, along with a proper hardware firewall will keep your family a bit safer.
Remember folks if you use a VPN (which has a valid place in our corrupt world), you are not protected by your hardware firewall at all. A VPN is a direct, unprotected data pipe into your machine which must bypass your hardware firewall. Once understood, we realize the importance of a host firewall to protect the OS’ very soft, gullible innards. This VPN characteristic escapes the thoughts of even professional network admins, which I’ve schooled quite a few of over the years about interesting innards.
So after the firewall steps, foolproof execution control must be implemented as a 2nd phase to a secure box. Then limit your attack surface. This is a good start to secure computing. Articles like this one are the result of corps and folks being easy prey. Best not to be in that category.
As a general rule I don’t open email attachments; the only exception is if I arranged the attachment with a trusted source (i.e. asking a teacher to send me the PDF homework instructions).
If the email shows up out of the blue (even if it appears to be from someone legit) I’m automatically very suspicious.
That said, did this attack get patched yet? (I read the article but kinda skimmed through some parts.)