- HP Wolf Security uncovered an unusually stealthy malware campaign that used OpenDocument text (.odt) files to distribute malware targeting the hotel industry in Latin America.
- The hotels are sent fake booking requests with an attached document that appears to be a guest registration form.
- The researchers state that the document used in the campaign is poorly detected by anti-virus scanners, with a 0% detection rate on VirusTotal.
HP Wolf Security researchers recently announced in a blog post that they discovered a phishing campaign against hotels, particularly in Latin America. The scam uses OpenDocument text (.odt) files to distribute malware. The hotels are sent fake booking requests with an attached document that appears to be a guest registration form.
Poorly detected by anti-virus software
According to the researchers, the malicious document was sent as an email attachment. When the document is opened, a prompt asks whether fields with references to other files should be updated. If the victim clicks ‘Yes’ to this cryptic message, an Excel file opens. If the victim confirms again, another prompt asks whether macros should be enabled or disabled. When the user allows macros, the infection chain is activated, finally leading to the execution of the malware payload, AsyncRAT.

As per HP Wolf Security researchers, the document used in the campaign is poorly detected by anti-virus scanners, with a 0% detection rate on VirusTotal. Unlike other malicious documents, analysis of the OpenDocument file reveals no hidden macros. However, the document does reference Object Linking and Embedding (OLE) objects hosted remotely. When the remote object, which contains ten embedded Excel spreadsheets, is downloaded and opened, it asks the user whether macros should be activated. It is unclear what purpose is served by opening so many duplicate files.
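Because the document carries no macros, a scanner has to look at where its embedded objects point. The following added example (not code from HP Wolf Security or the article) shows one defensive check: it opens an .odt as the ZIP archive it is, parses content.xml, and reports object or section references whose xlink:href resolves to a remote location instead of a path inside the archive. The sample .odt and the URL example.invalid are constructed fixtures.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

DRAW = "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
TEXT = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# ODF elements whose xlink:href makes the office suite load another object/document.
LINKING_TAGS = {f"{{{DRAW}}}object", f"{{{DRAW}}}object-ole",
                f"{{{DRAW}}}image", f"{{{TEXT}}}section"}
# Prefixes that mean "fetch from elsewhere" rather than a path inside the archive.
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "smb://", "\\\\")


def external_object_refs(odt_bytes: bytes) -> list[str]:
    """Return hrefs of linked objects/sections that resolve outside the .odt archive.

    Embedded objects use relative paths such as './Object 1'; a URL scheme or a
    UNC prefix means the application will retrieve the content remotely.
    """
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        root = ET.fromstring(zf.read("content.xml"))
    found = []
    for elem in root.iter():
        href = elem.get(XLINK_HREF)
        if elem.tag in LINKING_TAGS and href and href.lower().startswith(REMOTE_PREFIXES):
            found.append(href)
    return found


def make_sample_odt(object_href: str) -> bytes:
    """Build a minimal constructed .odt with one draw:object (test fixture only)."""
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        f'xmlns:text="{TEXT}" xmlns:draw="{DRAW}" '
        'xmlns:xlink="http://www.w3.org/1999/xlink">'
        '<office:body><office:text><text:p>Guest registration</text:p>'
        f'<draw:frame><draw:object xlink:href="{object_href}" xlink:type="simple"/>'
        '</draw:frame></office:text></office:body></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # ODF requires 'mimetype' to be the first entry and stored uncompressed.
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    for href in ("./Object 1", "http://example.invalid/booking.xlsx"):
        print(href, "->", external_object_refs(make_sample_odt(href)))
```

A non-empty result is a strong triage signal for mail-gateway or sandbox pipelines, since legitimate guest forms rarely need to pull objects from the web.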
OpenDocument is an open, vendor-neutral file format supported by several popular office productivity suites, including Microsoft Word, LibreOffice Writer and Apache OpenOffice Writer, the latter two being among the most popular Microsoft Office alternatives. OpenDocument files are not usually used in phishing campaigns. Bad actors constantly look for stealthy ways of distributing malware that gets past endpoint security. This campaign shows how OpenDocument text files can be abused to deliver malware via external OLE references with extremely low detection rates. Documents received from outside an organization should always be treated with suspicion, especially if they try to load external content from the web.