Security researchers have recently identified attackers using OpenDocument text files (.odt) to target hotels in Latin America.
Less than two weeks before this was written, the malicious files used by the still-unidentified attackers had a detection score of 0 on VirusTotal, a service that scans submitted files with dozens of antivirus engines and reports how many of them flag the file.
Several characteristics of the campaign are unusual, and many questions about it remain unanswered.
In late June 2022, HP Wolf Security researchers identified a phishing campaign distributing OpenDocument text files. OpenDocument is an open, vendor-neutral file format supported by the most widely used productivity applications, including Microsoft Word, LibreOffice Writer and Apache OpenOffice Writer; the latter two are free alternatives to the Microsoft Office suite.
The files were emailed to hotels in Latin America, disguised as guest registration paperwork.
If the victim downloads and opens the file, the application warns that the document contains “fields containing references to other files” and asks whether to update them. If the victim accepts this “cryptic message,” an Excel file is opened, according to the researchers.
The infection chain proceeds once the victim enables macros, and ends with AsyncRAT, a remote access trojan (RAT), being installed on the victim’s machine. As a RAT, AsyncRAT lets threat actors remotely monitor and control infected endpoints.
The researchers describe this as a highly stealthy campaign, because analysis of the OpenDocument file itself reveals no hidden macros. Instead, the document references OLE objects that are hosted remotely.
When the document is downloaded and opened, it references roughly two dozen additional documents, each containing an embedded Excel spreadsheet that in turn asks the user to enable macros.
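The macro-free document described above can be triaged without opening it. An .odt file is a ZIP package whose body lives in content.xml, and linked objects appear there as xlink:href attributes on draw:object / draw:object-ole elements. The following is an added example written for this page, not code from the article or from HP Wolf Security: it constructs a minimal .odt in memory (the URLs and object names are made up) and flags any object reference that points at a remote scheme rather than a package-local path such as "./Object 1".

```python
"""Flag OpenDocument text files that reference externally hosted objects.

Added example for this page (not from the original article or HP Wolf
Security). The sample document below is constructed inline; all URLs and
object names in it are hypothetical.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Schemes that mean the object lives outside the package.
REMOTE_SCHEMES = {"http", "https", "ftp", "file", "smb", "webdav", "webdavs"}


def scan_odt(data: bytes) -> dict:
    """Inspect an .odt (as bytes) and classify every xlink:href in content.xml.

    Returns a dict with the declared mimetype, the package-local references,
    the remote references, and a 'suspicious' flag set when any reference
    uses a remote scheme.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        mimetype = None
        if "mimetype" in names:
            mimetype = zf.read("mimetype").decode("ascii", "replace").strip()
        if "content.xml" not in names:
            raise ValueError("not an ODF package: content.xml is missing")
        # Caveat: ElementTree is not hardened against entity-expansion
        # attacks; for untrusted input in production use defusedxml or cap
        # the size of content.xml before parsing.
        root = ET.fromstring(zf.read("content.xml"))

    local_refs, remote_refs = [], []
    for el in root.iter():
        href = el.get(XLINK_HREF)
        if href is None:
            continue
        scheme = urlsplit(href).scheme.lower()
        if scheme in REMOTE_SCHEMES:
            remote_refs.append(href)
        else:
            local_refs.append(href)

    return {
        "mimetype": mimetype,
        "local_refs": local_refs,
        "remote_refs": remote_refs,
        "suspicious": bool(remote_refs),
    }


def build_sample_odt(hrefs) -> bytes:
    """Construct a minimal .odt in memory with one OLE frame per href.

    Test fixture only; it is not a real malicious sample.
    """
    frames = "".join(
        '<draw:frame text:anchor-type="paragraph" svg:width="1cm" svg:height="1cm">'
        f'<draw:object-ole xlink:href="{h}" xlink:type="simple" '
        'xlink:show="embed" xlink:actuate="onLoad"/></draw:frame>'
        for h in hrefs
    )
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
        'xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" '
        'xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0" '
        'xmlns:xlink="http://www.w3.org/1999/xlink" office:version="1.2">'
        '<office:body><office:text><text:p>Guest registration</text:p>'
        f"{frames}</office:text></office:body></office:document-content>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # ODF requires 'mimetype' first and uncompressed.
        zf.writestr(zipfile.ZipInfo("mimetype"),
                    "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical hosts; a benign document would only carry "./Object N" paths.
    sample = build_sample_odt([
        "./Object 1",
        "https://example.invalid/forms/reg1.odt",
        "https://example.invalid/forms/reg2.odt",
    ])
    print(scan_odt(sample))
```

A legitimate registration form embeds its objects inside the package, so any remote reference is a strong signal on its own; a large number of near-identical remote references, like the two dozen the researchers observed, is stronger still.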
Why the attackers used “so many identical files” remains a mystery, and the researchers say the approach puzzles them.
HP Wolf Security concluded, “Documents that arrive from outside an organisation should always be treated with suspicion, especially if they try to load external content from the web.” Although this advice sounds simple, it is difficult to put into practice, particularly in industries where electronic documents are routinely exchanged between vendors and customers.