Bleeping Computer: Cisco Talos discovered three cybercrime campaigns against English and Arabic-speaking users to spread malware, leveraging OpenDocument Text (ODT) files
Cybercriminals are using OpenDocument Text (ODT) files to distribute malware that is typically blocked by antivirus engines. The campaigns target English- and Arabic-speaking users, Bleeping Computer reports. ODT files are archives that can hold text, images, and objects, such as XML-based files, and can be opened by Microsoft Office and similar open-source software (LibreOffice, OpenOffice). According to the cyber security experts, some antivirus engines treat ODT files as standard archives and do not open the document as a Microsoft Office file, allowing malware to be downloaded to the target host. These TTPs have been demonstrated in several campaigns. In one of them, aimed at Microsoft Office users, the cyber criminals embedded an OLE (Object Linking and Embedding) object in ODT documents to download well-known remote access trojans (RATs) such as RevengeRAT and njRAT.
The cyber security experts fear that ODT will be used more frequently in the future, due to some antivirus products’ poor handling
In a second campaign that cyber security researchers found to be using a malicious ODT file, the final malware launched on the target machine is the well-known AZORult info stealer. The process involves an OLE object that places an executable pretending to be for the Spotify music service. That executable carries a resource that “is a new binary packed with a multitude of different packers such as Goliath, babelfor.NET and 9rays.” Once unpacking is complete, AZORult remains.
A third campaign leveraging ODT files was aimed at OpenOffice and LibreOffice users, and it used “the equivalent of macros in Microsoft Office documents in the StarOffice Basic open-source software”, according to Cisco Talos.
Moreover, the file format may see more frequent use in the future, because some antivirus products handle it poorly, which ensures a lower detection rate.
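
Because an ODT file is a ZIP archive, a mail or file gateway can look inside it for the two kinds of active content these campaigns relied on: embedded OLE objects and StarOffice Basic macros. The following triage sketch is an added example, not code from Cisco Talos or Bleeping Computer; the function names are hypothetical and the sample documents (entry names `Object 1` and `Basic/Standard/Module1.xml`, placeholder contents) are constructed for the demonstration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound-file signature
ODT_MIME = b"application/vnd.oasis.opendocument.text"

def triage_odt(data: bytes) -> dict:
    """Open an ODT as the ZIP archive it is and flag active content inside it."""
    report = {"is_odt": False, "ole_objects": [], "basic_macros": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report  # not an archive at all
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            with archive.open(info) as entry:
                head = entry.read(64)
            if info.filename == "mimetype":
                report["is_odt"] = head.strip() == ODT_MIME
            elif head.startswith(OLE_MAGIC):
                # Embedded OLE object: check the content, not the entry name
                report["ole_objects"].append(info.filename)
            elif info.filename.startswith("Basic/"):
                # StarOffice Basic libraries and modules are stored under Basic/
                report["basic_macros"].append(info.filename)
    return report

def build_sample(with_ole: bool, with_macro: bool) -> bytes:
    """Constructed test document; entry names and contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", ODT_MIME)
        z.writestr("content.xml", "<office:document-content/>")
        if with_ole:
            z.writestr("Object 1", OLE_MAGIC + b"\x00" * 504)
        if with_macro:
            z.writestr("Basic/Standard/Module1.xml", "<script:module/>")
    return buf.getvalue()

if __name__ == "__main__":
    for label, doc in (("clean", build_sample(False, False)),
                       ("active", build_sample(True, True))):
        print(label, triage_odt(doc))
```

A hit is a reason to route the document to deeper analysis rather than a verdict, since legitimate documents also embed OLE objects and macros.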