ODT Files Used to Deliver Trojans and Infostealer

Delaware, USA – October 1, 2019 – Adversaries take advantage of the fact that many antivirus solutions do not carefully scan OpenDocument Text files. Security researchers at the Cisco Talos team have discovered the use of ODT files to spread malware in several campaigns targeting English and Arabic speaking users. The files used are archives that can store text, images, and XML files used by Microsoft Office and similar software (LibreOffice and Apache OpenOffice). Some anti-virus solutions perceive ODT files as standard archives and do not open a document allowing cybercriminals to infect targeted systems with malware. The first discovered campaign was targeted at Microsoft Office users and used the built-in OLE objects in ODT documents to launch an HTA file that downloaded RevengeRAT and njRAT from a popular Arabic file-hosting platform. During the next campaign, the attackers delivered AZORult infostealer, it was hidden in an executable feigning that it is the Spotify music service and containing AZORult as a resource that was packed with a multitude of different packers.

In the third known campaign, adversaries used ODT files to target OpenOffice and LibreOffice users leveraging the equivalent of macros in MS Office documents to deploy binary, which sets up SSH communication. Experts suggest that these malicious documents were used after the organization was compromised for lateral movement across the network.

Content available on Threat Detection Marketplace to detect the malware:
AZORult malware detected – https://tdm.socprime.com/tdm/info/2203/
AZORult stealer (Sysmon) – https://tdm.socprime.com/tdm/info/1380/
RevengeRAT tool in MITRE ATT&CK section: https://tdm.socprime.com/att-ck/
HWorm and NjRAT Rat/Backdoor (Sysmon) – https://tdm.socprime.com/tdm/info/1386/
CRIME CN CAMPAIGN NJRAT – https://tdm.socprime.com/tdm/info/1810/