Security experts recently discovered hackers on a particularly stealthy mission to compromise hotels in Latin America using OpenDocument text files.

Unknown hackers are using a seldom-seen phishing method that appears to be working well so far, with a VirusTotal detection rate for the malicious files used being zero less than two weeks ago.

The campaign itself has also raised a number of questions due to some unique features and characteristics that set it apart from others.

macro problem

Cybersecurity researchers at HP Wolf Security said that in late June 2022 they detected a phishing campaign distributing OpenDocument text files. OpenDocument is an open, vendor-neutral file format recognized by most productivity programs, such as Word, LibreOffice Writer, or Apache OpenOffice Writer, as one of the most popular Microsoft Office alternatives.

These files were distributed, via email, to hotels in Latin America and presented as guest registration documents.

If the victim downloads and runs the file, they will be prompted to "update fields with references to other files." The researchers describe the prompt as an "encrypted message" and say that if the victim confirms it, an Exel file is opened.

The Excel file will then prompt the user to enable macros, and this is where the real problem starts, as enabling macros triggers the chain of infection. As a result, the victim is installed with AsyncRAT, a remote access Trojan malware (Opens in a new tab). AsyncRAT is described as a RAT that allows threat actors to remotely monitor and control infected endpoints (opens in a new tab), over a secure and encrypted connection.

This campaign is particularly stealthy because OpenDocument analysis shows no hidden macros, the researchers say. But the document refers to Object Linking and Embedding (OLE) objects, hosted remotely.

The document was found to reference nearly two dozen other documents that, when downloaded and opened, contain embedded Excel spreadsheets, each requiring macros to run.

The researchers seem a bit confused by this approach, as the purpose of "so many duplicate files" remains unclear.

“Documents arriving from outside an organization should always be treated with suspicion, especially if they try to upload external content from the web, but in practice, this is not always easy advice to follow, especially in industries that rely on file sharing. electronic documents between suppliers and customers”, concluded HP Wolf Security.

Share This