Open Document Creates Twist In Maldoc Landscape (Sep 30, 2019)
Cisco Talos researchers have identified attackers attempting to evade antivirus software by changing the file format of their malicious documents. Because some antivirus products do not apply the same inspection rules to OpenDocument Text (ODT) files that they apply to standard Microsoft Office formats, a malicious ODT that is opened in a Microsoft Office application can slip past detection. Most attackers still build their maldocs in Microsoft Office formats, so the ODT variant may enjoy a higher success rate. In one observed campaign, the ODT document contained an embedded OLE object; user interaction was required to launch the object, which in turn executed two HTA scripts, and the English-language version of the campaign delivered RevengeRAT as the final payload.
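The point of the Talos finding is that an ODT is a ZIP container whose embedded OLE object leaves several independent traces (a manifest entry with an OLE media type, a draw:object-ole reference in content.xml, and a member that starts with the OLE2 compound-document magic), so a scanner that keys on file extension alone misses what a scanner that inspects the container would catch. The following is an added example written for this briefing, not code from Talos or from any product; it builds a minimal ODT in memory (constructed test data, not a real maldoc) and checks all three traces. The member name "Object 1" and the manifest media type follow typical LibreOffice naming and are assumptions for the sample, not indicators from the campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # compound-document header
ODT_MIMETYPE = b"application/vnd.oasis.opendocument.text"
MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"


def scan_odt(data: bytes) -> dict:
    """Inspect an ODT container for signs of an embedded OLE object.

    Checks three independent traces: manifest entries whose media type names an
    OLE object, draw:object-ole references in content.xml, and any zip member
    whose first bytes are the OLE2 magic (scanned regardless of member name).
    """
    findings = {"is_odt": False, "manifest_ole": [],
                "content_ole_refs": 0, "ole_members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "mimetype" in names and zf.read("mimetype").strip() == ODT_MIMETYPE:
            findings["is_odt"] = True
        if "META-INF/manifest.xml" in names:
            root = ET.fromstring(zf.read("META-INF/manifest.xml"))
            for entry in root.iter(f"{{{MANIFEST_NS}}}file-entry"):
                media_type = entry.get(f"{{{MANIFEST_NS}}}media-type", "")
                if "oleobject" in media_type:
                    findings["manifest_ole"].append(
                        entry.get(f"{{{MANIFEST_NS}}}full-path"))
        if "content.xml" in names:
            findings["content_ole_refs"] = zf.read("content.xml").count(
                b"<draw:object-ole")
        for name in names:
            if name.endswith("/"):
                continue  # directory entry, nothing to read
            with zf.open(name) as member:
                head = member.read(len(OLE2_MAGIC))
            if head == OLE2_MAGIC:
                findings["ole_members"].append(name)
    return findings


def is_suspicious(findings: dict) -> bool:
    """An ODT carrying any OLE trace deserves the scrutiny given to Office maldocs."""
    return bool(findings["manifest_ole"]
                or findings["content_ole_refs"]
                or findings["ole_members"])


def build_sample_odt(with_ole: bool) -> bytes:
    """Construct a minimal ODT in memory; with_ole adds a fake OLE2 member.

    The 'Object 1' name and OLE media type mimic LibreOffice conventions and are
    assumptions for this sample. The OLE payload is just a header plus zeros.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Per the ODF packaging rules the mimetype entry comes first, uncompressed.
        zf.writestr(zipfile.ZipInfo("mimetype"), ODT_MIMETYPE,
                    compress_type=zipfile.ZIP_STORED)
        entries = [
            '<manifest:file-entry manifest:full-path="/" '
            'manifest:media-type="application/vnd.oasis.opendocument.text"/>',
            '<manifest:file-entry manifest:full-path="content.xml" '
            'manifest:media-type="text/xml"/>',
        ]
        body = "<text:p>Quarterly report</text:p>"
        if with_ole:
            entries.append('<manifest:file-entry manifest:full-path="Object 1" '
                           'manifest:media-type="application/vnd.sun.star.oleobject"/>')
            body += '<draw:frame><draw:object-ole xlink:href="./Object 1"/></draw:frame>'
            zf.writestr("Object 1", OLE2_MAGIC + b"\x00" * 504)
        zf.writestr("META-INF/manifest.xml",
                    f'<manifest:manifest xmlns:manifest="{MANIFEST_NS}">'
                    + "".join(entries) + "</manifest:manifest>")
        zf.writestr("content.xml",
                    '<office:document-content '
                    'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
                    'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
                    'xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:draw:1.0" '
                    'xmlns:xlink="http://www.w3.org/1999/xlink">'
                    f"<office:body><office:text>{body}</office:text></office:body>"
                    "</office:document-content>")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        result = scan_odt(build_sample_odt(flag))
        print("with_ole=%s suspicious=%s %s" % (flag, is_suspicious(result), result))
```

The magic-byte pass is the one that matters operationally: an attacker controls the manifest and content.xml and can omit or mangle both, but the OLE2 header must be intact for the object to execute when the user double-clicks it. Gating this check on the container's mimetype rather than on a .odt extension also catches the case where the file is renamed to .docx or .zip.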
Recommendation: All employees should be educated on the risk of opening attachments from unknown senders. Anti-spam and antivirus protection should be deployed and kept up to date, and it should be verified that these products inspect ODT and other non-default document formats with the same rigor they apply to standard Office files. Any attachment sent by an unknown sender should be treated with the utmost scrutiny, left unopened, and reported to the appropriate personnel.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.