Attackers are now utilising a new obfuscation technique whereby an OpenDocument file is used to sneak payloads past antivirus software.
In a blog post, researchers from Cisco Talos explained that attackers are now using different file formats that previously had been overlooked by a computer’s defenses.
Researchers found that the OpenDocument Text (ODT) file format, used by some office suites, can be used to bypass antivirus detection.
The researchers identified several sandboxes that failed to analyse ODT documents. They explained that an ODT document is treated as an archive, so the sandbox never opens it as a Microsoft Office file. As a result, threat actors can deliver malware through ODT documents.
The researchers highlighted one case in which attackers used an ODT file with an embedded Object Linking and Embedding (OLE) object. The OLE object dropped an HTML Application (HTA) script, which in turn downloaded a remote administration tool. Of course, the victim would first have to grant the document permission to run.
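One way a defender can triage ODT files for the kind of embedded OLE object described above, as an added example that is not part of the original article or of Talos's research. It assumes the LibreOffice packaging conventions, which the article does not state: an ODT is a ZIP container, META-INF/manifest.xml lists every part's media type, embedded OLE objects carry the media type application/vnd.sun.star.oleobject and are stored as parts named "Object N".

```python
"""Triage an ODT package for embedded OLE objects (added defender example,
not code from the Talos post). Assumed LibreOffice conventions: an ODT is a
ZIP whose META-INF/manifest.xml lists each part's media type, and embedded
OLE objects are parts typed application/vnd.sun.star.oleobject."""
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
OLE_MEDIA_TYPE = "application/vnd.sun.star.oleobject"  # assumed media type


def find_ole_parts(odt_bytes: bytes) -> list[str]:
    """Return manifest paths of OLE objects embedded in an ODT.
    Raises ValueError if the data is not a ZIP container: an ODT is an
    archive, which is why a sandbox expecting an OLE2/OOXML file skips it."""
    if not zipfile.is_zipfile(io.BytesIO(odt_bytes)):
        raise ValueError("not a ZIP container, so not an ODT package")
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        root = ET.fromstring(zf.read("META-INF/manifest.xml"))
    hits = []
    for entry in root.iter(f"{{{MANIFEST_NS}}}file-entry"):
        media = entry.get(f"{{{MANIFEST_NS}}}media-type", "")
        path = entry.get(f"{{{MANIFEST_NS}}}full-path", "")
        # Flag by declared type, and also by the "Object N" part naming
        # convention in case the manifest media type was tampered with.
        if media == OLE_MEDIA_TYPE or path.startswith("Object "):
            hits.append(path)
    return hits


def build_sample_odt(with_ole: bool) -> bytes:
    """Construct a minimal ODT in memory (constructed sample, not a real document)."""
    entry = '<manifest:file-entry manifest:full-path="{}" manifest:media-type="{}"/>'
    parts = [entry.format("/", "application/vnd.oasis.opendocument.text"),
             entry.format("content.xml", "text/xml")]
    if with_ole:
        parts.append(entry.format("Object 1", OLE_MEDIA_TYPE))
    manifest = (f'<manifest:manifest xmlns:manifest="{MANIFEST_NS}">'
                + "".join(parts) + "</manifest:manifest>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("META-INF/manifest.xml", manifest)
        zf.writestr("content.xml", "<root/>")
        if with_ole:  # stand-in bytes for the embedded OLE compound file
            zf.writestr("Object 1", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()
```

Running `find_ole_parts` over a real sample returns the part paths to pull out for further analysis; an empty list means the manifest declares no OLE parts, not that the document is clean.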
Cisco Talos researchers Warren Mercer and Paul Rascagneres wrote: “The use of the ODT file format shows that actors are happy to try out different mechanisms of infection, perhaps in an attempt to see if these documents have a higher rate of infection or are better at avoiding detection.”
“As we point out, some AV engines and sandboxes do not handle these file formats with the appropriate method, so they become “missed” in some instances.
“Whilst fewer people may avail of these pieces of software, the actor may have a higher success rate due to low detections. The potential for specifically targeted attacks can also increase with the use of lesser-used file formats.”
The post #Privacy: Threat actors are now using OpenDocument files in attacks appeared first on PrivSec Report.