OpenDocument malware scams target hotels across the world

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

Security experts have recently discovered hackers on a particularly stealthy mission to compromise hotels in Latin America using OpenDocument text files.

The unknown hackers are using a rarely seen phishing method that seems to be working out well so far, with the detection rate on VirusTotal for the malicious files being used was zero less than two weeks ago.

The campaign itself has also raised a number of questions due to some unique features and traits that set it apart from others.

Macro trouble

Cybersecurity researchers from HP Wolf Security said that in late June 2022, they spotted a phishing campaign that distributed OpenDocument text files. OpenDocument is an open, vendor-neutral file format, recognized by the majority of productivity programs, such as Word, LibreOffice Writer, or Apache OpenOffice Writer as one of the most popular Microsoft Office alternatives.

These files were being distributed, via email, to hotels in Latin America, and were presented as guest registration documents. 

Should the victim download and run the file, they’d be prompted to “update fields with references to other files”. The researchers describe the prompt as a “cryptic message”, and say that if the victim confirms, an Exel file opens.

The Excel file will later ask the user to enable macros, and that’s where the real trouble starts, as allowing macros triggers the infection chain. As a result, the victim gets AsyncRAT installed - a remote access trojan malware. AsyncRAT is described as a RAT that allows threat actors remote monitoring and control over infected endpoints, through a secure, encrypted connection.

This campaign is particularly stealthy, as analysis of the OpenDocument shows no hidden macros, the researchers are saying. But the document does reference Object Linking and Embedding (OLE) objects, hosted remotely. 

The document was found referencing almost two dozen other documents which, when downloaded and opened, contain embedded Excel spreadsheets, each of which requests running macros. 

The researchers seem to be a bit baffled by this approach, as the purpose of “so many duplicate files” remains unclear. 

“Documents that arrive from outside an organization should always be treated with suspicion, especially if they try to load external content from the web – but in practice, this isn’t always straightforward advice to follow, especially in industries that rely on exchanging electronic documents between suppliers and clients,” concluded HP Wolf Security. 

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.