Cybercriminals Leverage File-Based Attacks to Infiltrate Critical Networks

According to Verizon’s 2022 Data Breach Investigations Report, office documents and emails remain proven ways for cybercriminals to deliver harmful payloads and gain access to organizations’ networks. Threat actors can conceal malicious code, malicious macros and unsafe hyperlinks within common file types and deliver them to victims via email or web applications, which gives them a foothold from which to propagate across the organization’s entire IT infrastructure.

That’s exactly what malware researchers from HP Wolf Security discovered when investigating recent cyberattacks on hotels in Latin America.

Malicious OpenDocument Malware Targets Hotels

The campaign started with the attackers sending victims a fake booking request email carrying a malicious attachment posing as a guest registration document. In this particular campaign, the threat actor abused the OpenDocument text format (.odt).

OpenDocument is an XML-based file format supported by widely used word processing suites, including the open source Apache OpenOffice and LibreOffice as well as Microsoft Office. Cybercriminals leverage this file format to distribute malware that evades endpoint security.

This variant is even more evasive than the macro malware commonly found in Microsoft Office files: it downloads the remote access Trojan (RAT) payload through object linking and embedding (OLE) objects rather than through a macro. Similar OLE-based techniques, such as CVE-2021-40444 and Follina, have also been observed abusing Microsoft Office documents.

Analyzing OpenDocument and AsyncRAT

The OPSWAT research team looked into the malicious email attachment and found a linked object, “webnar.info/internet/1.doc”, that downloads and runs a harmful Excel file.

Once the user opens the attachment and accepts the prompt to update fields that reference other files, the downloaded Excel file asks the user to enable macros. Enabling the macros triggers the infection chain.

As a result, the malware payload installs AsyncRAT, enabling hackers to remotely monitor and control the infected devices via a secure and encrypted connection.

Impacts of File-Borne Threats

Once the attacker gains control of infected devices, they can tunnel further into the network and compromise an organization’s servers and other critical infrastructure, jeopardizing the entire business’ operations. They can gain access to and steal sensitive personal information (PII, PHI, financial records) putting an organization at risk for regulatory compliance violations and fines. Financially motivated hackers can lock users out of their systems, sell the stolen data or hold it hostage via a ransomware attack.

How to Protect Your Organization Against This Highly Evasive Malware

There are many ways organizations can protect themselves against file-borne threats, from leveraging zero-trust technologies to enforcing stricter policies around permissible file types.

As of July 10, 2022, traditional AV engines used by malware scanning software were unable to detect this threat. Multiscanning technology combines multiple AV engines to increase detection rates and shorten the time to detect an outbreak. If the targeted organization relies on a single anti-malware program as its defense against cyberattacks, there is a high probability of compromise.

Another zero-trust technology that organizations can deploy is deep content disarm and reconstruction (CDR), which offers advanced protection against file-borne threats. As shown in the screenshot below, Deep CDR detects, sanitizes and neutralizes threats embedded in the file, including the harmful OLE object that delivered AsyncRAT in the campaign targeting Latin American hotels.

Deep CDR works by identifying the URLs in the XML files which point to the attacker’s servers and replacing them with a harmless hash fragment (#). When the user opens the attachment, the OLE object is unable to download and execute the RAT malware. The disarmed files no longer pose a threat to your corporate network.
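The URL rewrite described above, as an added illustration of the CDR idea (this is example code, not OPSWAT’s Deep CDR implementation): it walks the XML parts of an .odt package, replaces every xlink:href that points off-host with "#", and rebuilds the archive with the ODF "mimetype" entry intact. The sample document, its namespaces and the URL it links to are constructed here for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Register the namespaces the sample uses so ElementTree keeps the real prefixes when
# re-serialising (a production tool would register the full ODF set).
NS = {"office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
      "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
      "draw": "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0", "xlink": "http://www.w3.org/1999/xlink"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
HREF = "{%s}href" % NS["xlink"]
REMOTE = ("http://", "https://", "ftp://", "file://", "\\\\")  # link targets that leave the host

def neutralize_remote_links(odt_bytes: bytes) -> tuple[bytes, list[str]]:
    """Rewrite every xlink:href in the package's XML parts that points off-host to '#',
    so a linked OLE object or hyperlink cannot fetch anything. Returns (clean ODT, hits)."""
    hits, out = [], io.BytesIO()
    src = zipfile.ZipFile(io.BytesIO(odt_bytes))
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename.endswith(".xml"):
                root = ET.fromstring(data)
                for el in root.iter():
                    href = el.get(HREF)
                    if href and href.lower().startswith(REMOTE):
                        hits.append(href)
                        el.set(HREF, "#")
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            # ODF requires 'mimetype' to be the first entry and to be stored uncompressed
            comp = zipfile.ZIP_STORED if info.filename == "mimetype" else zipfile.ZIP_DEFLATED
            dst.writestr(info.filename, data, compress_type=comp)
    return out.getvalue(), hits

def read_part(odt_bytes: bytes, name: str) -> str:
    return zipfile.ZipFile(io.BytesIO(odt_bytes)).read(name).decode("utf-8")

def build_sample_odt(link_target: str) -> bytes:
    """Constructed sample, not the real lure: a minimal ODT with one linked OLE object."""
    content = ('<?xml version="1.0" encoding="UTF-8"?><office:document-content xmlns:office="%s" '
               'xmlns:text="%s" xmlns:draw="%s" xmlns:xlink="%s" office:version="1.2"><office:body>'
               '<office:text><text:p>Guest registration form</text:p><draw:frame draw:name="obj1">'
               '<draw:object-ole xlink:type="simple" xlink:href="%s"/></draw:frame><text:p>'
               '<text:a xlink:href="#Table1">internal link stays</text:a></text:p></office:text>'
               '</office:body></office:document-content>') % (NS["office"], NS["text"], NS["draw"], NS["xlink"], link_target)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text", compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", content, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()
```

Internal links such as bookmarks keep working because only hrefs with a remote scheme are rewritten.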

While the AsyncRAT malware campaign targeted hotels, which store and process PII for thousands of guests, just imagine what a similar campaign could do to critical infrastructure networks such as hospitals, government entities, emergency services and others. Malware and attack methodologies will always evolve, but protecting against file-borne threats with these zero-trust technologies and controls is an easy first step to reducing the attack surface and preventing attackers from propagating into an organization’s infrastructure.


George Prichici

George Prichici is the VP of Products at OPSWAT, leading the Application Security PLU. George’s background in technology spans over 15 years, in both product management and software engineering leadership positions. He’s a certified cloud solution architect and his focus and interest is in cybersecurity, cloud infrastructure, and machine learning.
