top of page

Hackers Increasingly Using RTF Template Injection Technique in Phishing Attacks


Cyber Security Home Repairs
Computer Repairs

Cyber Security Home Repairs
Cyber Security Home Repairs

Three different state-sponsored threat actors aligned with China, India, and Russia have been observed adopting a new method called RTF (aka Rich Text Format) template injection as part of their phishing campaigns to deliver malware to targeted systems.

"RTF template injection is a novel technique that is ideal for malicious phishing attachments because it is simple and allows threat actors to retrieve malicious content from a remote URL using an RTF file,


At the heart of the attack is an RTF file containing decoy content that can be manipulated to enable the retrieval of content, including malicious payloads, hosted at an external URL upon opening an RTF file. Specifically, it leverages the RTF template functionality to alter a document's formatting properties using a hex editor by specifying a URL resource instead of an accessible file resource destination from which a remote payload may be retrieved.



Internet Security Repairs
Internet Security Repairs

Put differently, the idea is that attackers can send malicious Microsoft Word documents to targeted victims that appear entirely innocuous but are designed to load malicious code via the template feature remotely.

Thus when an altered RTF file is opened via Microsoft Word, the application will proceed to download the resource from the specified URL prior to displaying the lure content of the file. It's therefore not surprising that the technique is being increasingly weaponized by threat actors to distribute malware.



Internet Security Repairs
Internet Security Repairs

Proofpoint said it observed Template injection RTF files linked to the APT groups DoNot Team, Gamaredon, and a Chinese-related APT actor dubbed TA423 as early as February 2021, with the adversaries utilizing the files to target entities in Pakistan, Sri Lanka, Ukraine, and those operating in the deep water energy exploration sector in Malaysia via defense-themed and other country-specific lures.


Windows systems for geopolitical gains.

"The innovation by threat actors to bring this method to a new file type in RTFs represents an expanding surface area of threat for organizations worldwide," the researchers said. "While this method currently is used by a limited number of APT actors with a range of sophistication, the technique's effectiveness combined with its ease of use is likely to drive its adoption further across the threat landscape."

Comments


bottom of page