State-sponsored hacking groups, also known as Advanced Persistent Threats (APTs), this year adopted a new attack technique called “RTF template injection”, which adds a new twist to their attacks and makes them harder to identify and stop.
In a report published today, e-mail security company Proofpoint said that APTs from China, Russia and India are already taking advantage of this technique, which it also expects to be adopted by financially motivated threat actors.
What is RTF template injection?
RTF template injection is not a new attack in itself, but a variation of the classic template injection attack that has been known for years, which is why it is already included in the MITRE ATT&CK framework.
The technique revolves around a feature of Microsoft Office that lets users create a document from a predefined template. These templates can be stored locally or downloaded from a remote server, and it is the remote variant that attacks known as “remote template injection” abuse.
The idea is that attackers send Office files, such as DOC, XLS or PPT, to unsuspecting victims and then load malicious code through the template feature when the Office application needs to render the content.
Template injection attacks have been occurring for years, but there was an increase in 2020, when “remote template injection” became a popular technique among some APT groups.
All of these attacks, however, took advantage of Office files, especially Word documents. The new variation is that instead of using Word or other Office files, Proofpoint says threat actors have now started launching these attacks with Windows RTF (Rich Text Format) files, which also support loading a template stored at a remote URL.
According to Proofpoint, threat actors compose RTF files with lures that may be of interest to their targets, create a template containing malicious code that runs malware, and edit the RTF files to load the template when the file is opened. These documents are then sent to the victims in spear-phishing attacks, in the hope that the victims will open them.
Although users must click a button that says “Enable editing” or “Enable content”, a well-known security warning that blocks the automatic execution of the template’s malicious code, this feature has not been effective in blocking Office attacks for years, as most users can be tricked into clicking the buttons with some clever document designs.
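As an added example (not part of Proofpoint’s report or of this article), the following Python scanner flags RTF files whose template destination points at a remote location, which is the tell-tale of the technique described above. It relies on the `{\*\template ...}` control word defined in the RTF specification and decodes RTF’s standard `\'hh` hex escapes so an escaped URL is still recovered; the sample files, URLs and paths are constructed.

```python
import re
from typing import Dict, List

# Constructed sample RTF files (not real lures). The {\*\template ...} destination
# is the RTF control word through which a document names its template.
SAMPLE_REMOTE = (rb"{\rtf1\ansi{\*\template http://example.invalid/t.dotm}"
                 rb"{\fonttbl{\f0 Arial;}}\f0 Quarterly report\par}")
SAMPLE_LOCAL = rb"{\rtf1\ansi{\*\template C:\\Users\\a\\Normal.dotm}\f0 Hello\par}"
# Same kind of remote target, but "http://" written as RTF \'hh hex escapes
SAMPLE_HEX = (rb"{\rtf1\ansi{\*\template \'68\'74\'74\'70\'3a\'2f\'2f"
              rb"example.invalid/h.dotm}\f0 Hello\par}")

# Captures the destination text of every {\*\template ...} group.
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\b(.*?)\}", re.S)
# RTF tokens inside the destination: \'hh hex byte, escaped \\ \{ \},
# control words (which carry no text here), and bare grouping braces.
TOKEN_RE = re.compile(rb"\\'([0-9a-fA-F]{2})|\\([\\{}])|\\[a-zA-Z]+-?\d* ?|[{}]")
# Anything fetched over HTTP(S), FTP or a UNC/network path counts as remote.
REMOTE_RE = re.compile(r"^(https?://|ftp://|\\\\|//)", re.I)


def _decode_token(m: "re.Match[bytes]") -> bytes:
    if m.group(1):                       # \'hh -> the raw byte it encodes
        return bytes([int(m.group(1), 16)])
    if m.group(2):                       # \\ \{ \} -> the literal character
        return m.group(2)
    return b""                           # control word or brace: no text


def decode_rtf_text(raw: bytes) -> str:
    """Reduce an RTF destination's content to the plain text it encodes."""
    return TOKEN_RE.sub(_decode_token, raw).decode("latin-1").strip()


def find_template_targets(rtf: bytes) -> List[str]:
    return [decode_rtf_text(m.group(1)) for m in TEMPLATE_RE.finditer(rtf)]


def is_remote_template(target: str) -> bool:
    return bool(REMOTE_RE.match(target))


def scan_rtf(rtf: bytes) -> Dict[str, object]:
    """Report template destinations and whether any of them is remote
    (the behaviour ATT&CK catalogues as Template Injection, T1221)."""
    targets = find_template_targets(rtf)
    remote = [t for t in targets if is_remote_template(t)]
    return {"targets": targets, "remote": remote, "suspicious": bool(remote)}


if __name__ == "__main__":
    for name, data in [("remote", SAMPLE_REMOTE), ("local", SAMPLE_LOCAL),
                       ("hex", SAMPLE_HEX)]:
        print(name, scan_rtf(data))
```

A local template path such as the default Normal.dotm is expected in legitimate documents, so only the remote case is reported as suspicious.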
APTs using this technique: TA423, Gamaredon and DoNoT
As for those who use this technique, Proofpoint has identified three state-sponsored groups: TA423 (China), Gamaredon (Russia) and DoNoT (India).
The first to use this technique were DoNoT and TA423, which started using RTF documents with malicious templates as early as March this year, when DoNoT registered its first domains, before launching its first attacks a month later.
Follow-up DoNoT attacks using RTF template injection were seen until July, while TA423 attacks were last seen at the end of September, when the group targeted Malaysian energy companies connected to deepwater energy research.
Gamaredon, a group recently exposed by Ukraine as being controlled by the Russian intelligence service FSB, is the latest APT to adopt this technique, notably in an October campaign that used RTF files built to look like Ukrainian government documents.
Concluding its report on this new technique, Proofpoint believes that the effectiveness of Office remote template injection attacks in recent years suggests that RTF remote template injection attacks are here to stay.
“While this method is currently used by a limited number of APT players with a range of sophistication, the effectiveness of the technique combined with its ease of use may propel its adoption even further across the threat landscape,” said Proofpoint researchers, suggesting that apart from other APT groups, financially motivated threat actors, such as botnet and ransomware groups, could also abuse it.
“This established drip pattern may be accelerated in this case based on the minimum effort required to arm RTF files before deployment in active phishing campaigns,” said Michael Raggi of Proofpoint.