New RTF Template Inject technique used by APT groups in recent attacks

Nation-state actors from China, India, and Russia, were spotted using a novel RTF template injection technique in recent attacks.

APT groups from China, India, and Russia have used a new RTF (rich text format) template injection technique in recent phishing attacks.

The technique was first reported by the security firm Proofpoint spotted which observed phishing campaigns using the weaponized RTF template injection since March 2021. The experts believe that nation-state actors will continue to use the technique in future campaigns.

The RTF template injection technique abuses legitimate RTF template functionality to subvert the plain text document formatting properties of the file and retrieve a malicious payload from a remote server instead of a file resource via an RTF’s template control word capability. The feature used by attackers allow to load an RTF template from a specific URL resource instead of a local file resource. Threat actors simply replace a legitimate file destination with a malicious download link. 

Experts pointed out that the technique has a lower detection rate by public antivirus engines when compared to the Office-based template injection technique.

“Proofpoint has identified distinct phishing campaigns utilizing the technique which have been attributed to a diverse set of APT threat actors in the wild. While this technique appears to be making the rounds among APT actors in several nations, Proofpoint assesses with moderate confidence, based on the recent rise in its usage and the triviality of its implementation, that it could soon be adopted by cybercriminals as well.” reads the analysis published by ProofPoint.

“By altering an RTF file’s document formatting properties, specifically the document formatting control word for “\*\template” structure, actors can weaponize an RTF file to retrieve remote content by specifying a URL resource instead of an accessible file resource destination.”

In the attacks observed by the researchers, threat actors used Unicode signed character notation to obfuscate the URL value included in the RTF file. The trick was used in the attempt to evade static detection signatures in anti-virus engines.

The attack also works when in the case of .doc.rtf files that are opened utilizing Microsoft Word. When an RTF Remote Template Injection file is opened with MS Word, the application will retrieve the resource from the specified URL before displaying the content of the file. 

Proofpoint reported it observed the technique was used by DoNot Team, Gamaredon, and a TA423 APT groups.

“The viability of XML Office based remote template documents has proven that this type of delivery mechanism is a durable and effective method when paired with phishing as an initial delivery vector. The innovation by threat actors to bring this method to a new file type in RTFs represents an expanding surface area of threat for organizations worldwide.” concludes the report. “While this method currently is used by a limited number of APT actors with a range of sophistication, the technique’s effectiveness combined with its ease of use is likely to drive its adoption further across the threat landscape.”

Proofpoint shared YARA signatures for the attacks using this technique.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, RTF template injection)

[adrotate banner=”5″]

[adrotate banner=”13″]