State-backed hackers increasingly use RTF template injection for phishing

mood · Dec 6, 2021

December 1, 2021

Three APT hacking groups from India, Russia, and China, were observed using a novel RTF (rich text format) template injection technique in their recent phishing campaigns.

This technique is a simple yet effective method to retrieve malicious content from a remote URL, and threat analysts expect it to reach a wider audience of threat actors soon.
Researchers at Proofpoint spotted the first cases of weaponized RTF template injection in March 2021, and since then, actors have been steadily optimizing the technique.
Click to expand...

A simple method to fetch payloads
When creating RTF files, you can include an RTF Template that specifies how the text in the document should be formatted. These templates are local files imported into an RTF viewer before displaying the contents of the file to format it correctly.

While RTF Templates are meant to be hosted locally, threat actors are now abusing this legitimate functionality to retrieve a URL resource instead of a local file resource.
Click to expand...

Proofpoint has observed this payload retrieval method on phishing campaigns by the pro-Indian hacking group DoNot Team, the Russia-linked Gamaredon hacking group, and the TA423 threat actors.

A timeline of the observed activities is shown below.
Click to expand...

Proofpoint: Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors

Key Takeaways

RTF template injection is a novel technique that is ideal for malicious phishing attachments because it is simple and allows threat actors to retrieve malicious content from a remote URL using an RTF file.

Proofpoint has observed three APT actors from India, Russia, and China using this technique in 2021, targeting a variety of entities likely of interest to their respective states.

RTF template injection is poised for wider adoption in the threat landscape including among cybercriminals based on its ease of use and relative effectiveness when compared with other phishing attachment template injection-based techniques.

Click to expand...

Rasheed187 · Dec 4, 2021

And what about if you simply block MS Word or any other document reader from making outbound connections, will this attack still work?

Bellmu · Dec 5, 2021

In what ways should individuals and businesses protect against this new method of attack?

RYT · Dec 5, 2021

How about blocking .rtf attachments alltogether unless there is a valid business reason and users could request the attachment to be released from quarantine and IT admins could analyze the file before releasing.
I am wondering how EOP fairs with these method of attack.

Alternatively there are other mitigating factors / tools:
1. Tools like Second Change (from Know4before) can stop users from going to dodgy links as a warning pops up showing the actual link where the user will be taken and asking them if they want to continue.
2. IDS / IPS software running on your network might catch that type of traffic and stop it
3. a good EDR tool can also prevent such attacks from executing
4. disabling macros and active content from Word

Log in or Sign up

State-backed hackers increasingly use RTF template injection for phishing

mood Updates Team

Rasheed187 Registered Member

Bellmu Registered Member

RYT Registered Member