A novel Rich Text Format (RTF) Template Injection technique is being used in phishing campaigns conducted by multiple nation-state hacking groups. Researchers at Proofpoint say they first identified this technique being used in March 2021 and its use has been steadily growing. The technique was initially used by the Indian APT group DoNot Team (APT-C-35), followed by the Chinese APT group TA423, then the Russian APT actor Gamaredon.
DoNot Team has been using the technique in attacks on companies in Pakistan and Sri Lanka, TA423 has targeted companies in the energy exploration sector in Malaysia, and Gamaredon has been targeting firms in Ukraine by impersonating the Ukrainian Ministry of Defense. The researchers expect the technique to be adopted by a much broader range of hacking groups over the coming weeks and months.
Template injection attacks have been conducted for years and proved popular in phishing campaigns in 2020. Previous Template injection attacks have involved Office template files, especially those used to create Word documents. Attacks exploiting Windows RTF templates have not previously been observed.
RTF files are documents that can be opened using a wide range of text editors, including Notepad, WordPad, and Microsoft Word. When the files are created it is possible to use an RTF template that dictates how the text is formatted in documents. While RTF files are meant to be stored locally, it is possible to format the content of files using a template stored on a remote URL.
With the RTF Template Injection attacks, instead of retrieving a local resource, a template is used on an attacker-controlled URL. When a file is opened, content is loaded from the remote URL which contains malicious code that is used to execute malware.
Loading malicious content from a remote RTF Template. Source: Proofpoint
Documents are sent to targets in phishing emails using a variety of lures, and since the attached files do not contain any malicious code, it is possible they will not be identified as malicious by email security solutions. The malicious content is only loaded when the files are opened. This approach will most likely be used in attacks that deliver malware, but it is also possible to use this technique to perform NTLM authentication against a remote URL to steal Windows credentials.
If users attempt to open the attached files using Microsoft Word, they will be required to ‘Enable Editing’ or ‘Enable Content.’ While security-conscious individuals may know not to enable content in emailed documents from unknown senders, there are ways that users can be tricked into doing so. The advice offered by Proofpoint is never to open .RTF email attachments in unsolicited emails, to ensure that all file attachments are scanned using antivirus software before opening, and never to enable content in files unless you are 100% sure about the validity of the file.
“While this method currently is used by a limited number of APT actors with a range of sophistication, the technique’s effectiveness combined with its ease of use is likely to drive its adoption further across the threat landscape,” explained Proofpoint. “This well-established trickle-down pattern may be accelerated in this case based on the minimal effort needed to weaponize RTF attachments before deploying in active phishing campaigns.”