Hackers using Malicious RTF Injection Technique in Phishing Attacks

In Q2 and Q3 of 2021, the APT threat actors have gradually adopted a novel and easily implemented phishing attachment technique known as RTF template injection.

This sophisticated technique leverages the functionality of certain RTF templates. This technique is mainly exploited by the APT or State-Sponsored threat actors from the countries like:-

  • China
  • Russia
  • India

After APTs the financially-motivated threat actors will also adopt this stealthy technique. APTs exploit this technique due to its simplicity and effectiveness in retrieving any malicious content or payloads from a remote URL.

In March 2021, the first case of weaponized RTF template injection was spotted, and since then the operators of this stealthy technique have evolved this technique extensively.

Easy way to fetch payloads

RTF is a document format that is created by Microsoft that could be opened on all the available operating systems with the help of common apps and browsers. And the Template in RTF defines that how the document contents should be presented and formatted.

Here, to retrieve a URL resource instead of a local file resource the hackers are abusing the legitimate functionality since RTF Templates are hosted locally.

The exploitations of this legitimate functionality allow the hackers to do the following things to steal Windows credentials:-

  • Load malicious payloads into an app like Microsoft Word.
  • Perform NTLM authentication against a remote URL.

Using a hex editor anyone can create remote RTF Templates just by adding the {\*\template URL} command into an RTF file. And the most interesting thing about these attacks is, the hackers can exploit all the available Office files, and among them especially Word documents.

Hackers send all these malicious documents to victims using spear-phishing emails, once the victims open the documents the hackers start their malicious operations.

APT Groups Exploiting This Technique

Here below we have mentioned all the primary names of the APTs who are exploiting this technique:-

  • TA423 from China
  • Gamaredon from Russia
  • DoNoT from India

Among these groups, the first one who exploited this technique is the APT group from India, DoNoT from India, after that comes TA423 from China, and lastly exploited by Gamaredon from Russia.

Here’s what the security analysts at Proofpoint stated:-

“While this method currently is used by a limited number of APT actors with a range of sophistication, the technique’s effectiveness combined with its ease of use is likely to drive its adoption further across the threat landscape.”

The rapid increase in the adoption of this technique clearly indicates that how other APT groups, financially-motivated hackers, botnet, and ransomware groups could abuse this technique in the upcoming time.

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.