Dec 2, 2021

State-backed hackers increasingly use RTF injection for phishing

Three APT hacking groups from India, Russia, and China were observed using a novel RTF (rich text format) template injection technique in their recent phishing campaigns.
This technique is a simple yet effective method to retrieve malicious content from a remote URL, and threat analysts expect it to reach a wider audience of threat actors soon.
Researchers at Proofpoint spotted the first cases of weaponized RTF template injection in March 2021, and since then, actors have been steadily optimizing the technique.
Rich Text Format (RTF) is a document format created by Microsoft, and RTF files can be opened using Microsoft Word, WordPad, and other applications found on almost all operating systems.
When creating RTF files, you can include an RTF Template that specifies how the text in the document should be formatted. These templates are local files imported into an RTF viewer before displaying the contents of the file to format it correctly.
While RTF Templates are meant to be hosted locally, threat actors are now abusing this legitimate functionality to retrieve a URL resource instead of a local file resource.
This substitution allows threat actors to load malicious payloads into an application like Microsoft Word or perform NTLM authentication against a remote URL to steal Windows credentials. Furthermore, because the malicious content is delivered as a remote RTF Template, it is more apt to bypass detection of the phishing lure, since it is not initially present in the RTF file.
Creating remote RTF Templates is very simple, as all a threat actor has to do is add the {\*\template URL} control word into an RTF file using a hex editor, as shown below.
The method is also viable on doc.rtf files opened in Microsoft Word, forcing the app to retrieve the resource from the specified URL before serving the content to the victim, as shown below.
Proofpoint has observed this payload retrieval method on phishing campaigns by the pro-Indian hacking group DoNot Team, the Russia-linked Gamaredon hacking group, and the TA423 threat actors.
A timeline of the observed activities is shown below.
RTF files can parse 16-bit Unicode characters, so threat actors have been using Unicode instead of plaintext strings for the injected URL resource to evade detection.
However, in some samples retrieved from the DoNot Team campaigns, Proofpoint noticed a failure to pass Microsoft Word’s checks, resulting in an error message about the remote source being invalid.
Since these errors are generated before the decoy content is served to the target, the chances of success for DoNot’s phishing attempts drop significantly.
TA423, on the other hand, didn’t obfuscate the injected URLs, accepting a higher risk of detection and analysis in exchange for error-free loading in Microsoft Word.
Finally, in the case of Gamaredon, the researchers sampled RTF documents that impersonated Ukrainian government organizations to deliver an MP3 file as a remote resource.
As RTF Template injections are easily accomplished using a hex editing tool and are not as heavily detected by antivirus scanners, they stand to become more widely used by threat actors.
“The viability of XML Office based remote template documents has proven that this type of delivery mechanism is a durable and effective method when paired with phishing as an initial delivery vector,” explained Proofpoint in their report.
“While this method currently is used by a limited number of APT actors with a range of sophistication, the technique’s effectiveness combined with its ease of use is likely to drive its adoption further across the threat landscape.”
Furthermore, as the malicious content is retrieved from a remote URL, it allows the threat actors to dynamically modify their campaigns in real-time to use new payloads or different malicious behaviors.
To defend against this threat, you should avoid downloading and opening RTF files arriving via unsolicited emails, scan them with an AV scanner, and keep your Microsoft Office up to date by applying the latest available security updates.
Proofpoint also shared YARA signatures that admins can use to detect RTF files modified to include remote RTF Templates.
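As an added example (not Proofpoint's YARA signatures and not code from the original article), the following Python sketch shows the kind of check a defender can run over RTF attachments: it finds {\*\template ...} groups, resolves \uN and \'hh escapes so a Unicode-obfuscated URL becomes readable, and reports templates that point at a remote URL. The sample documents, the example.test host, and the assumption that obfuscation uses standard \uN escapes with the default single fallback character are constructed for illustration.

```python
import re

# Start of an RTF template destination group: {\*\template
TEMPLATE_RE = re.compile(rb"\{\s*\\\*\s*\\template\b")
# \uN escape: signed 16-bit decimal, optional delimiter space, then one fallback
# character (literal or \'hh). Assumes the default \uc1 fallback length.
UNICODE_RE = re.compile(r"\\u(-?\d+) ?(?:\\'[0-9a-fA-F]{2}|[^\\{}])?")
HEX_RE = re.compile(r"\\'([0-9a-fA-F]{2})")
REMOTE_RE = re.compile(r"^(?:https?|ftp|file)://", re.IGNORECASE)

# Constructed samples (not from any real campaign); example.test is a placeholder.
URL = "http://example.test/tpl.dotx"
PLAIN = rb"{\rtf1{\*\template " + URL.encode() + rb"}\pard decoy\par}"
OBFUSCATED = (rb"{\rtf1{\*\template "
              + "".join(f"\\u{ord(c) - 65536}?" for c in URL).encode()
              + rb"}\pard decoy\par}")
LOCAL = rb"{\rtf1{\*\template C:\\Templates\\report.dotx}\pard text\par}"


def decode_rtf_text(raw: str) -> str:
    """Resolve Unicode and hex escapes so an obfuscated target is readable."""
    def uni(m):
        n = int(m.group(1))
        return chr(n + 65536 if n < 0 else n)  # negative values wrap at 16 bits
    text = UNICODE_RE.sub(uni, raw)
    return HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), text)


def template_targets(data: bytes) -> list[str]:
    """Return the decoded target of every template group in the file."""
    targets = []
    for m in TEMPLATE_RE.finditer(data):
        end = data.find(b"}", m.end())
        if end == -1:
            continue  # truncated group, nothing to decode
        raw = data[m.end():end].decode("latin-1")
        targets.append(decode_rtf_text(raw).strip())
    return targets


def remote_templates(data: bytes) -> list[str]:
    """Keep only template targets that are URLs rather than local paths."""
    return [t for t in template_targets(data) if REMOTE_RE.search(t)]


if __name__ == "__main__":
    for name, doc in (("plain", PLAIN), ("obfuscated", OBFUSCATED), ("local", LOCAL)):
        print(name, remote_templates(doc))
```

A plain string search for "http" misses the obfuscated sample, which is why the escapes are decoded before the target is classified.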
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved