ORNA

RTF Injection Techniques Rise With APT Phishing Attacks

Back in the spring of 2007, I got my hands dirty with phishing attacks. Every year since its inception in the mid-1990s, phishing has prevailed as a popular attack vector among hackers of every hat.

Even in my day, it seemed to be one of the hottest trends on all the major hacking forums. Everybody was doing it because developing and launching the attack was so relatively simple and effective.

We passed the phishing tutorials around like trading cards. Everyone involved became proficient at creating believable illusions through our phishing attacks because, at the heart of the matter, that is what phishing is.

Decoy Web Pages

Phishing is the art of creating believable decoys designed to trick unsuspecting users into interacting with them. The decoy web pages look real because they are real. However, that doesn’t make them authentic, and that’s the difference.

Setting up the phishing page to look like the legitimate login page of a widely trusted website was a little cumbersome, but easy enough that anyone with no knowledge or experience could figure it out from the tutorials.

You saved the source code of the login page of the site you wanted to impersonate. Then, you tweaked the login form within the source code, to post the stolen credentials to a remote server with a little PHP coding.

Lastly, you found hosting for your newly created counterfeit page and obtained a domain name similar enough to the authentic web address. It was crucial that the page and malicious URL appeared as close to identical as possible to the real thing at first glance.

Nowadays, programs are available that can automate the entire process so that individuals who have minimal technical knowledge can generate phishing pages along with accompanying malicious URLs with only a few keystrokes.

However, phishing attacks aren’t only designed to capture user credentials. Since the malicious page is under the attacker’s control, threat actors can also use it as a delivery vector for malicious payloads, and that’s when things start to get interesting.

There’s a New Phishing Threat Growing

The new threat is a simple exploit of Rich Text Format (RTF) files associated with Microsoft Open XML, which allows threat actors to create or customize references in Office document templates. This, in turn, allows bad actors to camouflage malicious payloads and force authentication attempts.

Once the affected RTF document is executed, template properties can reference a file for retrieval from a third-party server. However, in this case, the legitimate Open XML files are manipulated in order to retrieve malicious payloads. Once the unsuspecting victim opens the affected RTF files, the file retrieval process is executed and downloads the malicious content.

In turn, the exploit allows threat actors to execute code behind protected networks because the legitimate Microsoft Word documents will not be flagged as malicious by antivirus definitions. They are trusted files. Therefore, they are not blocked by security systems.
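A defender can still inspect the template reference directly. The following is an added example, not code from this article or from Proofpoint: it assumes the reference sits in the RTF `\*\template` destination group and flags any target that is a URL or network share rather than a local file. The sample documents are constructed, and nested groups inside the target are not handled.

```python
import re

# The RTF template destination group: {\*\template <path or URL>}
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\b\s*((?:[^{}\\]|\\.)*)\}", re.S)
# RTF escapes that can hide a value: \uN (+ fallback char), \'hh, \\ \{ \}
ESCAPE_RE = re.compile(
    r"\\u(-?\d+) ?(?:\\'[0-9a-fA-F]{2}|[^\\])?|\\'([0-9a-fA-F]{2})|\\([\\{}])")
# Anything with a URL scheme, or a UNC path, points off the local machine.
REMOTE_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|\\\\)", re.I)


def _unescape(m):
    if m.group(1) is not None:                      # \uN unicode escape
        return chr(int(m.group(1)) % 65536)
    if m.group(2) is not None:                      # \'hh byte escape
        return bytes.fromhex(m.group(2)).decode("cp1252", "replace")
    return m.group(3)                               # escaped \ { or }


def template_targets(rtf: bytes) -> list[str]:
    """Return every template target in the file, with RTF escapes decoded."""
    return [ESCAPE_RE.sub(_unescape, raw.decode("latin-1")).strip()
            for raw in TEMPLATE_RE.findall(rtf)]


def remote_template_targets(rtf: bytes) -> list[str]:
    """Return only the targets that resolve to a URL or network share."""
    return [t for t in template_targets(rtf) if REMOTE_RE.match(t)]


# Constructed samples (not real malware): a local template and a remote one.
LOCAL_DOC = rb"{\rtf1\ansi{\*\template C:\\Templates\\Report.dotx}\pard Q3 report\par}"
REMOTE_DOC = rb"{\rtf1\ansi{\*\template https://templates.example.test/r.dotx}\pard Invoice\par}"

if __name__ == "__main__":
    for name, doc in (("local", LOCAL_DOC), ("remote", REMOTE_DOC)):
        hits = remote_template_targets(doc)
        print(name, "ALERT" if hits else "ok", hits)
```

Escapes are decoded before matching so that an encoded target is compared in its plain form; a mail gateway or triage script would run this over attachment bytes and quarantine on any hit.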

APT Groups Are Advancing With a New Technique

A report by researchers at Proofpoint showed that RTF template injection is a new technique being used by threat actors, one ideally suited to being coupled with phishing attacks as a malicious attachment.

The researchers said:

"[I]t is simple and allows threat actors to retrieve malicious content from a remote URL using an RTF file."

The report demonstrated that Proofpoint had observed three Advanced Persistent Threat (APT) groups this year originating from India, Russia, and China who have employed this technique. The hacking groups targeted various entities that would ostensibly be of relevant interest to these states.

APT groups such as DoNot Team, Gamaredon, and a Chinese-backed APT designated as TA423 have been using the exploit as far back as February 2021. Tracking the data, Proofpoint indicated that the attackers have been targeting entities in Pakistan, Sri Lanka, Ukraine, and systems connected to Malaysian marine energy exploration initiatives.

The DoNot Team is suspected of launching cyberattacks that appear beneficial to Indian-state interests. Furthermore, Ukraine's premier law enforcement and counterintelligence agency has exposed Gamaredon as having a close connection to the Russian Federal Security Service (FSB), calling it "an FSB special project, which specifically targeted Ukraine."

Furthermore, Ukrainian law enforcement revealed that the group appears to be highly motivated for launching attacks against public and private sector companies in the country, purportedly digging for classified information on vulnerable Microsoft Windows systems.

Proofpoint pointed out that the technique is growing among APT threat actors around the world, and due to its increased usage, it is likely that the technique will undergo widespread adoption by cybercriminals.

According to the analysis, RTF template injection files have a lower detection rate by commercial antivirus engines than the more familiar Office-based template injection technique.

Proofpoint researchers said:

"The innovation by threat actors to bring this method to a new file type in RTFs represents an expanding surface area of threat for organizations worldwide."

They also said that while this method is currently only being utilized by a limited number of APT threat actors, the technique is very effective because it is easy to deploy. Most importantly, they explained that these factors are "likely to drive its adoption further across the threat landscape."

An article by Jesse McGraw

Edited by Anne Caminer



