Three different state-sponsored threat actors aligned with China, India, and Russia have been observed adopting a new technique called RTF (aka Rich Text Format) template injection as part of their phishing campaigns to deliver malware to targeted systems.
"RTF template injection is a novel technique that is ideal for malicious phishing attachments because it is simple and allows threat actors to retrieve malicious content from a remote URL using an RTF file," Proofpoint researchers said in a new report shared with The Hacker News.
At the heart of the attack is an RTF file containing decoy content that can be altered to enable the retrieval of content, including malicious payloads, hosted at an external URL when the RTF file is opened. Specifically, it leverages the RTF template functionality to alter a document's formatting properties by specifying a URL resource instead of an accessible file resource destination from which a remote payload may be retrieved.
Put differently, attackers can send targeted victims malicious Microsoft Word documents that appear entirely innocuous but are designed to load malicious code remotely via the template feature.
Thus, when an altered RTF file is opened in Microsoft Word, the application proceeds to download the resource from the specified URL before displaying the file's lure content. It is therefore not surprising that the technique is being increasingly weaponized by threat actors to distribute malware.
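The mechanism described above, a template reference that points at a URL instead of a local file, is something a mail gateway or triage script can check for directly. The following scanner is an added example and not code from Proofpoint or The Hacker News; it assumes the standard RTF `\*\template` destination group holds the template path, resolves RTF `\'hh` hex escapes so a partly escaped URL is still recognised, and flags any template whose target is a URL or UNC path. The sample RTF strings are constructed for illustration.

```python
import re

# Assumed control word: {\*\template ...} is the standard RTF destination that
# names a document's attached template (not quoted on the page).
TEMPLATE_GROUP = re.compile(r"\{\\\*\\template\b([^{}]*)\}", re.IGNORECASE)
# RTF escapes: \'hh is a hex-encoded byte, \\ is a literal backslash.
ESCAPE = re.compile(r"\\(?:'([0-9a-fA-F]{2})|(\\))")
# A template should be a local file; URLs and UNC paths are the suspicious case.
REMOTE_TARGET = re.compile(r"^\s*(?:(?:https?|ftp|file)://|\\\\)", re.IGNORECASE)


def decode_rtf_text(raw: str) -> str:
    """Turn the raw text of an RTF group into plain text by resolving escapes."""
    return ESCAPE.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else "\\", raw
    ).strip()


def find_remote_templates(rtf: str) -> list[str]:
    """Return every template reference in the RTF that targets a remote location."""
    hits = []
    for match in TEMPLATE_GROUP.finditer(rtf):
        target = decode_rtf_text(match.group(1))
        if REMOTE_TARGET.search(target):
            hits.append(target)
    return hits


# Constructed samples (not real campaign artefacts).
BENIGN_RTF = r"{\rtf1\ansi{\*\template C:\\Users\\me\\Normal.dotm}Quarterly report}"
REMOTE_RTF = r"{\rtf1\ansi{\*\template http://example.invalid/t.dotm}Quarterly report}"
# Same remote reference with one character hex-escaped to defeat naive string matching.
OBFUSCATED_RTF = r"{\rtf1\ansi{\*\template h\'74tp://example.invalid/t.dotm}Quarterly report}"
UNC_RTF = r"{\rtf1\ansi{\*\template \\\\fileserver\\share\\t.dotm}Quarterly report}"

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_RTF), ("remote", REMOTE_RTF),
                         ("obfuscated", OBFUSCATED_RTF), ("unc", UNC_RTF)]:
        print(f"{name}: {find_remote_templates(sample)}")
```

A non-empty result for an inbound attachment is a strong signal to quarantine the file and pull the referenced URL into detection telemetry.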
Proofpoint said it observed template injection RTF files linked to the APT groups DoNot Team, Gamaredon, and a China-related APT actor dubbed TA423 as early as February 2021, with the adversaries using the files to target entities in Pakistan, Sri Lanka, Ukraine, and those operating in the deep-water energy exploration sector in Malaysia via defense-themed and other country-specific lures.
While the DoNot Team has been suspected of carrying out cyber attacks aligned with Indian state interests, Gamaredon was identified by Ukrainian law enforcement as members of Russia's Federal Security Service (FSB) with a propensity for striking the public and private sector in the country to harvest classified information from compromised Windows systems for geopolitical gain.
"The innovation by threat actors to bring this method to a new file type in RTFs represents an expanding surface area of threat for organizations worldwide," the researchers said. "While this method currently is used by a limited number of APT actors with a range of sophistication, the technique's effectiveness combined with its ease of use is likely to drive its adoption further across the threat landscape."