Cybersecurity Breach 

The technique being used by hackers is easier to deploy and more effective because it’s harder for antivirus software to detect – and many organisations won’t block RTF files by default because they’re part of everyday business operations.

The technique is RTF template injection. By altering an RTF file’s document-formatting properties, it’s possible for attackers to weaponise an RTF file to retrieve remote content from a URL controlled by the attackers, enabling them to secretly retrieve a malware payload that gets installed on the victim’s machine.

Attackers can use RTF template injections to open documents in Microsoft Word, which will use the malicious URL to retrieve the payload while also using Word to display the decoy document.
This approach might require luring users into enabling editing or enabling content to begin the process of downloading the payload, but with the right form of social engineering, especially off the back of a convincing lure, a victim can be tricked into allowing this process to take place.

It isn’t a complex technique, but because it is simple and reliable to use, it has become popular with several nation-state hacking operations, which can deploy RTF attacks instead of other, more complex attacks, but still get the same results.

Despite the “Advanced” designation, if APT actors are doing their job well, they will exert the least amount of resources and sophistication necessary to gain access to organisations, said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.
“This prevents actors from exposing more sophisticated tools if discovered, resulting in a greater operational disruption for threat actor groups to replace technical capabilities when discovered,” she added.
According to researchers, the earliest known instance of an APT group using RTF template injections in a campaign was in February 2021. These injections were undertaken by DoNot Team, an APT group that has been linked to Indian state interests.

While only a handful of APT groups have attempted to deploy RTF-based attacks so far, researchers warn that the technique’s effectiveness combined with its ease of use is likely to drive its adoption further across the threat landscape – and this could mean campaigns leveraging this technique are adopted by financially motivated cyber criminals.

For more information about this topic visit the ZDNet article or go to our Proofpoint offering