Three different state-sponsored threat actors aligned with China, India, and Russia have been observed adopting a new method called RTF (aka Rich Text Format) template injection as part of their phishing campaigns to deliver malware to targeted systems.
"RTF template injection is a novel technique that is ideal for malicious phishing attachments because it is simple and allows threat actors to retrieve malicious content from a remote URL using an RTF file," Proofpoint researchers said in a new report shared with The Hacker News.
At the heart of the attack is an RTF file containing decoy content that can be manipulated to enable the retrieval of content, including malicious payloads, hosted at an external URL upon opening an RTF file. Specifically, it leverages the RTF template functionality to alter a document's formatting properties using a hex editor by specifying a URL resource instead of an accessible file resource destination from which a remote payload may be retrieved.
Put differently, the idea is that attackers can send malicious Microsoft Word documents to targeted victims that appear entirely innocuous but are designed to load malicious code via the template feature remotely. This makes the mechanism a durable and effective method when paired with phishing as an initial delivery vector, the researchers noted.
Thus when an altered RTF file is opened via Microsoft Word, the application will proceed to download the resource from the specified URL prior to displaying the lure content of the file. It's therefore not surprising that the technique is being increasingly weaponized by threat actors to distribute malware.
Proofpoint said it observed Template injection RTF files linked to the APT groups DoNot Team, Gamaredon, and a Chinese-related APT actor dubbed TA423 as early as February 2021, with the adversaries utilizing the files to target entities in Pakistan, Sri Lanka, Ukraine, and those operating in the deep water energy exploration sector in Malaysia via defense-themed and other country-specific lures.
While the DoNot Team has been suspected of carrying out cyber attacks that are aligned with Indian-state interests, Gamaredon was recently outed by Ukrainian law enforcement as an outfit connected to Russia's Federal Security Service (FSB) with a propensity for striking public and private sector organizations in the country for harvesting classified information from compromised Windows systems for geopolitical gains.
"The innovation by threat actors to bring this method to a new file type in RTFs represents an expanding surface area of threat for organizations worldwide," the researchers said. "While this method currently is used by a limited number of APT actors with a range of sophistication, the technique's effectiveness combined with its ease of use is likely to drive its adoption further across the threat landscape."