
RTF Template Injection Technique Becomes Popular Among APT Groups

State-sponsored hacking groups are increasingly using a new attack technique called RTF Template Injection, and its adoption is making their attacks harder to detect and prevent.

About RTF template injection

The RTF Template Injection attack technique is a new variation of a traditional template injection attack.
  • The technique is based on the Microsoft Office feature where users create a document with a predefined template.
  • It enables attackers to obtain malicious content from a remote URL using an RTF file.
  • RTF template injection is well suited to malicious phishing attachments. It is being adopted widely across the threat landscape because it is easy to use and more effective than other template injection techniques for phishing attachments.
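The list above describes the mechanism at the level a news item needs: an RTF attachment whose template reference points at a remote URL. As an added defender-side example (not code from the original article, and not Proofpoint's tooling), the script below scans RTF bytes for the template destination and flags any target that points off the host. It assumes, from the RTF specification rather than from this page, that the attached template is declared in a `{\*\template ...}` group; the sample documents and hostnames are constructed placeholders.

```python
import re

RTF_MAGIC = b"{\\rtf"

# Assumption (RTF spec, not stated on the page): a document's attached template is
# named by the \*\template destination group, e.g. {\*\template <path-or-url>}.
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\b([^{}]*)\}", re.IGNORECASE)

# RTF can spell any byte as \'hh; a detector must decode these before matching,
# otherwise a URL written as \'68\'74\'74\'70:// slips past a plain "http://" search.
HEX_ESCAPE_RE = re.compile(rb"\\'([0-9a-fA-F]{2})")

# Anything Word would fetch from outside the host: a URL scheme or a UNC path.
REMOTE_RE = re.compile(rb"^(?:(?:https?|ftp|file)://|\\\\)", re.IGNORECASE)


def decode_rtf_text(chunk: bytes) -> bytes:
    """Turn the raw bytes of an RTF destination string into plain text."""
    chunk = chunk.replace(b"\\\\", b"\\")  # RTF writes a literal backslash as \\
    chunk = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), chunk)
    return chunk.strip()


def extract_template_targets(data: bytes) -> list:
    """Return every template destination found in an RTF blob (empty if not RTF)."""
    if not data.lstrip().startswith(RTF_MAGIC):
        return []
    return [decode_rtf_text(m.group(1)) for m in TEMPLATE_RE.finditer(data)]


def classify(data: bytes) -> dict:
    """Flag the file when any template target points off-host."""
    targets = extract_template_targets(data)
    remote = [t for t in targets if REMOTE_RE.search(t)]
    return {
        "template_targets": targets,
        "remote_targets": remote,
        "verdict": "suspicious" if remote else "clean",
    }


# Constructed samples (not real malware): a normal local template, a template URL
# hidden behind hex escapes, and a UNC share. The hostnames are placeholders.
BENIGN_RTF = b"{\\rtf1\\ansi{\\*\\template C:\\\\Users\\\\alice\\\\Templates\\\\Normal.dotm}Hello}"
HEX_URL_RTF = (
    b"{\\rtf1\\ansi{\\*\\template \\'68\\'74\\'74\\'70://template.example.invalid/t.dotm}"
    b"Quarterly report}"
)
UNC_RTF = b"{\\rtf1\\ansi{\\*\\template \\\\\\\\fileserver.example.invalid\\\\share\\\\t.dotm}Memo}"

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_RTF), ("hex-url", HEX_URL_RTF), ("unc", UNC_RTF)]:
        result = classify(blob)
        print(f"{name:8s} {result['verdict']:10s} {result['remote_targets']}")
```

Run against a directory of mail attachments, the `classify()` verdict is the signal a gateway or sandbox would log; the hex-escape decoding is the part worth keeping, since a naive `grep http://` over the raw bytes misses the encoded form.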

New insights

A recent report reveals that APT groups from Russia, India, and China are exploiting the RTF Template Injection technique. Several financially motivated threat actors have adopted it as well.
  • Researchers from Proofpoint have observed three state-sponsored groups, Gamaredon (Russia), DoNoT (India), and TA423 (China), using the RTF Template Injection technique.
  • DoNoT and TA423 were the first to use this technique, delivering RTF documents with malicious templates.
  • DoNoT's RTF Template Injection attacks started in March and continued until July, while TA423's attacks were spotted in September, when they targeted Malaysian energy companies.
  • Gamaredon, the group controlled by Russia's FSB intelligence service, is the most recent APT actor to use this technique. In October, the group used RTF files posing as government documents.

Conclusion

According to researchers, the effectiveness of template injection attacks is likely to drive continued adoption among APT groups, and botnet and ransomware operators may follow. Organizations are therefore advised to deploy network and host intrusion prevention systems along with reliable anti-malware to stay protected.
Cyware Publisher
