Hackers Increasingly Using RTF Template Injection Technique in Phishing Attacks

Three different state-sponsored threat actors aligned with China, India, and Russia have been observed adopting a new method called RTF template injection as part of their phishing campaigns to deliver malware to targeted systems.
"RTF template injection is a novel technique that is ideal for malicious phishing attachments because it is simple and allows threat actors to retrieve malicious content from a remote URL using an RTF file," Proofpoint researchers said in a new report shared with The Hacker News.
At the heart of the attack is an RTF file containing decoy content whose template reference has been manipulated so that, when the file is opened, the RTF reader retrieves content, including malicious payloads, from an external URL.
Specifically, the technique abuses the RTF template functionality: the attacker edits the file (for example with a hex editor) so that the template control word's destination is a URL rather than a path to an accessible local file, and a remote payload is fetched from that URL when the document loads.
It's therefore not surprising that the technique is being increasingly weaponized by threat actors to distribute malware.
Proofpoint said it observed template-injection RTF files linked to the APT groups DoNot Team, Gamaredon, and a Chinese-related APT actor dubbed TA423 as early as February 2021, with the adversaries using the files to target entities in Pakistan, Sri Lanka, and Ukraine, as well as organizations operating in the deep-water energy exploration sector in Malaysia, via defense-themed and other country-specific lures.
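The detection point that follows from the description above is that a benign RTF template reference points at a local file, while an injected one points at a URL. The following added example (not code from the article or from Proofpoint) is a small Python scanner that extracts the destination of each `\*\template` group in an RTF file, decodes the standard `\'hh` hex escapes RTF allows inside that destination, and flags destinations that resolve to a remote URL or UNC path. The three RTF strings are constructed samples; the hostname `example.invalid` is a placeholder.

```python
import re

# Constructed RTF samples for illustration only (not real documents or IoCs).
BENIGN_RTF = r"{\rtf1\ansi{\*\template C:\\Users\\alice\\Templates\\report.dotx}Hello}"
SUSPICIOUS_RTF = r"{\rtf1\ansi{\*\template http://example.invalid/remote.dotm}Hello}"
# Same remote destination, but "http" spelled with RTF hex escapes (\'68 = 'h', ...).
HEX_RTF = r"{\rtf1\ansi{\*\template \'68\'74\'74\'70://example.invalid/x}Hello}"

# Matches an RTF template destination group: {\*\template <destination>}
TEMPLATE_RE = re.compile(r"\{\\\*\\template\s*(?P<dest>[^}]*)\}")
# RTF hex escape for a single byte: \'hh
HEX_ESCAPE_RE = re.compile(r"\\'([0-9a-fA-F]{2})")
# Destinations that cause a network fetch: URL schemes or a UNC path (\\server\share).
REMOTE_RE = re.compile(r"^(?:https?|ftp|file)://|^\\\\", re.IGNORECASE)


def decode_rtf_text(raw: str) -> str:
    """Resolve \\'hh hex escapes and the RTF escape for a literal backslash."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), raw)
    # In RTF a literal backslash is written as "\\"; collapse it to one.
    decoded = decoded.replace("\\\\", "\\")
    return decoded.strip()


def extract_template_destinations(rtf: str) -> list[str]:
    """Return every decoded \\*\\template destination found in the RTF text."""
    return [decode_rtf_text(m.group("dest")) for m in TEMPLATE_RE.finditer(rtf)]


def is_remote_destination(dest: str) -> bool:
    """True when the template destination would be fetched over the network."""
    return bool(REMOTE_RE.search(dest))


def scan_rtf(rtf: str) -> dict:
    """Summarise template references in an RTF document for triage."""
    dests = extract_template_destinations(rtf)
    remote = [d for d in dests if is_remote_destination(d)]
    return {
        "templates": dests,
        "remote_templates": remote,
        "suspicious": bool(remote),
    }


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_RTF), ("url", SUSPICIOUS_RTF), ("hex", HEX_RTF)):
        print(name, scan_rtf(sample))
```

The hex-escape handling matters because a naive string search for `http` in the raw bytes misses a destination written as `\'68\'74\'74\'70`; decoding the destination before matching closes that gap. A production scanner would also need to handle other RTF encodings of the same bytes (for example `\u` Unicode escapes) and nested groups, so treat this as the shape of the check rather than a complete parser.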
News URL: https://thehackernews.com/2021/12/hackers-increasingly-using-rtf-template.html