State-backed hackers increasingly use RTF injection for phishing
Three APT hacking groups from India, Russia, and China were observed using a novel RTF template injection technique in their recent phishing campaigns.
Researchers at Proofpoint spotted the first cases of weaponized RTF template injection in March 2021, and since then, actors have been steadily optimizing the technique.
When creating RTF files, you can include an RTF Template that specifies how the text in the document should be formatted.
Because these files are transferred as RTF Templates and are not initially present in the RTF file itself, the phishing lures are more likely to bypass detection.
Creating remote RTF Templates is very simple: all a threat actor has to do is add the command into an RTF file using a hex editor.
Proofpoint also shared YARA signatures that admins can use to detect RTF files modified to include remote RTF Templates.
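A minimal Python check for the condition such signatures look for, as an added example that is not Proofpoint's YARA rule or code from the article. It reads the RTF template destination (the `\*\template` control word from the RTF specification) and flags values that are URLs rather than local paths, including values written with `\uN` or `\'hh` escapes. The sample documents and the `example.invalid` host are constructed.

```python
import re

# Destination group that holds the template path: {\*\template <value>}
TEMPLATE_GROUP = re.compile(r"\{\\\*\\template(?![a-z])\s*([^{}]*)\}")
# RTF escapes that can hide a URL: \uN + fallback char, \'hh, and \\ \{ \}
TOKEN = re.compile(
    r"\\u(-?\d+) ?(?:\\'[0-9a-fA-F]{2}|[^\\{}])?"
    r"|\\'([0-9a-fA-F]{2})"
    r"|\\([\\{}])"
)
# Assumption: any "scheme://" value counts as a remote template.
REMOTE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://")


def _decode(match):
    if match.group(1) is not None:
        # \uN is a signed 16-bit value, so negative numbers wrap modulo 2**16
        return chr(int(match.group(1)) % 0x10000)
    if match.group(2) is not None:
        return chr(int(match.group(2), 16))
    return match.group(3)


def template_targets(rtf):
    # Return the decoded value of every template destination in the file.
    # Line breaks inside an RTF group are ignored by readers, so drop them.
    text = rtf.decode("latin-1").replace("\r", "").replace("\n", "")
    return [TOKEN.sub(_decode, m.group(1)).strip()
            for m in TEMPLATE_GROUP.finditer(text)]


def remote_template_targets(rtf):
    # Keep only template values that point at a URL instead of a local file.
    return [t for t in template_targets(rtf) if REMOTE.match(t)]


# Constructed sample documents (not taken from any real campaign)
BENIGN = rb"{\rtf1\ansi{\*\template C:\\Templates\\report.dotx}Hello}"
PLAIN = rb"{\rtf1\ansi{\*\template http://templates.example.invalid/a.dotx}Hello}"
ESCAPED = (rb"{\rtf1\ansi{\*\template \u104?\u116?\u116?\u112?"
           rb"://templates.example.invalid/a.dotx}Hello}")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("plain", PLAIN), ("escaped", ESCAPED)):
        hits = remote_template_targets(doc)
        print(name, "REMOTE TEMPLATE" if hits else "ok", hits)
```

A hit is a reason to quarantine the attachment and review the referenced host; it does not replace a full RTF parser or the published YARA signatures.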