RTF Template Injection attack technique is being leveraged by APT groups

January 14, 2022

An attack technique called RTF Template Injection is reportedly being leveraged by state-sponsored threat groups, better known as advanced persistent threat (APT) groups, from China, India, and Russia, making their attacks harder to detect and disrupt.

Aside from the state-sponsored groups, experts also anticipate that financially motivated threat groups will adopt the technique soon.

According to security experts, RTF Template Injection is not considered new: it has been a variation of the classic template injection attack for several years, and it has long been catalogued in the MITRE ATT&CK framework and knowledge base.

The technique abuses a legitimate feature of Microsoft Office: users can create documents from pre-defined templates, and Office will fetch such a template from a remote server when the document is opened. This is what gives 'remote template injection' attacks their name.

The attack typically starts by sending malicious MS Office files, such as Word, Excel, or PowerPoint documents, to unsuspecting victims. When a file is opened, the application retrieves the pre-defined template it needs to render the content, and the malicious code is loaded along with it.
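For the Word variant described above, the remote template is declared inside the document package, in the part `word/_rels/settings.xml.rels`, as an `attachedTemplate` relationship whose `TargetMode` is `External` (these OOXML details come from the Office Open XML specification, not from this article). The following script is an added example, not code from the article or from any vendor: it builds a minimal, constructed .docx-style archive containing only that part and reports whether the attached template is fetched over HTTP(S). The lure URL is a placeholder; a `file://` target, which is how a template on the local machine is normally recorded, is deliberately not flagged.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# Relationship type Word uses for an attached (.dotm/.dotx) template and the
# package part where Word records it. Both are from the OOXML specification.
ATTACHED_TEMPLATE_REL = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
RELS_PART = "word/_rels/settings.xml.rels"
REMOTE_SCHEMES = ("http://", "https://")


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Constructed, minimal .docx-style archive holding only the parts this check
    reads. Real documents carry many more parts; none matter for the check."""
    rel = ""
    if template_target is not None:
        rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_REL}" '
               f'Target="{template_target}" TargetMode="External"/>')
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">{rel}</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(RELS_PART, rels_xml)
    return buf.getvalue()


def external_template_targets(docx_bytes: bytes) -> List[str]:
    """Return every attached-template Target declared as External in the archive."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PART not in z.namelist():
            return []  # no settings relationships: no template can be attached
        root = ET.fromstring(z.read(RELS_PART))
    targets = []
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        if rel.get("Type") == ATTACHED_TEMPLATE_REL and rel.get("TargetMode") == "External":
            targets.append(rel.get("Target", ""))
    return targets


def has_remote_template(docx_bytes: bytes) -> bool:
    """True when any attached template is fetched over HTTP(S). A file:// target
    on the local machine is the ordinary case and is left alone."""
    return any(t.lower().startswith(REMOTE_SCHEMES)
               for t in external_template_targets(docx_bytes))


if __name__ == "__main__":
    samples = [
        ("no template", None),
        ("local template", "file:///C:/Users/me/Templates/Normal.dotm"),
        ("remote template", "https://lure.example.invalid/t.dotm"),  # placeholder
    ]
    for label, target in samples:
        verdict = "REMOTE TEMPLATE" if has_remote_template(build_sample_docx(target)) else "ok"
        print(f"{label:16} -> {verdict}")
```

To run it against a real document, pass the bytes of the .docx file to `has_remote_template` instead of the constructed archive; the function only ever reads the one relationships part, so it is safe to apply to untrusted attachments at a mail gateway without rendering them.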

Remote template injection became a prevalent attack technique amongst APT groups, especially in 2020, when experts saw a surge in its use.

Most of the attacks observed by security analysts abuse Word documents rather than the other Microsoft Office formats. In the new variation, threat actors instead launch their attacks with Windows RTF (rich text format) files, because RTF likewise lets a document's content be arranged according to a pre-defined template referenced by a remote URL.

The threat actors pair the RTF files with lures likely to pique their targets' interest. They then host a template containing the malicious code that runs the malware, and edit the RTF file so that it loads that template as soon as the victim opens the infected file.
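The "edit the RTF file to load the template" step described above is carried by the RTF `{\*\template <path>}` destination, which names the document's template (a control word from the RTF specification; the article does not name it). The following script is an added example, not code from the article or from any vendor: it extracts and decodes that reference, including the case where the path is spelled with RTF `\'hh` hex escapes so that a plain substring search for "http" would miss it, and flags references that point at a remote server. The sample documents and the lure URL are constructed.

```python
import re
from typing import Optional

# Constructed sample documents for the demo; none is a real malware sample and
# the lure URL uses the reserved .invalid TLD.
BENIGN_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0\fnil Calibri;}}"
    r"\f0\fs22 Quarterly report attached.\par}"
)
REMOTE_TEMPLATE_RTF = (
    r"{\rtf1\ansi\deff0{\*\template http://lure.example.invalid/t.dotm}"
    r"{\fonttbl{\f0\fnil Calibri;}}\f0\fs22 Quarterly report attached.\par}"
)
# Same reference with the scheme spelled as RTF \'hh hex escapes: a substring
# search for "http" misses it, a decoder does not.
HEX_ESCAPED_RTF = (
    r"{\rtf1\ansi\deff0{\*\template \'68\'74\'74\'70://lure.example.invalid/t.dotm}"
    r"\par}"
)

# {\*\template <path>} is the RTF destination that names the document template
# (control word from the RTF specification; the article does not name it).
TEMPLATE_DEST = re.compile(r"\{\\\*\\template\s*(?P<body>[^{}]*)\}")
HEX_ESCAPE = re.compile(r"\\'([0-9a-fA-F]{2})")
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def unescape_rtf_text(body: str) -> str:
    r"""Turn \'hh escapes back into characters and drop surrounding whitespace."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), body).strip()


def find_template_reference(rtf: str) -> Optional[str]:
    """Return the decoded template path or URL the document declares, if any."""
    m = TEMPLATE_DEST.search(rtf)
    return unescape_rtf_text(m.group("body")) if m else None


def is_remote_template(rtf: str) -> bool:
    """True when the declared template lives on a remote server."""
    ref = find_template_reference(rtf)
    return ref is not None and ref.lower().startswith(REMOTE_SCHEMES)


def scan_rtf_file(path: str) -> Optional[str]:
    """Read an .rtf from disk and return its remote template URL, or None.
    RTF is a 7-bit format; latin-1 decodes any byte without raising."""
    with open(path, "r", encoding="latin-1") as fh:
        text = fh.read()
    return find_template_reference(text) if is_remote_template(text) else None


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_RTF),
                       ("remote template", REMOTE_TEMPLATE_RTF),
                       ("hex-escaped remote template", HEX_ESCAPED_RTF)]:
        ref = find_template_reference(doc)
        flag = "REMOTE TEMPLATE" if is_remote_template(doc) else "ok"
        print(f"{label:28} template={ref!r:45} {flag}")
```

The decoder matters in practice: the same URL can be written with every byte hex-escaped, so a detection that only greps for `http` in the raw file has a trivial blind spot, whereas normalising the destination body first gives one canonical string to compare against an allow-list of internal template servers.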

Through email spear-phishing, the threat actors deliver the malicious documents to their targets and lure them into opening the files.

The APT groups that experts have identified as leveraging the technique include TA423 from China, DoNot from India, and Gamaredon from Russia.

Security experts conclude that, for now, RTF remote template injection attacks will remain in active use among threat groups, especially since Microsoft Office remote template injection attacks have proven effective for many years.
