How to Analyze RTF Template Injection Attacks

Umut Tosun
Posted:
January 21, 2022

Proofpoint security researchers report that cyber attack groups have adopted a new technique called "RTF Template Injection" and that it currently has a low detection rate. The report also notes that in 2021 threat groups attributed to India, China and Russia used the technique in phishing campaigns against many organizations.

Let's take a look at what this technique is, how attackers exploit it, how to analyze an RTF file, and how to detect RTF Template Injection attacks.

What is RTF Template Injection?

Rich Text Format (RTF) is a document file format that describes how text is formatted. It was developed by Microsoft, first published in 1987 and maintained until 2008. The control words discussed below are documented in the Rich Text Format (RTF) Version 1.5 specification.

[Image: RTF file properties]

An RTF file consists of unformatted text, control words, control symbols and groups (text enclosed in braces). Control words and symbols tell the RTF reader how to render the text.

The RTF template control word names the template the document is formatted with. Legitimate templates are normally local files. Attackers instead point the control word at a URL on a server they control, so the reader fetches a malicious payload when the document is opened.

How Do Attackers Leverage the RTF Template Feature?

In order to perform a successful analysis, we must first understand how the attack takes place. Let's take a look at how attackers exploit the RTF template feature.

The Rich Text Format v1.5 specification defines many control words for formatting a document. Among them, the "\*\template" destination names the template file the document should be formatted with; the "\*" control symbol marks it as a destination that a reader which does not understand it may skip.

Attackers abuse this by placing the URL of a server they control where the path to a legitimate template would go, so the reader downloads the malicious payload as soon as the file is opened. Turning a benign RTF document into a malicious one takes nothing more than inserting a "{\*\template <URL>}" group, or replacing an existing group's control word with it, using any hex editor.

In the article published by Proofpoint, it is stated that the "DoNot" group inserted the "\*\template" control word into the List Override Table, the "TA423" group added it by replacing a pre-existing font family control word, and the "Gamaredon" group used the same method as "DoNot".

In the samples examined, "TA423" and "Gamaredon" wrote the URL of the malicious payload as plain text, while "DoNot" wrote it in RTF's signed 16-bit Unicode character notation ("\uN", where N is a signed decimal value), which hides the URL from simple string searches.

[Image: DoNot APT Group sample, 03674b4f49ea0fef46fd83d5cdb27443]

How to Analyze RTF Files?

Now that we understand how the attack works, we can move on to analyzing a suspicious RTF document.

First, confirm that the sample really is an RTF file.

Check the magic bytes rather than the extension: an RTF file begins with "{\rtf" (hex 7B 5C 72 74 66). Files in this format normally carry the ".rtf" extension, but the extension alone guarantees nothing, since it is chosen by whoever wrote the file; the magic bytes are the reliable check.

As noted above, the attacker has to add the "\*\template" control word for the attack to work, so it is a reliable artifact to hunt for. It has no fixed offset (it can sit in the list override table, the font table or anywhere else), so search the entire file rather than a specific region.

Almost all hex editors can search within a file; use that feature.

If a hex editor is not available, look for "\*\template" among the file's strings with a tool such as BinText or strings.

[Image: BinText]

As noted above, attackers write the URL either as plain text or in "\uN" Unicode notation, so you may need to decode it to recover the URL. Once you have the URL, continue the analysis with the payload it serves.
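The static checks described in this section, from the magic-byte test through extracting and decoding the template target, as an added Python example; this is not code from the article or from Proofpoint. It also exercises the RTF structure introduced earlier (control words, control symbols, groups), because recovering the target means walking the "\*\template" destination group. The sample documents and the example.invalid URL are constructed; writing each character as a negative "\u" value is one assumed form of the signed notation, and the decoder reduces any value modulo 65536 so both standard and wrapped values decode.

```python
"""Static triage of a suspicious RTF for Template Injection.

Added example (not code from the article or from Proofpoint). It checks the
magic bytes, scans the whole file for the \\*\\template destination (it has no
fixed offset), extracts the destination's text, and decodes targets written
either as plain text or in \\uN signed-16-bit Unicode notation.
All sample documents below are constructed and point at a reserved .invalid host.
"""
import re
from typing import Dict, List

RTF_MAGIC = b"{\\rtf"   # 7B 5C 72 74 66, the bytes the Proofpoint YARA rules anchor on
CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)(-?\d+)? ?")
TEMPLATE = re.compile(rb"\\\*\\template\b", re.IGNORECASE)
REMOTE_PREFIXES = ("http://", "https://", "file://", "\\\\")


def is_rtf(data: bytes) -> bool:
    """Trust the magic bytes, not the .rtf extension."""
    return data.startswith(RTF_MAGIC)


def decode_rtf_text(body: bytes, uc: int = 1) -> str:
    """Decode the text of one RTF group body.

    Handles \\\\ \\{ \\} escapes, \\'hh hex bytes and \\uN Unicode characters.
    N is a signed 16-bit decimal; negative and wrapped values are reduced
    modulo 65536, which is how 'h' can appear as \\u-65432. The \\ucN fallback
    characters that follow each \\uN (default one, usually '?') are skipped.
    Other control words are ignored, as are braces and line breaks.
    """
    out: List[str] = []
    i = 0
    while i < len(body):
        c = body[i:i + 1]
        if c == b"\\":
            nxt = body[i + 1:i + 2]
            if nxt in (b"\\", b"{", b"}"):          # escaped literal character
                out.append(nxt.decode("latin-1"))
                i += 2
                continue
            if nxt == b"'":                          # \'hh hex-escaped byte
                out.append(chr(int(body[i + 2:i + 4], 16)))
                i += 4
                continue
            m = CONTROL_WORD.match(body, i)
            if m is None:                            # control symbol such as \* or \~
                i += 2
                continue
            word, param = m.group(1), m.group(2)
            i = m.end()
            if word == b"uc" and param is not None:
                uc = int(param)
            elif word == b"u" and param is not None:
                out.append(chr(int(param) % 65536))
                for _ in range(uc):                  # skip the ANSI fallback chars
                    if body[i:i + 1] not in (b"", b"\\", b"{", b"}"):
                        i += 1
            continue
        if c in b"\r\n{}":
            i += 1
            continue
        out.append(c.decode("latin-1"))
        i += 1
    return "".join(out)


def find_template_targets(data: bytes) -> List[str]:
    """Return the decoded target of every \\*\\template destination in the file."""
    targets = []
    for m in TEMPLATE.finditer(data):
        depth, i = 0, m.end()
        while i < len(data):                         # walk to the group's closing brace
            b = data[i:i + 1]
            if b == b"\\":
                i += 2                                # skip escaped brace / control symbol
                continue
            if b == b"{":
                depth += 1
            elif b == b"}":
                if depth == 0:
                    break
                depth -= 1
            i += 1
        targets.append(decode_rtf_text(data[m.end():i]).strip().rstrip(";"))
    return targets


def triage(data: bytes) -> Dict[str, object]:
    """Run the analyst's checks and flag templates that point off the local machine."""
    targets = find_template_targets(data) if is_rtf(data) else []
    return {
        "is_rtf": is_rtf(data),
        "template_targets": targets,
        "remote_template": any(t.lower().startswith(REMOTE_PREFIXES) for t in targets),
    }


# Constructed samples; nothing here is a real campaign artifact.
URL = "http://example.invalid/payload.dotm"
BENIGN_RTF = (b"{\\rtf1\\ansi{\\fonttbl{\\f0\\fswiss Helvetica;}}"
              b"\\f0\\pard Quarterly report\\par}")
# Plain-text target, the style attributed above to TA423 and Gamaredon.
PLAINTEXT_RTF = (b"{\\rtf1\\ansi{\\fonttbl{\\f0\\fswiss Helvetica;}}"
                 b"{\\*\\template " + URL.encode() + b"}\\f0\\pard Quarterly report\\par}")


def encode_u_negative(text: str) -> bytes:
    """Write each ASCII character as a negative \\u value (ord - 65536) plus a '?'
    fallback: one form of the signed notation, constructed here for the sample."""
    return b"".join(b"\\u%d?" % (ord(ch) - 65536) for ch in text)


# \u-encoded target after a CR LF, the shape the second Proofpoint rule keys on.
UNICODE_RTF = (b"{\\rtf1\\ansi\\uc1{\\fonttbl{\\f0\\fswiss Helvetica;}}"
               b"{\\*\\template \r\n" + encode_u_negative(URL)
               + b"}\\f0\\pard Quarterly report\\par}")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_RTF), ("plaintext", PLAINTEXT_RTF),
                         ("unicode", UNICODE_RTF), ("not-rtf", b"MZ\x90\x00")):
        print(name, triage(sample))
```

Run it stand-alone to print a triage line for each constructed sample, or call triage() on the bytes of a suspect file. The scan covers the whole file rather than a fixed offset, and the decoder handles the plain-text and "\u" forms described above in one pass, so a URL hidden in the list override table or the font table is recovered the same way.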

Dynamic analysis can recover the URL faster: open the sample in an isolated analysis VM and record the HTTP request it issues with a network capture tool such as Wireshark. Because the download is triggered the moment the document is opened, never do this on a networked production machine.

APT Groups

Some of the cyber threat groups using the RTF Template Injection technique are as follows:

  • Gamaredon
  • DoNot
  • TA423

Although only a few groups currently use RTF Template Injection, it will likely not be long before others adopt it, just as groups such as "APT28" and "Inception" have adopted similar template injection techniques.

Mitre ATT&CK

https://attack.mitre.org/techniques/T1221/

Tactic: Defense Evasion (TA0005)
Technique: Template Injection (T1221)

Yara Rules

You can create YARA rules to detect RTF Template Injection attacks. Below are the hunting rules published by Proofpoint. Note what they match: the first requires the literal string "{\*\template http", so it misses targets written in "\u" notation, split by line breaks, or given as a UNC path; the second is keyed to "{\*\template " followed by CR LF and "\u-", the exact shape seen in the DoNot samples. Treat them as a starting point and add variants for the obfuscations you encounter.

rule Proofpoint_RTFtemplateInjection_Technique_Generic
{
	meta:
		author = "Proofpoint Threat Research"
		description = "Detects malicious RTFs using RTF Template Injection to Retrieve Remote Content from a URL"
		disclaimer = "Yara signature created for hunting purposes - not quality controlled within enterprise environment"
		hash1 = "43538d9010462668721f178efaeca89f95f6f35a"
		hash2 = "b5ec74e127ce9dfcb1b3bd9072c1d554b59b4005"
	strings:
		$rtf = { 7b 5c 72 74 66 } //rtf_bytes
		$s1 = "{\\*\\template http" ascii nocase //https_intentionally_not_specified
	condition:
		$rtf at 0 and $s1
}

rule Proofpoint_RTFtemplateInjection_Technique_Generic_Unicode_16Bit
{
	meta:
		author = "Proofpoint Threat Research"
		description = "Detects malicious RTFs using RTF Template Injection to Retrieve Remote Content from Unicode 16 Bit Encoded URL"
		disclaimer = "Yara signature created for hunting purposes - not quality controlled within enterprise environment"
		hash1 = "fbc8064399008fe20f350f0de5e4bbf5833847c7"
		hash2 = "6c01fe16e8cffa3049e84707672b82dc32f1cf72"
	strings:
		$rtf = { 7b 5c 72 74 66 } //rtf_bytes
		$s1 = {7B 5C 2A 5C 74 65 6D 70 6C 61 74 65 20 0D 0A 5C 75 2D } //{\*\template \u-
	condition:
		$rtf at 0 and $s1
}

Reference

https://www.proofpoint.com/us/blog/threat-insight/injection-new-black-novel-rtf-template-inject-technique-poised-widespread
