APT teams from Russia, China, and India have adopted a brand new and simply applied phishing methodology all through the second and third quarters of this yr that researchers say is poised for broader adoption amongst cybercriminals as nicely.
The Proofpoint analysis workforce noticed rising adoption of the so-called RTF (wealthy textual content format)-template injection method amongst APT teams from February 2021 by means of April 2021. Whereas the tactic is not essentially new — different safety researchers noticed it as early as January — at the moment’s findings mark a renewed surge of the assault method.
RTF template injection is a method wherein an RTF file with decoy content material might be modified to retrieve content material hosted at an exterior URL when the RTF file is opened. By altering doc formatting properties of an RTF file, the attacker can weaponize it to entry distant content material by specifying a URL useful resource as an alternative of an accessible file vacation spot, researchers wrote in a weblog.
Previously, use of embedded malicious RTF objects has been well-documented as a vector for delivering malware utilizing RTFs, they famous. This system is extra simplistic and, in some methods, simpler for delivering distant payloads in contrast with earlier documented strategies.
“RTFs are inherently extraordinarily versatile file sorts that of their file structure accommodate a number of objects and vacation spot fields the place a risk actor can retailer a malicious URL or file to retrieve a distant payload,” explains Sherrod DeGrippo, vp of risk analysis & detection at Proofpoint.
Additional, RTF recordsdata retailer their properties as plaintext strings throughout the bytes of a file to take care of file formatting throughout doc editors, she provides.
“Which means that weaponizing a file is so simple as making a lure file in a doc editor and opening up your hex editor and changing sure file bytes with the bytes representing a malicious URL vacation spot,” DeGrippo says.
Of their writeup, researchers say it is “trivial” to change the bytes of an RTF file to insert a template management phrase vacation spot together with a URL useful resource. This might enable the RTF file to retrieve a URL useful resource as a vacation spot, moderately than a file, because the RTF construction intends. They be aware this methodology can be utilized in .rtf and .doc.rtf recordsdata, enabling profitable retrieval of distant payloads.
The pattern RTF template injection recordsdata Proofpoint analyzed at present have a decrease detection fee amongst public antivirus engines in contrast with the well-known Workplace-based template injection method, DeGrippo notes.
After they open the phishing attachment, a sufferer of considered one of these assaults will briefly see a “contacting the server for data” message, which they might not see for a standard Phrase or RTF file. If the management Phrase group was not correctly bracketed, an error message could seem, however this doesn’t occur in all circumstances.
A New Pattern Amongst APT Teams
Proofpoint has noticed three major variations of this tactic within the wild amongst APT teams, DeGrippo says, however the three teams utilizing it abuse the core performance in the identical manner.
Template injection RTF recordsdata attributable to the APT group DoNot workforce, suspected of alignment with Indian-state pursuits, had been noticed by means of July 8, 2021. RTF recordsdata “probably attributable” to a Chinese language-related APT attacker known as TA423 had been seen as lately as Sept. 29 and focused organizations with hyperlinks to Malaysian deep-water vitality exploration, researchers famous. Apart from this, they don’t have data to share on concentrating on patterns.
In a while, they noticed the APT Gamaredon, linked to the Russian Federal Safety Service (FSB), utilizing RTF template injection recordsdata in assaults that used Ukrainian authorities file lures on Oct. 5, 2021. This system appeals to APT teams as a result of it is comparatively simple and stealthy.
“APT actors, regardless of the ‘superior’ designation, if they’re doing their job nicely will exert the least quantity of assets and class crucial to achieve entry to organizations,” says DeGrippo. This prevents the attackers from exposing their refined instruments in the event that they’re caught, which might trigger an even bigger operational disruption by way of changing technical capabilities.
The benefit of RTF template injection is each its ease of weaponization and the fact that many organizations do not block RTF recordsdata by default, she continues. “They’re a part of typical enterprise operations,” she provides.
Proofpoint believes this system has been beforehand utilized in a restricted capability by crimeware attackers. Nonetheless, they are saying the convenience of weaponization will probably entice low-sophistication attackers and finally drive situations of this system within the wild. It’s potential attackers will deliver RTF template injection into their present phishing toolkit as a method of accelerating their success amid ongoing operations, DeGrippo says.
Preventing Towards Phish
In a brand new report, Forrester analysts element the traits of profitable phishing assaults and share their recommendation for organizations looking for to up their defensive methods.
“Even educated cybersecurity professionals might be victimized by well-crafted phishing emails, so it is not shocking that customers do not acknowledge each assault aimed toward them,” they wrote.
Their suggestions embrace implementing technical controls, equivalent to e-mail content material filtering and e-mail authentication, to guard customers. Analysts additionally advise offering ongoing safety consciousness coaching to show customers not solely learn how to acknowledge suspicious emails but additionally learn how to deal with them after they’re noticed. Take a look at workers usually and measure their efficiency, they advise.
Nonetheless, it is sensible to plan for technical human failure. Some emails will slip previous your defenses; you possibly can restrict the influence of an assault with browser isolation expertise, multifactor authentication, and a usually reviewed incident response plan.