Technical Analysis of RTF Template Injection Attack

Let's uncover how attackers use Template Injection to embed malicious templates in RTF files, triggering RCE.

Friday, 10 May, 2024

RTF Template Injection Attack - Cyberwarehub

RTF Template Injection Attack involves exploiting vulnerabilities within Rich Text Format (RTF) files to inject malicious content, such as scripts or macros. When these compromised RTF files are opened by users, often through email attachments or downloads, the embedded malicious code executes, potentially leading to system compromise or unauthorized access. This attack vector leverages the trusted nature of document files, making it particularly dangerous as users may unwittingly trigger harmful actions simply by opening what appears to be a benign document.

File Details:

Hash     : 694d433a729b65993dae758e862077c2d82c92018e8e310e121e1fa051567dba
Magic    : Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Filename : APT-C-35.doc
FileType : Rich Text Format
Size     : 35.06 KB (35898 bytes)

Infection Chain:

Here, the attacker initiates the attack by sending a phishing email to the targeted victim, attaching an RTF document that exploits the CVE-2017-11882 vulnerability. This vulnerability allows the document to execute arbitrary code when opened. Analysis of the attack behavior indicates that it is associated with the DoNot APT group. The malicious RTF document contains an embedded URL designed to trigger the download and execution of a payload file, thereby performing the cyber attack on the victim's machine.

Static View of the RTF File Format:

The RTF file format comprises unformatted text, control words, control symbols, and groups. RTF readers utilize these elements to render text in specific formats.

Control words in the context of RTF (Rich Text Format) are commands used to specify formatting and other instructions within an RTF document. These control words are preceded by a backslash (\) and are followed by optional parameters enclosed in square brackets ([]).

For example, \b is a control word used to indicate the start of bold text, while \par is used to insert a paragraph break. Control words enable the RTF reader to interpret and display the text according to the specified formatting and layout instructions.

Why It’s Called a Template Injection Attack?

In an RTF (Rich Text Format) document, the template feature allows the document to link to external templates for additional formatting or content. Attackers exploit this functionality by embedding a reference to a malicious external template within the RTF document. When the document is opened, the RTF reader follows the embedded reference and loads the external template, which contains the malicious payload. This leads to the execution of harmful code on the victim's machine.

In the sample, we can observe the control word \*\template followed by the obfuscated functions.
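The following Python script is an added example, not code from the original post or from Cyberwarehub. It turns the structure described above (groups, control words, control symbols and text) into a small tokenizer and then uses it to pull the reference out of a \*\template destination, decoding \'hh hex escapes so that a URL fragmented across plain text and escapes is reassembled before it is classified as local or remote. The sample RTF, its hex-split URL and the example.invalid host are constructed for the demo; `\uN` unicode escapes are deliberately not handled.

```python
"""Minimal RTF tokenizer plus a check for external template references.

Added example (not the original post's code). Tokenizes an RTF byte stream into
groups, control words, control symbols and text, then walks the groups looking
for a \\*\\template destination and decodes \\'hh hex escapes inside it so a
fragmented URL is reassembled. The sample RTF at the bottom is constructed.
"""
import re
from urllib.parse import urlsplit

# One alternation covering the RTF lexical units:
#   control word   : backslash, letters, optional signed number, optional space delimiter
#   hex escape     : \'hh (one byte in the document code page)
#   control symbol : backslash followed by one non-letter character (\*, \{, \} ...)
#   group delimiter: { or }
#   text           : any run of bytes that is none of the above
TOKEN_RE = re.compile(
    rb"\\([a-zA-Z]+)(-?\d+)? ?"
    rb"|\\'([0-9a-fA-F]{2})"
    rb"|\\(.)"
    rb"|([{}])"
    rb"|([^\\{}]+)",
    re.DOTALL,
)


def tokenize(data: bytes):
    """Yield (kind, value, param) tuples; kind is word/hex/symbol/open/close/text."""
    for m in TOKEN_RE.finditer(data):
        word, param, hexchar, symbol, brace, text = m.groups()
        if word is not None:
            yield ("word", word.decode("ascii"), param)
        elif hexchar is not None:
            yield ("hex", bytes.fromhex(hexchar.decode("ascii")), None)
        elif symbol is not None:
            yield ("symbol", symbol.decode("latin-1"), None)
        elif brace is not None:
            yield ("open" if brace == b"{" else "close", None, None)
        else:
            yield ("text", text, None)


def find_template_refs(data: bytes, codepage: str = "cp1252"):
    """Return every reference found inside a {\\*\\template ...} destination group."""
    refs = []
    stack = []  # one dict per open group: tokens seen so far, is-template flag, text buffer
    for kind, value, param in tokenize(data):
        if kind == "open":
            stack.append({"n": 0, "template": False, "buf": bytearray()})
            continue
        if kind == "close":
            if not stack:
                raise ValueError("unbalanced RTF: '}' without matching '{'")
            grp = stack.pop()
            if grp["template"]:
                raw = bytes(grp["buf"]).decode(codepage, errors="replace")
                refs.append("".join(raw.split()))  # readers ignore raw CR/LF in text
            continue
        if not stack:
            continue  # bytes outside the outermost group carry no meaning
        grp = stack[-1]
        # \template must be the first control word of its group (after the \* symbol)
        if kind == "word" and value == "template" and grp["n"] <= 1:
            grp["template"] = True
        elif kind in ("text", "hex") and grp["template"]:
            grp["buf"] += value  # plain text and decoded \'hh bytes both join the URL
        grp["n"] += 1
    if stack:
        raise ValueError("unbalanced RTF: unclosed group")
    return refs


def is_remote(ref: str) -> bool:
    """True when the template lives off-host: http/https/ftp URL or UNC path."""
    if ref.startswith("\\\\"):
        return True
    parts = urlsplit(ref)
    return parts.scheme.lower() in ("http", "https", "ftp") and bool(parts.netloc)


def triage(data: bytes):
    """(reference, remote?) for each template reference; a remote one is the indicator."""
    return [(ref, is_remote(ref)) for ref in find_template_refs(data)]


# Constructed sample: a \*\template destination whose URL is split across plain
# text, a CRLF and \'hh escapes ("http" -> \'68\'74\'74\'70, "o" -> \'6f, "p" -> \'70).
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\ansicpg1252\\deff0"
    b"{\\fonttbl{\\f0 Calibri;}}"
    b"{\\*\\template \\'68\\'74\\'74\\'70://example.invalid/\r\n"
    b"rem\\'6fte/tem\\'70late.dot}"
    b"\\pard Hello\\par}"
)

if __name__ == "__main__":
    for ref, remote in triage(SAMPLE_RTF):
        print(("REMOTE  " if remote else "local   ") + ref)
```

Run it against a suspicious .doc/.rtf by replacing SAMPLE_RTF with the file's bytes; any reference flagged REMOTE is the behaviour the dynamic view below describes, a reader reaching out to an external .dot before the document body is shown. Note that a legitimate document may also carry a \*\template pointing at a local or intranet path, which is why the check reports the reference and its locality rather than a bare verdict.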

Let's examine the dynamic view of the RTF file.

Upon opening the RTF file, a dialog box appears within 2 seconds, indicating that it is attempting to open an external URL with a .dot extension. The URL is randomized and unsecured. Afterward, an empty RTF file opens while, in the background, the malicious URL attempts to connect and initiate its infection. This is not the normal behavior of an RTF file.

Common APIs used by DoNot APT Group:
CreateFileW, CopyFileExW, CreateDirectoryW, DeleteFileW, WriteFile, ReadFile

HTTP Response Action:

Obtained URL and its Sandbox Results:

Conclusion:

In summary, understanding RTF Template Injection Attacks is crucial for identifying and mitigating this sophisticated threat. By examining the infection chain and conducting a detailed technical analysis of the file, we can better defend against such attacks and enhance our overall cybersecurity posture.

Happy Hunting !!