


Proofpoint threat researchers have observed the adoption of a novel and easily implemented phishing attachment technique by APT threat actors in Q2 and Q3 of 2021.

This technique, referred to as RTF template injection, leverages the legitimate RTF template functionality. It subverts the plain text document formatting properties of an RTF file and allows the retrieval of a URL resource instead of a file resource via an RTF's template control word capability. This enables a threat actor to replace a legitimate file destination with a URL from which a remote payload may be retrieved. RTF template injection is ideal for malicious phishing attachments because it is simple and allows threat actors to retrieve malicious content from a remote URL using an RTF file.

Proofpoint has observed three APT actors from India, Russia, and China using this technique in 2021, targeting a variety of entities likely of interest to their respective states.

RTF template injection is poised for wider adoption in the threat landscape, including among cybercriminals, based on its ease of use and relative effectiveness when compared with other phishing attachment template injection-based techniques.
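The behaviour described above (a template destination that points at a URL rather than a local file) is something a defender can check for directly in an attachment. The following is an added example, not code from the Proofpoint post: it locates the RTF `{\*\template ...}` destination group, decodes the standard RTF `\'hh` hex escapes and `\\` escapes so that a hex-obfuscated target still resolves to readable text, and flags targets that use a URL scheme (and, going slightly beyond the post, UNC paths, since those also fetch remotely). The three RTF fragments are constructed for illustration; `example.invalid` is a placeholder host.

```python
import re

# Constructed sample RTF fragments (not taken from any real attachment).
BENIGN_RTF = r"{\rtf1\ansi{\*\template C:\\Users\\user\\Templates\\Normal.dotm}\pard Hello\par}"
SUSPICIOUS_RTF = r"{\rtf1\ansi{\*\template http://example.invalid/t.dotm}\pard Hello\par}"
# Same remote target, but "http" is written as RTF hex escapes to evade naive string matching.
HEX_OBFUSCATED_RTF = r"{\rtf1\ansi{\*\template \'68\'74\'74\'70://example.invalid/t.dotm}\pard Hi\par}"

# The template destination group: {\*\template <target>}. Braces are not
# allowed inside the body here, which is enough for a plain destination.
TEMPLATE_GROUP = re.compile(r"\{\\\*\\template\b(?P<body>[^{}]*)\}", re.IGNORECASE | re.DOTALL)

# One RTF token at a time: \'hh hex escape, \\ \{ \} literal escapes,
# a control word with optional numeric parameter and delimiting space,
# or a single ordinary character.
TOKEN = re.compile(
    r"\\'(?P<hex>[0-9a-fA-F]{2})"
    r"|\\(?P<esc>[\\{}])"
    r"|\\(?P<word>[a-zA-Z]+)(?P<param>-?\d+)? ?"
    r"|(?P<char>.)",
    re.DOTALL,
)

# URL schemes and UNC paths (\\server\share) both cause a remote fetch.
REMOTE_TARGET = re.compile(r"(?i)^(https?|ftp)://|^\\\\[^\\]")


def decode_destination(body):
    """Turn the raw text of an RTF destination group into plain text."""
    out = []
    for m in TOKEN.finditer(body):
        if m.group("hex"):
            out.append(chr(int(m.group("hex"), 16)))
        elif m.group("esc"):
            out.append(m.group("esc"))
        elif m.group("word"):
            continue  # formatting control word, contributes no text
        else:
            out.append(m.group("char"))
    return "".join(out).strip()


def extract_template_targets(rtf_text):
    """Return the decoded target of every \\*\\template destination in the document."""
    return [decode_destination(m.group("body")) for m in TEMPLATE_GROUP.finditer(rtf_text)]


def is_remote_target(target):
    """True when the template target would be fetched over the network."""
    return bool(REMOTE_TARGET.match(target))


def scan_rtf(rtf_text):
    """One finding per template destination: the decoded target and whether it is remote."""
    return [{"target": t, "remote": is_remote_target(t)} for t in extract_template_targets(rtf_text)]


if __name__ == "__main__":
    import sys

    paths = sys.argv[1:]
    if not paths:
        # No files given: demonstrate on the constructed samples.
        for name, rtf in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF), ("hex", HEX_OBFUSCATED_RTF)):
            print(name, scan_rtf(rtf))
    for path in paths:
        with open(path, "r", encoding="latin-1", errors="replace") as fh:
            print(path, scan_rtf(fh.read()))
```

A local path such as `C:\Users\...\Normal.dotm` is reported with `remote: False`; any `\*\template` target that decodes to an `http://`, `https://`, `ftp://` or UNC location is the condition worth alerting on, since a legitimate RTF has no reason to load its template from the network.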
