RTF Template Injection
Industry: Energy (Deepwater) & Government | Level: Tactical | Source: Proofpoint
Proofpoint has observed increased use of RTF template injection by the threat actors TA423, DoNot Team, and Gamaredon since as early as February 2021, with files publicly identified on April 5th. Template injection lets the threat actor alter the RTF file's control word structure to substitute a legitimate file destination with a URL that could download a malicious payload. Detection rates for this technique have so far been low. These APT groups have used the technique against various organizations and countries: DoNot Team and TA423 are both associated with targeting Malaysia's Deepwater energy exploration, while Gamaredon targeted the Ukrainian government.
Anvilogic Use Cases:
- Malicious Document Execution
- Abuse EQNEDT32.EXE CVE-2017-11882
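To make the detection point above concrete, here is an added example (not code from Proofpoint or Anvilogic) of a small Python check that pulls the `\*\template` destination out of an RTF file and flags it when it names a remote location instead of a local template, which is exactly the substitution the brief describes. The sample RTF strings and the `example.invalid` hostnames are constructed fixtures; the check also decodes standard RTF `\'hh` hex escapes so a destination written that way is not missed.

```python
import re

# A template destination group looks like {\*\template <destination>}.
# The \* prefix marks it as an ignorable destination, so a reader that does not
# understand it skips it silently, while Word resolves and fetches the template.
TEMPLATE_GROUP = re.compile(rb"\{\\\*\\template\s*(?P<dest>[^}]*)\}", re.IGNORECASE)

# Standard RTF hex escape for one byte: \'hh
HEX_ESCAPE = re.compile(rb"\\'([0-9a-fA-F]{2})")

# Anything with these prefixes is fetched from outside the document.
# A UNC path (two leading backslashes) is remote as well.
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "\\\\")


def decode_rtf_text(raw: bytes) -> str:
    """Resolve \\'hh hex escapes and RTF-escaped backslashes to the literal destination."""
    decoded = HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.replace(b"\\\\", b"\\").decode("latin-1").strip()


def find_template_destinations(data: bytes) -> list[str]:
    """Return every template destination declared in the RTF bytes."""
    return [decode_rtf_text(m.group("dest")) for m in TEMPLATE_GROUP.finditer(data)]


def is_remote_template(dest: str) -> bool:
    """A legitimate template is a local path; a URL or UNC path is the injection signal."""
    return dest.lower().startswith(REMOTE_PREFIXES)


def scan_rtf(data: bytes) -> dict:
    """Summarise a file: is it RTF, which templates it names, and whether any is remote."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return {"is_rtf": False, "templates": [], "suspicious": False}
    templates = find_template_destinations(data)
    return {
        "is_rtf": True,
        "templates": templates,
        "suspicious": any(is_remote_template(t) for t in templates),
    }


# Constructed fixtures (not real samples): a benign local template, a plain
# remote URL, and the same kind of URL with its scheme written as \'hh hex escapes.
BENIGN = b"{\\rtf1\\ansi{\\*\\template C:\\\\Users\\\\me\\\\Normal.dotm}\\pard Hello\\par}"
REMOTE = b"{\\rtf1\\ansi{\\*\\template http://template.example.invalid/t.dotm}\\pard Hi\\par}"
HEX_ENCODED = (b"{\\rtf1\\ansi{\\*\\template \\'68\\'74\\'74\\'70\\'3a\\'2f\\'2f"
               b"template.example.invalid/x.dotm}\\par}")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("remote", REMOTE), ("hex", HEX_ENCODED)):
        print(name, scan_rtf(blob))
```

Run it against a directory of inbound RTF attachments and alert on `suspicious`; a template group with a local path is normal Word behaviour, so only the remote destination is the signal.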