Make sure that your Word has the patch. Sometimes files that appear to have extension. There are ways to protect yourself anyway. If a malicious person wanted to trick you, they could name a dangerous file with an extension of. That's why I don't list this file format as "Quite safe".
At the current time, Word doesn't distinguish between the. Viruses have been circulated in them before. So, if a malicious person created a virus-infected. Thus, if I see a file with extension.

The Malaysian-themed RTF template injection file loaded in Microsoft Word without displaying an error message or the status message that shows the URL from which content is being downloaded.
Additionally, it includes a single line referencing the National Palace in Kuala Lumpur. At the beginning of October, Proofpoint researchers identified public samples of Gamaredon RTF template injection documents that impersonated the Ukrainian Ministry of Defense. The files communicate with the domain pretence. These Office files communicate with actor infrastructure using a URI pattern previously observed in malicious Gamaredon Microsoft Office phishing documents.
In several instances, the resource retrieved from the remote URL was an MP3 file rather than a template. The combination of these shared delivery domains, the use of known Gamaredon remote template injection techniques, social engineering lures impersonating governmental organizations within the group's primary area of responsibility, and the URI patterns shared across both the RTF and the Office template injection files allowed researchers to attribute the samples to Gamaredon.
Researchers note that several of these Office remote template injection documents were publicly reported in relation to Gamaredon on October 6. The RTF template injection files used by Gamaredon notably place the template control word in the same group of the document as the DoNot Team files do. Gamaredon, however, writes the URL in plaintext rather than encoding it as signed Unicode values.
The actor may be comparing the effectiveness of attachments of different file types to gauge the efficacy of its phishing tactics as it stages new campaigns. While Proofpoint cannot definitively determine where Gamaredon encountered the RTF template injection technique, the placement of the template control word within the style filter section of the document suggests that the group may be replicating a capability it encountered in open-source reporting on earlier DoNot Team campaigns. The continued viability of XML-based Office remote template documents has shown that this type of delivery mechanism is durable and effective when paired with phishing as the initial delivery vector.
The innovation by threat actors in bringing this method to a new file type, RTF, represents an expanded attack surface for organizations worldwide. Ultimately, this is a technique poised for wider adoption beyond targeted phishing attacks, with crimeware actors as the likely adopters. Indian and Chinese APT actors have shown an affinity for RTF files in the past, using RTF weaponizers such as Royal Road, and defenders eventually saw those tools and techniques become widely used by less sophisticated actors.
This well-established trickle-down pattern may be accelerated in this case by the minimal effort needed to weaponize RTF attachments before deploying them in active phishing campaigns.

Threat Insight
December 01, Michael Raggi

Key Takeaways
RTF template injection is a novel technique that is ideal for malicious phishing attachments because it is simple and allows threat actors to retrieve malicious content from a remote URL using an RTF file.
Proofpoint has observed three APT actors from India, Russia, and China using this technique, targeting a variety of entities likely of interest to their respective states.
RTF template injection is poised for wider adoption in the threat landscape, including among cybercriminals, based on its ease of use and its relative effectiveness compared with other template injection-based phishing attachment techniques.
Overview
Proofpoint threat researchers have observed the adoption of a novel and easily implemented phishing attachment technique by APT threat actors in Q2 and Q3.

Figure 2.
Figure 3.
Figure 4.
Figure 5.

Outlook on Windows 10: We use a tool that creates files with a pretty long filename. Thanks and kind regards, Manuel.