Phishing attacks by state hackers via new RTF template injection technique

Sicherheit (Pexels, allgemeine Nutzung)[German]Security vendor Proof Point observed three APT actors from India, Russia and China using a novel RTF template injection technique for phishing attachments to retrieve malicious content from a remote URL in 2021. The security researcher fear, that this technique will be misused soon by cyber criminals.


Security researchers at Proofpoint observed APT threat actors using a novel and easy-to-implement technique for phishing attachments in the second and third quarters of 2021. This technique, called RTF template injection, exploits legitimate RTF templates for malicious attacks. It allows a URL resource to be retrieved instead of a file resource via the control word function of an RTF template.

Loading malicious content from a URL
Loading malicious content via the RTF template file, source: Proof Point.

In this way, a threat actor can replace a legitimate file target with a URL from which a remote payload can be retrieved. In the blog post Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors, Proof Point describes its observations..

RTF Template Injection 

RTF template injection is a simple technique where an RTF file can be manipulated to retrieve content from an external URL when opened. By modifying the document formatting properties of an RTF file, specifically the document formatting control word for the "\*\template" structure, actors can weaponize an RTF file to retrieve remote content by specifying a URL resource instead of an accessible file resource destination. The following dump shows such an injection of a URL in an RT file.

RTF-Template with malicious content
Manipulated RTF template file, source: Proof Point


The RTF template files with injected external URLs analyzed for this publication currently have a lower detection rate by antivirus programs – at least compared to the well-known Office-based template injection technique. Proofpoint has identified several phishing campaigns using this technique that have been attributed to various APT threat actors. While this technique appears to be making the rounds among APT actors in various countries, Proofpoint suspects it may soon be adopted by cybercriminals due to the recent rise in its use and the triviality of its implementation. Details can be found in the linked Proofpoint article.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *