Weaponized files — files that are altered in order to infect a device — are one of the primary munitions in a digital adversary’s arsenal.
They are used in many ways. Security researchers previously discovered threat actors using Google Cloud Platform (GCP) App Engine to deliver malware via PDF lures, and further research revealed the use of image files such as PNG and JPEG to compromise Android devices.
While striking examples, these are ultimately just two drops in a larger ocean. From PDFs to image files to Microsoft Office documents, threat actors are using a variety of files containing code, links, and even videos to deploy malware, ransomware, Trojans, and remote access software to achieve their goals. To make matters worse, it has become increasingly difficult to determine what is and is not a threat.
Attackers are getting smarter about how and where to route their attacks, whether through network downloads, shared drives, or files attached to intercepted or legitimate-looking text message feeds and email threads.
In this latest column, we’ll be focusing specifically on template injection techniques that leverage weaponized decoy documents, especially since the Menlo Labs team has recently witnessed a surge in such attacks.
What is the template injection technique?
Template injection techniques are nothing new. What is new is their use in highly evasive adaptive threat (HEAT) attacks.
In 2007, Microsoft introduced new file formats for Word, Excel, and PowerPoint based on the Office Open XML File Format specification, providing the ability to embed resources in documents.
Unfortunately, attackers have abused a mechanism introduced by this change called relationships (used to form connections between source and target resources in XML files): by injecting a URL into a document's XML files, they can make the document fetch a malicious template hosted elsewhere.
What makes template injection a particularly attractive technique for attackers is that suspicious indicators like macros need not be present in the document before a malicious template can be obtained.
This means that the weaponized template injection document is ostensibly benign, with no trace of malicious URLs or exploit markers. As such, many detection techniques are likely to miss such documents, making them ideal for deployment via email attachments.
Why is this a problem? At many companies that use email scanning technology as their first line of defense, employees may believe that only secure emails reach their inboxes. They may be lured into a false sense of security as weaponized template injection documents slip through the net.
At Menlo Security, we’ve even seen adversaries successfully hijacking existing email thread conversations to convince victims of the legitimacy of an attached weaponized template injection document.
Template injection attack in action
The Menlo Labs team has recently witnessed various template injection attacks, a classic example of which is the use of spoofed Microsoft URLs to trick victims into downloading malicious templates.
In these cases, we saw documents downloading malicious .dotm templates from these spoofed URLs, which then downloaded malware to victim endpoints, using image steganography to hide the payload in images captured by the James Webb Telescope.
The “Follina” zero-day vulnerability (CVE-2022-30190) is the second example. This vulnerability in the Microsoft Support Diagnostic Tool (MSDT) allowed a threat actor to host the exploit at a public-facing external URL and reference it from a document; the URL used to trigger the template carries a telltale marker, a “!” at its end. In one attack we witnessed, the document claimed to be a “VIP invitation to Expo 2023 in Doha”.
Third, the Menlo Labs team also saw the notorious Advanced Persistent Threat (APT) group Patchwork use template injection attacks. Weaponized documents, claiming to be from the “Ministry of Defense of Pakistan”, fetched their template from the URL “http://office-fonts[.]herokuapp[.]com/en-us”, and the victim was then served a download of the password-protected PDF file “Scan03.pdf”.
Notably, the URL used in the attack was hosted on the cloud platform “Heroku”. Using benign or reputable sites to deliver malware in this way is a known HEAT technique called Legacy URL Reputation Evasion (LURE) or Living Off Trusted Sites (LOTS).
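As an added example (not code from this article or from Menlo Labs), the following Python script inspects an Office Open XML document's relationship parts for the external template references described above and also flags the trailing “!” marker noted in the Follina case; the sample .docx and the URL inside it are constructed here purely for the demonstration.

```python
"""Scan an OOXML (docx/dotm) package for relationships that fetch remote resources."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def find_remote_relationships(docx_bytes):
    """Return (rels part, relationship type, target, flags) for every external
    http(s) relationship. Hyperlinks are skipped: they are common and only
    resolve on click, whereas templates and OLE objects are fetched on open."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                rtype = rel.get("Type", "")
                if rel.get("TargetMode") != "External" or rtype.endswith("/hyperlink"):
                    continue
                if not target.lower().startswith(("http://", "https://")):
                    continue
                flags = []
                if rtype.endswith("/attachedTemplate"):
                    flags.append("remote-template")   # classic template injection
                if rtype.endswith("/oleObject"):
                    flags.append("remote-ole")        # used in the Follina chain
                if target.rstrip().endswith("!"):
                    flags.append("bang-suffix")       # trailing "!" trigger marker
                findings.append((name, rtype.rsplit("/", 1)[-1], target, flags))
    return findings


def build_sample_docx():
    """Constructed sample: a minimal package whose settings.xml.rels points at a
    remote template. The host name is a placeholder, not a real indicator."""
    settings_rels = (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
                     f'<Relationship Id="rId1" Type="{OFFICE_REL}/attachedTemplate" '
                     'Target="http://template-host.example/decoy.dotm!" TargetMode="External"/>'
                     '</Relationships>')
    document_rels = (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
                     f'<Relationship Id="rId1" Type="{OFFICE_REL}/styles" Target="styles.xml"/>'
                     '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()
```

Run against a real attachment with `find_remote_relationships(open(path, "rb").read())`; an empty list means no remote-fetching relationship was present, not that the file is safe.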
Mitigate advanced threats
In recent months, we have seen numerous other examples of targeted attacks using weaponized template injection documents.
In August 2022, Morphisec published details of the DoNot team’s latest spear-phishing email campaign, which used RTF template injection files to attack targeted government sectors, such as the Pakistani defense sector.
Additionally, PricewaterhouseCoopers and Proofpoint released details of attacks carried out by the TA453 group in July and September 2022, efforts that leveraged a Microsoft Word document dropper using remote template injection to obtain and execute malicious macros.
Meanwhile, in a recent post from September 2022, Cisco published details about the Gamaredon APT targeting Ukrainian government agencies using phishing emails to send Microsoft Office documents containing remote templates with malicious macros.
Based on the nature of these attacks, we assess with high confidence that template injection attacks will continue to increase and even be used for dynamic loading exploits.
To mitigate the threat of template injection attacks, we recommend that organizations consider isolation techniques. Isolation ensures that all documents are opened in cloud containers away from user endpoints, converting any file into a safe, viewable version from which any active or malicious content has been stripped.
Traditional tools no longer provide adequate protection against advanced threats such as template injection attacks. Organizations need modern defenses.