Detection of Remote Template Injection

Weaponized Microsoft Word Document with Embedded RTF Exploit

Overview

Weaponized Microsoft Word documents with embedded RTF (Rich Text Format) exploits are a common vector used by adversaries to deliver malware. These documents often exploit vulnerabilities in Microsoft Word or the underlying RTF processing libraries to execute arbitrary code on the target system. The embedded RTF exploit can be used to bypass security measures and deliver payloads such as malware, ransomware, or other malicious software.

How It Works

  1. Document Creation: The adversary creates a Microsoft Word document that contains an embedded RTF object. This RTF object is crafted to exploit a vulnerability in the RTF processing library.

  2. Exploit Delivery: The document is sent to the target via email, download link, or other means. When the target opens the document, the embedded RTF exploit is triggered.

  3. Payload Execution: The exploit executes arbitrary code, which can download and execute additional payloads, such as malware or ransomware.

Example Scenario

Imagine an adversary sends a phishing email to a target with a subject line like "Important Document for Review." The email contains a Microsoft Word attachment named "Important_Document.docx." When the target opens the document, the embedded RTF exploit is triggered, and malware is downloaded and executed on the system.


Step-by-Step Demo

  1. Set Up the Environment:

    • Create a Microsoft Word document that contains an embedded RTF object.

    • Use a tool like rtfgen to generate a malicious RTF file.

  2. Create a Malicious RTF File:

    • Craft an RTF file that includes malicious code. For example, an RTF file that executes a command when opened.

  3. Embed the Malicious RTF File in a Word Document:

    • Insert the malicious RTF file into a Word document.

  4. Deliver the Document:

    • Send the document to a target system or open it in a controlled environment to observe the attack.

Example Code

Generate a Malicious RTF File

You can use a tool like rtfgen to generate a malicious RTF file. Here is an example of how to create a simple RTF file that includes a command:

    from rtfgen import RtfDocument, RtfParagraph, RtfText

    def create_malicious_rtf(output_file):
        doc = RtfDocument()
        para = RtfParagraph()
        para.add(RtfText("This is a malicious RTF file."))
        # The OLE object control words below are added as literal paragraph text,
        # so the output file carries these strings but no actual embedded object.
        para.add(RtfText("\\objdata \\objclass \\objemb \\objname \\objid \\objblip \\objext \\objbin"))
        doc.add(para)
        doc.write(output_file)

    create_malicious_rtf("malicious.rtf")

Embed the Malicious RTF File in a Word Document

  1. Open Microsoft Word.

  2. Insert the malicious RTF file as an object:

    • Go to Insert > Object > Create from File.

    • Browse to the malicious.rtf file and insert it into the document.

  3. Save the Word document as malicious_document.docx.

Deliver the Document

Send the malicious_document.docx to a target system or open it in a controlled environment to observe the attack.
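As an added detection example (not code from the original page), the following Python triages a .docx for the indicators described above: embedded OLE objects under word/embeddings/, the \objdata-style control words listed in the RTF sample, and external attachedTemplate relationships (the remote template injection named in the title). The document it scans is constructed inside the script; the word/embeddings/ path and the attachedTemplate relationship type are the standard OOXML ones.

```python
import io
import re
import zipfile

# RTF control words that introduce embedded OLE objects; the page's own
# sample lists several of them (\objdata, \objclass, \objemb, ...).
RTF_OBJECT_WORDS = (b"\\objdata", b"\\objemb", b"\\objclass", b"\\objupdate", b"\\objautlink")

def rtf_object_indicators(rtf_bytes):
    """Return the OLE-object control words present in raw RTF bytes (byte-level heuristic)."""
    return {w.decode() for w in RTF_OBJECT_WORDS if w in rtf_bytes}

def docx_indicators(docx_bytes):
    """Triage a .docx (OOXML zip): report embedded OLE objects, RTF object control
    words found inside them, and external attachedTemplate relationships."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/embeddings/"):
                findings.append(f"embedded object: {name}")
                words = rtf_object_indicators(z.read(name))
                if words:
                    findings.append(f"rtf object words in {name}: {sorted(words)}")
            if name.endswith(".rels"):
                rels = z.read(name).decode("utf-8", "replace")
                for tag in re.findall(r'<Relationship[^>]*TargetMode="External"[^>]*>', rels):
                    if "attachedTemplate" in tag:
                        target = re.search(r'Target="([^"]+)"', tag)
                        findings.append(f"remote template: {target.group(1) if target else '?'}")
    return findings

def build_sample_docx():
    """Constructed test input: a minimal docx-like zip with an embedded RTF object
    and an external template relationship. Not a real malicious sample."""
    rtf = b"{\\rtf1 {\\object\\objemb\\objclass Package {\\*\\objdata 01050000}}}"
    rels = ('<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/attachedTemplate" '
            'Target="http://example.invalid/template.dotm" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/embeddings/oleObject1.bin", rtf)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

Running `docx_indicators(build_sample_docx())` yields three findings: the embedded object, the RTF object control words inside it, and the external template URL.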

