Understanding How Weaponized Template Injection Attacks Operate
By Brett Raybould, EMEA Solutions Architect, Menlo Security
Malicious payloads are one of the leading challenges facing organizations today.
From government agencies to large corporations and startups alike, enterprises of all shapes and sizes are confronted with the reality that one small error could provide attackers with the opportunity to inflict immense digital damages.
Faced with the threat of weaponized files, security professionals need to be increasingly vigilant. Be it malware, ransomware, remote access software, trojans or other tools, attackers are working tirelessly to find new ways of achieving their malicious objectives.
From image files like PNGs and JPEGs being used to compromise Android devices, to PDF decoys being leveraged to deliver malware to a variety of endpoint devices, the threat landscape is becoming increasingly complex and volatile. Today, it is harder than ever for firms to determine what is a threat and what is not.
Here, we’ll be diving deep into the recent uptick in usage of weaponized decoy documents that are being used to execute template injection attacks – activity that the team at Menlo Labs recently spent significant time tracking and analyzing.
An example of the rise in HEAT techniques
Template injection techniques began to emerge after Microsoft introduced new file formats for Word, Excel and PowerPoint based on the Office Open XML File Format specification back in 2007. This update made it possible to embed resources directly within a document.
With these changes came the introduction of ‘relationships’ – a method used to specify the connection between a source part and a target resource. These relationships are stored within XML parts (for example, /_rels/.rels) in the document package.
Unfortunately, threat actors have found ways to inject a URL hosting the malicious template into an XML file and in turn execute living off the land (LotL) attacks — a type of attack that uses legitimate software to perform malicious actions.
Adversaries can inject a malicious URL into a specific document to render a template hosted on a local or remote machine. When opened, the weaponized document will attempt to download and execute a malicious template.
What makes template injection attacks particularly dangerous to organizations is that the document itself doesn’t have to include suspicious indicators such as macros, which security detection engines would typically pick up, until the malicious template is fetched.
To such security tools, weaponized documents can appear to be completely benign. Often, they do not show any trace of malicious URLs or exploit markers.
Indeed, they are a prime example of a popular Highly Evasive Adaptive Threat (HEAT) technique, Legacy URL Reputation Evasion (LURE), which uses websites that web filters rate as having a good reputation to deliver malware.
Observing a variety of template injection attacks
In taking the time to observe template injection attacks, the Menlo Labs teams identified several varied examples being pursued by different threat actors.
The first example comes from threat actors that used masqueraded Microsoft URLs in order to coerce their targeted victims into downloading a malicious template. Specifically, documents were used to download a dotm template from a specialized URL that was in turn used to download malware onto a victim’s endpoint. In this specific example, the payload was even hidden in an image taken by the James Webb Telescope using image steganography.
We also saw the infamous advanced persistent threat (APT) group Patchwork deploying its own template injection attacks, using a weaponized document that claimed to be from Pakistan’s Ministry of Defense. Any victim that downloaded the document would see a password-protected PDF file, titled “Scan03.pdf”, being downloaded.
Victims were prompted to download the original file from the URL “http://office-fonts[.]herokuapp[.]com/en-us”, which is of particular interest. Indeed, the use of benign or reputable domains is an example of LURE in action.
Thirdly, our experts observed exploitation of the “Follina” zero-day vulnerability (CVE-2022-30190) in the Microsoft Support Diagnostic Tool (MSDT). Here, threat actors were able to host the exploit at an external, public-facing URL, which was in turn injected into a document with the exploit marker “!” that was used to trigger the template.
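The relationship parts described earlier and the “!” marker noted above can both be checked without opening a document in Office. The following is an added example, not code from this article or from Menlo Labs: it scans an Office Open XML package for external relationships that attach a template or whose target ends in “!”. The sample package, its placeholder hosts and the size limit are constructed assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer a hardened parser such as defusedxml

PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
MAX_PART = 1_000_000  # skip oversized .rels parts (zip-bomb guard; limit is an assumption)

def scan_relationships(data: bytes):
    """Return (part, reason, target) for external relationships worth reviewing."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_PART:
                continue
            root = ET.fromstring(pkg.read(info))
            for rel in root.iter(PKG_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue  # internal parts stay inside the package
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "").strip()
                if kind == "attachedTemplate":
                    hits.append((info.filename, "remote-template", target))
                elif target.endswith("!"):
                    hits.append((info.filename, "exclamation-marker", target))
    return hits

def build_sample() -> bytes:
    """Constructed package: only the .rels parts the scanner reads, placeholder hosts."""
    base = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    def rels(*rows):
        body = "".join(
            f'<Relationship Id="rId{i}" Type="{base}{t}" Target="{u}" TargetMode="External"/>'
            for i, (t, u) in enumerate(rows, 1))
        return ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/'
                f'relationships">{body}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/settings.xml.rels",
                   rels(("attachedTemplate", "https://templates.example.invalid/a.dotm")))
        z.writestr("word/_rels/document.xml.rels",
                   rels(("hyperlink", "https://example.com/"),
                        ("oleObject", "https://files.example.invalid/page.html!")))
    return buf.getvalue()

if __name__ == "__main__":
    for hit in scan_relationships(build_sample()):
        print(hit)
```

Ordinary external hyperlinks are deliberately not reported, since they are common in legitimate documents; a hit means the target deserves review, not that the file is malicious.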
Embracing modern security solutions is critical
While we have given a flavor of the diverse methods that threat actors can pursue in actioning template injection attacks, these are just a handful of examples in a much broader ocean of potential threats.
Indeed, in September 2022 alone, PwC and Proofpoint posted details on attacks carried out by the TA453 group that used remote template injection to obtain and execute a malicious macro, while Cisco also made a statement explaining how the Gamaredon APT targeted Ukrainian government agencies with phishing emails to deliver remote templates with malicious macros.
Unfortunately, it is unlikely that these attacks will be subsiding anytime soon. In fact, I can say with confidence that template injection attacks are likely to grow further, and even be used to load exploits on the fly.
It is therefore imperative that organizations take the necessary steps to protect themselves, with isolation standing as a sound starting point for holistic protection.
Specifically, isolation will ensure that all documents, whether they are malicious or not, are opened in a cloud container that’s separated from the user’s endpoint device. Doing so ensures that any files are converted into a safe and viewable version, with any active or malicious content stripped away.
Measures such as these are undoubtedly necessary in the modern day. Threat actors are continuing to find new and effective routes around legacy technologies. To mitigate the threats of new techniques, organizations must embrace modern security solutions.
About the Author
Brett is passionate about security and providing solutions to organisations looking to protect their most critical assets. Having worked for over 15 years for various tier 1 vendors who specialise in detection of inbound threats across web and email as well as data loss prevention, Brett joined Menlo Security in 2016 and discovered how isolation provides a new approach to actually solving the problems that detection-based systems continue to struggle with.