Camouflaged URLs in template injection attacks

Executive Summary

The Menlo Labs research team recently published a blog on how weaponized template injection documents work and how to prevent them. Unless they have specific traces like malicious URLs or exploit markers, they often go undetected by security scanners.

As we continued our research into template injection attacks, we stumbled across several weaponized documents with an interesting camouflage technique hiding the URL to the naked eye. The documents contained a decimal IP address or used an obscure URL format for fetching the remotely hosted template.

As we mentioned in our previous post, the attacks are also noteworthy for the following reasons:

• They use camouflaged template injection URLs to bypass file-based content inspection engines that look for URL-based patterns in a technique the Menlo Labs team has termed Legacy URL Reputation Evasion (LURE), an example of a Highly Evasive Adaptive Threat (HEAT) technique.
• Adversaries can inject a malicious URL in the document to render a template hosted on a local or remote machine. This weaponized document, when opened, attempts to download and execute the malicious template. This attack kill chain of loading the payload is also classified as a Living off the Land (LotL) attack — an attack using legitimate software to perform malicious actions.

This blog details our findings on the camouflaged template injection attacks.

Different IP Address Notations

Usually, an IP address is represented with a dotted-decimal notation in the format XXX.XXX.XXX.XXX. Alternatively, IP addresses can also be represented using different notations.

Let’s show the different notations for IP addresses using an example of a google.com IP address, 42.250.199.142 (at the time of this writing):

• Octal notation: IP address represented in the octal number system → 0052.0372.0307.0216. This can also be represented as 05276543616. Since the leading 0 is used as an interpreter maker for an octal representation, any number of 0s can be added. For example, 0000000000005276543616 or 0052.0372.0307.000000000216.
• Hexadecimal notation: IP address represented in the hexadecimal number system → 0x2afac78e. This can also be represented as 0x2a.0xfa.0xc7.0x8e.
• Decimal/DWORD notation: IP address represented in the decimal number system without the dots → 721078158
• Binary notation: IP address represented in the binary number system → 10001110.11111010.11000111.10001110
• Encoded notation: IP address represented in a URL-encoded IP address → %34%32%2E%32%35%30%2E%31%39%39%2E%31%34%32
• Mixed notation: IP address represented with a combination of the different notations mentioned above → 0x2a.0372.199%2E%31%34%32

In addition to the above, there is another notation, 0 optimized dotted-decimal notation, in which the 0s in an IP address are either suppressed or compressed.

For this example, let’s take the default gateway IP address used by routers: 192.168.0.1. The list below shows representations of 0 in the IP address that are optimized:

• 192.168.1
• 192.168.000000000000.0000000001
• 192.168.00000001

By default, most of these notations (except for the binary notation) are accepted by browsers. Using such notations can evade file-based content inspection engines, which look for a valid URL format.

Sounds complicated? Interesting? Wait!!!

It’s not over yet! Let’s dig into another part of this Pandora’s box.

Misleading URI-Based Semantic Attacks

While the IP address notations already pose a challenge to file-based content inspection engines, the use of obscure URLs makes inspection even more challenging. This method involves the use of the “@” userinfo subcomponent in the Uniform Resource Identifier (URI) schemes. Using this character, an obscure URL format or misleading URI can be created in the URI generic syntax format, leading to URI-based semantic attacks. For a better understanding, let’s take the same example of the google.com IP address. An example of a misleading URI can be https://[email protected]. This URL, when visited via the browser address bar, will resolve to google.com.

Here, “@” functions as a delimiter ignoring “test” and resolving to google.com. Additionally, it must also use the “://” authority component for creating a misleading URI.

The same functionality works for any number of “@” iterations:

• https://test!@test!@test!@test!@test@test@test@[email protected]
• https://@@@@@@@@@@@@@@@@@@@@@@@@@@@@@google.com
• https://@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@google.com
• https://@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@0x8efac78e

This can also be performed with octal, hexadecimal, and decimal notations, such as https://test@0x8efac78e and https://@721078158. This turned out to be an interesting experiment for us. We identified that, except for the standard dotted-decimal notation, the octal, hexadecimal, and decimal/DWORD notations were treated as invalid links by most applications.

In addition, an attacker can also mask the malicious URL behind a benign URL. Let’s take a look at the following URLs as examples:

• https://192.168.1@0x2afac78e
• https://[email protected]
• https://[email protected]

In all these examples, the URLs resolve to google.com — 192.168.1, 192.168.0.1, and youtube.com are not the actual URLs.

Camouflaged URLs

The use of browser-supported nonstandard IP notations and a misleading URI acts as camouflage.

An attacker can use the following methods to bypass content inspection engines that check for URLs:

• Create a link with octal, hexadecimal, or decimal notations, thereby making an application treat the link as an invalid link.
• Create a link with a misleading URI (semantic attack) by using octal, hexadecimal, or decimal notations.
• Create a link with a misleading URI (semantic attack) by masking a malicious URL with a benign URL.

These attacks are not new and have been used for more than a decade. In September 2020, Trustwave published details citing examples of such URL evasions. They explained the use of an encoded hexadecimal IP address format and a URL semantic attack that masked a shortened URL.

Camouflaged URLs in Template Injection Attacks

During our research, we identified camouflaged URLs used in weaponized template injection documents.

The templates were hosted in camouflaged URLs that were using the following:

• Decimal notation
• Misleading URI (semantic attack) with decimal notation

We will share examples of these notations identified in our analysis.

Decimal notation

The document we analyzed that used decimal notation URLs also contained several “.” and “-” characters as camouflage (see Figure 1).

The details of the file are as follows:

• File name: Axis Bank – 67 Account Pending List – 22.09.2022.docx
• Hash- b9cb173c049ab9d289dfde58cfd96cf4)
• Path → word_rels\webSettings.xml.rels.
• Template URL – http[:]//1806450061/…———————-……………..———————–……——-/……….650[.]doc

The decimal/DWORD 1806450061 in the URL is the equivalent of 107.172.61.141 in a dotted IP address format.

Misleading URI (Semantic Attack) with Decimal Notation

Another similar-looking document used the same decimal notation URL with several “.” and “-” characters. In addition, the attacker crafted a misleading URI semantic attack (see Figure 2).

The details of the file are as follows:

• File name: TT details.docx
• Hash- e732f54857ee57bebe19fb6f3954114c
• Path → word_rels\webSettings.xml.rels.
• Template URL – http://users@1806450061/..———..————–—-——_————/………………………….89.doc

As explained earlier, “@” functions as a delimiter ignoring “users” and taking “1806450061” into consideration. This resolves to the dotted IP address format 107.172.61.141.

Revealing the Camouflage

Now the question is: Does this camouflage reveal automatically, without user intervention? The answer is Yes.

In both cases mentioned previously, upon opening the weaponized document, the camouflaged URL reveals itself and fetches the template from 107.172.61.141. An example of the packet capture during the execution of one such weaponized document is shown below (see Figure 3).

The weaponized documents downloaded a template containing an RTF exploit, CVE-2017-11882. This exploit contains a stack buffer overflow vulnerability in Equation Editor leading to remote code execution. Though this vulnerability has been patched, it still continues to be actively used.

During our analysis using the RTF exploit templates, the weaponized documents dropped malware like FormBook, Snake Keylogger, and SmokeLoader.

Menlo Isolation to the Rescue!

As explained in our previous article, customers using Menlo’s Cloud Security Platform powered by an Isolation Core™ are protected against template injection attacks by design. The Menlo Cloud Security Platform opens all documents downloaded from the Internet in the Isolation Core™, away from the user’s endpoint.

Menlo’s Safedoc feature strips out all the active content, thereby making sure that the malicious aspect is removed. The document is converted to a safe version. Policies can also be configured to ensure that all documents from the Internet are downloaded as a safe version.

Conclusion

This blog provided details about different IP address notations and semantic attacks that Menlo Labs has seen. Threat actors have taken advantage of this strategy in crafting browser-supported nonstandard notations. We showcased examples of weaponized template injection documents using this technique and also using “.” and “-” characters as a camouflage to the naked eye. This attack bypasses some file-based content inspection engines, which treat them as invalid links.

While we observed only a few camouflaged iterations in the template injection attacks, we expect to see more from this Pandora’s box.

IOCs

Hashes:
b9cb173c049ab9d289dfde58cfd96cf4
f4c5e11473a31d7fd0151e8e8683f21f
b41225fb45bc78c549f6cc55b7c1ad3a
05fe20851e6f72d31d6147c937a5da98
396a604cc05534cd90291dee5877eea6
130181c1c46545bd9a2c6245e71ebb92
5fa0e9c5e0139f2f332ded2610ee1168
f5bf5c010cf46a24c06e45d191ecbcd5
2fce6e97f53169c6e4c2f1f9086712b7
429b2307c47f8f23fc986c7f48afd03b
e732f54857ee57bebe19fb6f3954114c
aa3354211e2042dbabfc21a47dfba19a
db4db708d8ff5693536d5b98251d2274
71feb287d0b9f215ff34ec25abe5ced1
2384fe43ced9acc7734d49f68a5dcc88
7c58cca4a48205c5c77fb4d44c65be51

URLs:
http://1806450055/..—.———————.—-—-—————/……288.doc
http://1806450056/……———————————………————-/…………..17.doc
http://dummy_username@1806450056/….——————………………………………..—————/92.doc
http://users@1806450056/….——————………………………………..—————/93.doc
http://username@1806450056/..-…..———————-…….—————————..—…..—–/136.dothtml
http://1806450056/..-…..———————-…….—————————..—…..—–/137.dothtml
http://1806450061/…———————-……………..———————–……——-/………..77.doc
http://users@1806450061/..———..————–—-——————/…………………….87.doc
http://1806450061/…———————-……………..———————–……——-/……….88.doc
http://users@1806450061/..———..——————_——————/………………………….89.doc
http://users@1806450061/..———..——————_——_————/………99.doc
http://1806450061/…———————-……………..———————–……——-/…………390.doc
http://1806450061/…———————-……………..———————–……——-/………..400.doc
http://1806450061/…———————-……………..———————–……——-/……….650.doc
http://1806453907/..————.—–—-.——-––—–…————–.—–—–/o——–O–..—————–D—–-d-Op———-_–.dothtml

IPs:
107.172.61[.]135
107.172.61[.]136
107.172.61[.]141
107.172.76[.]147