world tour:
Join us for a live look at how Menlo’s Secure Enterprise Browser puts you ahead of attackers
The Menlo Labs research team analyzed several weaponized decoy documents using a template injection technique. This technique has been leveraged by attackers because no suspicious indicators like macros need to be present in the document until the malicious template is fetched. Frameworks like Empire and Phishery provide the ability to create weaponized template injection documents.
Based on the nature of these attacks, we assess with high confidence that template injection attacks will continue to increase and will even be used to load exploits on the fly.
This technique is also noteworthy for the following reasons:
This blog details how template injection attacks work and how these attacks can be prevented.
With the introduction of Office Open XML (OOXML) formats, Microsoft Office provided the functionality of embedding resources into a document. Using a method called Relationships, the connection between a source part and a target resource can be specified in an XML file. The relationships are encapsulated in a .rels (XML) file in the document package.
Adversaries have taken undue advantage of this Microsoft Office feature by creating LotL attacks. These attacks are performed by injecting a URL hosting the malicious template into the .rels XML file (see Figure 1).
In the above example, the malicious URL is provided as an input to the “target=” and the “TargetMode” is set as ”External.” Upon executing the weaponized document, the malicious template is downloaded and executed (see Figure 2).
The flow of a template injection attack is shown in the image below (see Figure 3).
The weaponized template injection documents are potentially benign at face value. Unless there are specific traces like malicious URLs or exploit markers, they often go undetected by security scanners. This is one of the primary reasons that a majority of these documents arrive as an email attachment.
To convince the victim, the adversaries could also hijack existing email thread conversations and attach the weaponized template injection document.
Template injection attacks have been used for performing a wide range of attacks with different flavors and combinations. The attacks range from downloading the malicious template for loading exploits to carrying out phishing attacks and even multi-stage attacks.
In a recent template injection attack, adversaries masqueraded as a legitimate Microsoft URL (http://schemas.openxmlformats.org/) to trick victims into downloading a malicious template (see Figure 4).
The document (hash - ee8aef2974ddcdb3917308f6475100f8) downloaded a malicious dotm template from the URL: http://www[.]xmlschemeformat[.]com/update/2021/Office/form[.]dotm. This template downloaded malware onto the victim’s endpoints by hiding it in one of the first images taken by the James Webb Telescope using image steganography.
Next we analyze a few cases of attacks using weaponized template injection documents.
The “Follina” Zero vulnerability (CVE-2022-30190) is a vulnerability that exists in Microsoft Support Diagnostic Tool (MSDT). The adversaries behind this exploit hosted the Follina exploit in an external public-facing URL. This URL was injected into the document with an exploit marker “!” at the end of the URL for triggering the exploit template.
In one of the attacks carried out using the Follina exploit with a weaponized template injection, the document claimed to be a “VIP Invitation to Doha Expo 2023” (see Figure 5).
When executed, the document (hash - 85829b792aa3a5768de66beacdb0a0ce) fetches the Follina exploit: https://files.attend-doha-expo[.]com/inv[.]html. The HTML file contains embedded JavaScript that invokes ms-msdt, thereby detonating the exploit and its payload.
Patchwork is an APT group that is known to target industries related to diplomatic and government agencies. The modus operandi of this group is the use of malware generally derived via copy-paste from online forums.
In one of the recent attacks, a weaponized document claiming to be from the “Ministry of Defense, Pakistan” was used by the Patchwork APT group (see Figure 6).
The document (hash - ccf66fd0fc09ba0ea0d43d3e2f62f5fd) downloaded the template from the URL: http://office-fonts[.]herokuapp[.]com/en-us. This further downloads a password-protected PDF file, “Scan03.pdf.”
The URL used in the attack was hosted in a domain cloud platform, “Heroku.” Such use of websites with a benign/good reputation for delivering malware belongs to a HEAT technique called Legacy URL Reputation Evasion (LURE), or Living Off Trusted Sites (LOTS).
Several threat actors and groups have used weaponized template injection documents to carry out targeted attacks. While there are several threat groups using these weaponized documents, we have listed some of the most recent and/or ongoing attacks.
Customers using Menlo’s Cloud Security Platform powered by an Isolation Core™ are protected against template injection attacks by design. Menlo’s Cloud Security Platform opens all documents downloaded from the internet in its Isolation Core™, away from the user’s endpoint (see Figure 7).
The document is converted to a safe version of a document, which can be viewed by the user, while the inspection engines determine whether the file is good or bad. Menlo’s Safedoc feature strips out all the active content, thereby making sure that the malicious aspect is removed. Policies can also be configured to ensure that all documents from the internet are downloaded as a safe version.
This post details how weaponized template injection attacks are carried out by injecting malicious URLs into the document — also known as LotL attacks. This technique evades security tools and solutions because no typical suspicious indicators are in the document until the malicious template is fetched. Additionally, these attacks also use a popular Highly Evasive Adaptive Threat (HEAT) technique — Legacy URL Reputation Evasion (LURE) — in which the malicious template is hosted in websites with a benign/good reputation, or Living Off Trusted Sites (LOTS).
Menlo Labs will continue to monitor threat groups and campaigns using template injection attacks and share updates of our research.
