Isolation: A vaccine for template injection attacks

Executive Summary

The Menlo Labs research team analyzed several weaponized decoy documents using a template injection technique. This technique has been leveraged by attackers because no suspicious indicators like macros need to be present in the document until the malicious template is fetched. Frameworks like Empire and Phishery provide the ability to create weaponized template injection documents.

Based on the nature of these attacks, we assess with high confidence that template injection attacks will continue to increase and will even be used to load exploits on the fly.

This technique is also noteworthy for the following reasons:

• It evades security tools and solutions by using a popular Highly Evasive Adaptive Threat (HEAT) technique, Legacy URL Reputation Evasion (LURE), which uses websites categorized as having a good reputation by web filters to deliver malware.
• Adversaries can inject a malicious URL in the document to render a template hosted on a local or remote machine. This weaponized document, when opened, attempts to download and execute the malicious template. This attack kill chain of loading the payload is also classified as a Living off the Land (LotL) attack — an attack using legitimate software to perform malicious actions.

This blog details how template injection attacks work and how these attacks can be prevented.

Background

With the introduction of Office Open XML (OOXML) formats, Microsoft Office provided the functionality of embedding resources into a document. Using a method called Relationships, the connection between a source part and a target resource can be specified in an XML file. The relationships are encapsulated in a .rels (XML) file in the document package.

Adversaries have taken undue advantage of this Microsoft Office feature by creating LotL attacks. These attacks are performed by injecting a URL hosting the malicious template into the .rels XML file (see Figure 1).

In the above example, the malicious URL is provided as an input to the “target=” and the “TargetMode” is set as ”External.” Upon executing the weaponized document, the malicious template is downloaded and executed (see Figure 2).

The flow of a template injection attack is shown in the image below (see Figure 3).

Infection Vector

The weaponized template injection documents are potentially benign at face value. Unless there are specific traces like malicious URLs or exploit markers, they often go undetected by security scanners. This is one of the primary reasons that a majority of these documents arrive as an email attachment.

To convince the victim, the adversaries could also hijack existing email thread conversations and attach the weaponized template injection document.

Template Injection Attacks

Template injection attacks have been used for performing a wide range of attacks with different flavors and combinations. The attacks range from downloading the malicious template for loading exploits to carrying out phishing attacks and even multi-stage attacks.

In a recent template injection attack, adversaries masqueraded as a legitimate Microsoft URL (http://schemas.openxmlformats.org/) to trick victims into downloading a malicious template (see Figure 4).

The document (hash – ee8aef2974ddcdb3917308f6475100f8) downloaded a malicious dotm template from the URL: http://www[.]xmlschemeformat[.]com/update/2021/Office/form[.]dotm. This template downloaded malware onto the victim’s endpoints by hiding it in one of the first images taken by the James Webb Telescope using image steganography.

Next we analyze a few cases of attacks using weaponized template injection documents.

MSDT “Follina” Zero Vulnerability (CVE-2022-30190)

The “Follina” Zero vulnerability (CVE-2022-30190) is a vulnerability that exists in Microsoft Support Diagnostic Tool (MSDT). The adversaries behind this exploit hosted the Follina exploit in an external public-facing URL. This URL was injected into the document with an exploit marker “!” at the end of the URL for triggering the exploit template.

In one of the attacks carried out using the Follina exploit with a weaponized template injection, the document claimed to be a “VIP Invitation to Doha Expo 2023” (see Figure 5).

When executed, the document (hash – 85829b792aa3a5768de66beacdb0a0ce) fetches the Follina exploit: https://files.attend-doha-expo[.]com/inv[.]html. The HTML file contains embedded JavaScript that invokes ms-msdt, thereby detonating the exploit and its payload.

Patchwork APT — LURE (LOTS) HEAT Technique

Patchwork is an APT group that is known to target industries related to diplomatic and government agencies. The modus operandi of this group is the use of malware generally derived via copy-paste from online forums.

In one of the recent attacks, a weaponized document claiming to be from the “Ministry of Defense, Pakistan” was used by the Patchwork APT group (see Figure 6).

The document (hash – ccf66fd0fc09ba0ea0d43d3e2f62f5fd) downloaded the template from the URL: http://office-fonts[.]herokuapp[.]com/en-us. This further downloads a password-protected PDF file, “Scan03.pdf.”

The URL used in the attack was hosted in a domain cloud platform, “Heroku.” Such use of websites with a benign/good reputation for delivering malware belongs to a HEAT technique called Legacy URL Reputation Evasion (LURE), or Living Off Trusted Sites (LOTS).

Targeted attacks using weaponized template injection documents

Several threat actors and groups have used weaponized template injection documents to carry out targeted attacks. While there are several threat groups using these weaponized documents, we have listed some of the most recent and/or ongoing attacks.

• TA423 / Red Ladon ScanBox Campaigns – From June 2021 through May 2022, Proofpoint observed an ongoing scanbox phishing campaign carried out by TA423 / Red Ladon. The attack involved malicious RTF attachments weaponized through template injection.
• DoNot Team / APT-C-35 – In August 2022, Morphisec posted details about the DoNot teams latest spear phishing email campaign. The attack used RTF template injection documents in carrying out attacks on targeted government departments, including Pakistan’s defense sector.
• TA453 / Charming Kitten / PHOSPHORUS /APT42 – In July 2022 and September 2022, PwC and Proofpoint posted details on attacks carried out by the TA453 group. The attacks used Microsoft Word document droppers which use remote template injection to obtain and execute a malicious macro.
• Gamaredon APT – In a recent post from September 2022, Cisco posted details on Gamaredon APT targeting Ukrainian government agencies. The attacks used phishing emails to deliver Microsoft Office documents containing remote templates with malicious VBScript macros.

Menlo Protection

Customers using Menlo’s Cloud Security Platform powered by an Isolation Core™ are protected against template injection attacks by design. Menlo’s Cloud Security Platform opens all documents downloaded from the internet in its Isolation Core™, away from the user’s endpoint (see Figure 7).

The document is converted to a safe version of a document, which can be viewed by the user, while the inspection engines determine whether the file is good or bad. Menlo’s Safedoc feature strips out all the active content, thereby making sure that the malicious aspect is removed. Policies can also be configured to ensure that all documents from the internet are downloaded as a safe version.

Conclusion

This post details how weaponized template injection attacks are carried out by injecting malicious URLs into the document — also known as LotL attacks. This technique evades security tools and solutions because no typical suspicious indicators are in the document until the malicious template is fetched. Additionally, these attacks also use a popular Highly Evasive Adaptive Threat (HEAT) technique — Legacy URL Reputation Evasion (LURE) — in which the malicious template is hosted in websites with a benign/good reputation, or Living Off Trusted Sites (LOTS).

Menlo Labs will continue to monitor threat groups and campaigns using template injection attacks and share updates of our research.