Learn how hybrid work is fueling ransomware attacks and what to do about it.

Back to blog

Isolation: A vaccine for template injection attacks

The Menlo Labs research team analyzed several weaponized decoy documents using a template injection technique that fetches and executes the template during execution

Share this article

Executive Summary

The Menlo Labs research team analyzed several weaponized decoy documents using a template injection technique. This technique has been leveraged by attackers because no suspicious indicators like macros need to be present in the document until the malicious template is fetched. Frameworks like Empire and Phishery provide the ability to create weaponized template injection documents.

Based on the nature of these attacks, we assess with high confidence that template injection attacks will continue to increase and will even be used to load exploits on the fly.

This technique is also noteworthy for the following reasons:

  • It evades security tools and solutions by using a popular Highly Evasive Adaptive Threat (HEAT) technique, Legacy URL Reputation Evasion (LURE), which uses websites categorized as having a good reputation by web filters to deliver malware.
  • Adversaries can inject a malicious URL in the document to render a template hosted on a local or remote machine. This weaponized document, when opened, attempts to download and execute the malicious template. This attack kill chain of loading the payload is also classified as a Living off the Land (LotL) attack — an attack using legitimate software to perform malicious actions.

This blog details how template injection attacks work and how these attacks can be prevented.

Background

With the introduction of Office Open XML (OOXML) formats, Microsoft Office provided the functionality of embedding resources into a document. Using a method called Relationships, the connection between a source part and a target resource can be specified in an XML file. The relationships are encapsulated in a .rels (XML) file in the document package.

Adversaries have taken undue advantage of this Microsoft Office feature by creating LotL attacks. These attacks are performed by injecting a URL hosting the malicious template into the .rels XML file (see Figure 1).

Screenshot of code for template injection attack
Figure 1: Template injection attack

In the above example, the malicious URL is provided as an input to the “target=” and the “TargetMode” is set as ”External.” Upon executing the weaponized document, the malicious template is downloaded and executed (see Figure 2).

Screenshot of malicious template downloaded in Microsoft Word
Figure 2: Malicious template downloaded

The flow of a template injection attack is shown in the image below (see Figure 3).

Figure 3: Template injection attack

Infection Vector

The weaponized template injection documents are potentially benign at face value. Unless there are specific traces like malicious URLs or exploit markers, they often go undetected by security scanners. This is one of the primary reasons that a majority of these documents arrive as an email attachment.

To convince the victim, the adversaries could also hijack existing email thread conversations and attach the weaponized template injection document.

Template Injection Attacks

Template injection attacks have been used for performing a wide range of attacks with different flavors and combinations. The attacks range from downloading the malicious template for loading exploits to carrying out phishing attacks and even multi-stage attacks.

In a recent template injection attack, adversaries masqueraded as a legitimate Microsoft URL (http://schemas.openxmlformats.org/) to trick victims into downloading a malicious template (see Figure 4).

Screenshot of template injection attack masquerading as a legitimate Microsoft URL
Figure 4: Template injection attack masquerading as a legitimate Microsoft URL

The document (hash – ee8aef2974ddcdb3917308f6475100f8) downloaded a malicious dotm template from the URL: http://www[.]xmlschemeformat[.]com/update/2021/Office/form[.]dotm. This template downloaded malware onto the victim’s endpoints by hiding it in one of the first images taken by the James Webb Telescope using image steganography.

Next we analyze a few cases of attacks using weaponized template injection documents.

MSDT “Follina” Zero Vulnerability (CVE-2022-30190)

The “Follina” Zero vulnerability (CVE-2022-30190) is a vulnerability that exists in Microsoft Support Diagnostic Tool (MSDT). The adversaries behind this exploit hosted the Follina exploit in an external public-facing URL. This URL was injected into the document with an exploit marker “!” at the end of the URL for triggering the exploit template.

In one of the attacks carried out using the Follina exploit with a weaponized template injection, the document claimed to be a “VIP Invitation to Doha Expo 2023” (see Figure 5).

Screenshot of VIP invitation to Doha Expo 2023 and associated code
Figure 5: VIP invitation to Doha Expo 2023

When executed, the document (hash – 85829b792aa3a5768de66beacdb0a0ce) fetches the Follina exploit: https://files.attend-doha-expo[.]com/inv[.]html. The HTML file contains embedded JavaScript that invokes ms-msdt, thereby detonating the exploit and its payload.

Patchwork APT — LURE (LOTS) HEAT Technique

Patchwork is an APT group that is known to target industries related to diplomatic and government agencies. The modus operandi of this group is the use of malware generally derived via copy-paste from online forums.

In one of the recent attacks, a weaponized document claiming to be from the “Ministry of Defense, Pakistan” was used by the Patchwork APT group (see Figure 6).

Weaponized “Ministry of Defense, Pakistan” document with associated code
Figure 6: Weaponized “Ministry of Defense, Pakistan” document

The document (hash – ccf66fd0fc09ba0ea0d43d3e2f62f5fd) downloaded the template from the URL: http://office-fonts[.]herokuapp[.]com/en-us. This further downloads a password-protected PDF file, “Scan03.pdf.”

The URL used in the attack was hosted in a domain cloud platform, “Heroku.” Such use of websites with a benign/good reputation for delivering malware belongs to a HEAT technique called Legacy URL Reputation Evasion (LURE), or Living Off Trusted Sites (LOTS).

Targeted attacks using weaponized template injection documents

Several threat actors and groups have used weaponized template injection documents to carry out targeted attacks. While there are several threat groups using these weaponized documents, we have listed some of the most recent and/or ongoing attacks.

Menlo Protection

Customers using Menlo’s Cloud Security Platform powered by an Isolation Core™ are protected against template injection attacks by design. Menlo’s Cloud Security Platform opens all documents downloaded from the internet in its Isolation Core™, away from the user’s endpoint (see Figure 7).

Figure 7: Menlo protection against template injection attacks

The document is converted to a safe version of a document, which can be viewed by the user, while the inspection engines determine whether the file is good or bad. Menlo’s Safedoc feature strips out all the active content, thereby making sure that the malicious aspect is removed. Policies can also be configured to ensure that all documents from the internet are downloaded as a safe version.

Conclusion

This post details how weaponized template injection attacks are carried out by injecting malicious URLs into the document — also known as LotL attacks. This technique evades security tools and solutions because no typical suspicious indicators are in the document until the malicious template is fetched. Additionally, these attacks also use a popular Highly Evasive Adaptive Threat (HEAT) technique — Legacy URL Reputation Evasion (LURE) — in which the malicious template is hosted in websites with a benign/good reputation, or Living Off Trusted Sites (LOTS).

Menlo Labs will continue to monitor threat groups and campaigns using template injection attacks and share updates of our research.

Share this article

Make the secure way to work the only way to work.

To talk to a Menlo Security expert, complete the form, or call us at (650) 695-0695.