
T1221 Template Injection

Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts. For example, Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, .xlsx, .pptx) that replaces the older binary formats (.doc, .xls, .ppt). OOXML files are ZIP archives comprised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered.1

Properties within parts may reference shared public resources accessed via online URLs. For example, template properties may reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.

Adversaries may abuse these templates to initially conceal malicious code to be executed via user documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded.2 These documents can be delivered via other techniques such as Phishing and/or Taint Shared Content and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched.3 Examples have been seen in the wild where template injection was used to load malicious code containing an exploit.4

Adversaries may also modify the \*\template control word within an .rtf file to similarly conceal and then download malicious code. This legitimate control word is intended to hold the location of a template file resource that is retrieved and loaded when the .rtf file is opened. However, adversaries may alter the bytes of an existing .rtf file to insert a template control word field that points to a URL hosting a malicious payload.5 6

This technique may also enable Forced Authentication by injecting an SMB/HTTPS (or other credential-prompting) URL and triggering an authentication attempt.7 8 9
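The two injection points described above, as an added example that is not part of the ATT&CK page or of any tool it references: a small scanner that opens an OOXML package and reports every attachedTemplate relationship marked TargetMode="External", and parses an RTF file for a \*\template destination, decoding the \'hh hex escapes that are used to hide the target from a plain string search. Each target is then labelled by how Word would fetch it, because a UNC/SMB path is the Forced Authentication case rather than a template download. The sample documents, the .invalid hostname and the 203.0.113.7 address are constructed for the example.

```python
"""Find injected template references in OOXML and RTF documents.

Added example, not code from the ATT&CK page or any vendor tool. It checks:
  * OOXML: attachedTemplate relationship with TargetMode="External"
    (normally in word/_rels/settings.xml.rels)
  * RTF: a {\\*\\template <target>} destination, including \\'hh hex escapes
Sample documents are constructed in memory so the script runs offline.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RTF_TEMPLATE = re.compile(rb"\{\\\*\\template\s*([^}]*)\}")


def classify_target(target: str) -> str:
    """Label how Word would fetch the target; 'unc' is an SMB path, which makes
    the client authenticate (NTLM) to that host whether or not a file exists."""
    if target.startswith(("\\\\", "//")) or target.lower().startswith("file:"):
        return "unc"
    scheme = urlparse(target).scheme.lower()
    return scheme if scheme in ("http", "https") else "other"


def scan_ooxml(data: bytes) -> list:
    """Return every external attachedTemplate relationship in the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):   # relationships live only in .rels parts
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode", "Internal") == "External"):
                    target = rel.get("Target", "")
                    found.append({"part": name, "target": target,
                                  "kind": classify_target(target)})
    return found


def rtf_text(raw: bytes) -> str:
    """Decode an RTF destination body: \\'hh hex escapes and escaped \\ { }
    become plain bytes; any other control word or symbol is dropped."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] != b"\\":
            out += raw[i:i + 1]
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        if nxt == b"'":                          # \'hh: one byte as two hex digits
            try:
                out += bytes.fromhex(raw[i + 2:i + 4].decode("ascii"))
            except ValueError:
                pass
            i += 4
        elif nxt in (b"\\", b"{", b"}"):         # escaped delimiter
            out += nxt
            i += 2
        else:                                    # control word/symbol: skip it
            m = re.match(rb"\\[a-zA-Z]+-?\d*\s?", raw[i:])
            i += m.end() if m else 2
    return bytes(out).decode("latin-1").strip()


def scan_rtf(data: bytes) -> list:
    """Return every \\*\\template destination found in an RTF file."""
    found = []
    for m in RTF_TEMPLATE.finditer(data):
        target = rtf_text(m.group(1))
        found.append({"part": "rtf-header", "target": target,
                      "kind": classify_target(target)})
    return found


def scan_document(data: bytes) -> list:
    """Dispatch on magic bytes; Word also accepts a truncated '{\\rt' header."""
    if data.startswith(b"PK\x03\x04"):
        return scan_ooxml(data)
    if data.lstrip().startswith(b"{\\rt"):
        return scan_rtf(data)
    return []


def build_docx(target: str) -> bytes:
    """Constructed sample: minimal package with an external attachedTemplate."""
    settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{ATTACHED_TEMPLATE}" Target="{target}" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


def build_rtf(target: str, hex_obfuscate: bool = False) -> bytes:
    """Constructed sample: RTF with a template destination, optionally hex-escaped."""
    body = target.encode("latin-1")
    body = (b"".join(b"\\'%02x" % c for c in body) if hex_obfuscate
            else body.replace(b"\\", b"\\\\"))
    return b"{\\rtf1\\ansi{\\*\\template " + body + b"}\\pard Decoy text.\\par}"


if __name__ == "__main__":
    samples = {
        "docx-https": build_docx("https://template-host.invalid/blank.dotm"),
        "docx-unc": build_docx("\\\\203.0.113.7\\share\\blank.dotm"),
        "rtf-plain": build_rtf("https://template-host.invalid/page.rtf"),
        "rtf-hex-unc": build_rtf("\\\\203.0.113.7\\share\\t.rtf", hex_obfuscate=True),
    }
    for label, blob in samples.items():
        for f in scan_document(blob):
            print(f"{label:12} {f['kind']:6} {f['target']}  ({f['part']})")
```

A document that arrived by e-mail has no business fetching its template from the internet, so any external attachedTemplate or \*\template target is worth a look; a UNC target is an authentication trigger regardless of whether anything is served. The scanner walks every .rels part rather than only settings.xml.rels so a relationship placed in an unusual part is still reported, and it does not follow the target, which would itself generate the connection (and, for SMB, the NTLM exchange) that the attacker wants.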

Item Value
ID T1221
Sub-techniques
Tactics TA0005
Platforms Windows
Permissions required User
Version 1.3
Created 17 October 2018
Last Modified 12 January 2022

Procedure Examples

ID Name Description
G0007 APT28 APT28 used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro. 16
S0631 Chaes Chaes changed the template target of the settings.xml file embedded in the Word document and populated that field with the downloaded URL of the next payload.12
G0142 Confucius Confucius has used a weaponized Microsoft Word document with an embedded RTF exploit.11
G0079 DarkHydrus DarkHydrus used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable Forced Authentication.14
G0035 Dragonfly Dragonfly has injected SMB URLs into malicious Word spearphishing attachments to initiate Forced Authentication.13
C0001 Frankenstein During Frankenstein, the threat actors used trojanized documents that retrieved remote templates from an adversary-controlled website.26
G0047 Gamaredon Group Gamaredon Group has used DOCX files to download malicious DOT document templates and has used RTF template injection to download malicious payloads.5 Gamaredon Group can also inject malicious macros or remote templates into documents already present on compromised systems.18 19 20 21 22 23
G0100 Inception Inception has used decoy documents to load malicious remote payloads via HTTP.17
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group used DOCX files to retrieve a malicious document template/DOTM file.24 25
G0081 Tropic Trooper Tropic Trooper delivered malicious documents with the XLSX extension, typically used by OpenXML documents, but the file itself was actually an OLE (XLS) document.15
S0670 WarzoneRAT WarzoneRAT has been installed via template injection through a malicious DLL embedded within a template RTF in a Word document.11

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.7
M1042 Disable or Remove Feature or Program Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents,10 though this setting does not mitigate the Forced Authentication use of this technique, since the authentication attempt happens when the template is fetched, before any macro runs.
M1031 Network Intrusion Prevention Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.7
M1017 User Training Train users to identify social engineering techniques and spearphishing emails that could be used to deliver malicious documents.

Detection

ID Data Source Data Component
DS0029 Network Traffic Network Connection Creation
DS0009 Process Process Creation
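The two data components above, worked into detection logic as an added example (not part of the ATT&CK page): an Office process opening a network connection to a host that is not a known template server, an Office process connecting on an SMB port (the Forced Authentication case), and an Office process spawning a child. The events are constructed to resemble Sysmon process-create and network-connect records reduced to a few fields; the field names, the allowlisted 10.0.0.5 host and the 203.0.113.7 address are this example's own assumptions.

```python
"""Flag Office processes that reach out to the network or spawn children.

Added example, not from the ATT&CK page. Events are constructed to look like
Sysmon process-create (EID 1) and network-connect (EID 3) records reduced to
a few fields; the field names are an assumption of this example.
"""

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Hosts that legitimately serve templates (assumed; populate per environment).
ALLOWED_TEMPLATE_HOSTS = {"10.0.0.5"}
SMB_PORTS = {139, 445}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office(image: str) -> bool:
    return basename(image) in OFFICE_IMAGES


def alert_for(ev: dict):
    """Return an alert string for one event, or None when it is benign."""
    if ev["event"] == "network_connect" and is_office(ev["image"]):
        host, port = ev["dest_ip"], ev["dest_port"]
        if host in ALLOWED_TEMPLATE_HOSTS:
            return None
        if port in SMB_PORTS:
            # SMB from Word to an unknown host: the client will hand over an NTLM
            # response, which is the Forced Authentication path of this technique.
            return f"office-smb: {basename(ev['image'])} -> {host}:{port} (forced authentication?)"
        return f"office-net: {basename(ev['image'])} -> {host}:{port} (remote template fetch?)"
    if ev["event"] == "process_create" and is_office(ev.get("parent_image", "")):
        # A fetched template that carries a macro typically shows up as a child process.
        return f"office-child: {basename(ev['parent_image'])} spawned {basename(ev['image'])}"
    return None


def run_detections(events) -> list:
    """Apply alert_for to every event and keep the hits, in input order."""
    return [a for a in (alert_for(e) for e in events) if a]


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [  # constructed sample, not captured from a real host
    {"event": "process_create", "image": WORD, "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "network_connect", "image": WORD, "dest_ip": "10.0.0.5", "dest_port": 443},
    {"event": "network_connect", "image": WORD, "dest_ip": "203.0.113.7", "dest_port": 443},
    {"event": "network_connect", "image": WORD, "dest_ip": "203.0.113.7", "dest_port": 445},
    {"event": "process_create", "image": r"C:\Windows\System32\cmd.exe", "parent_image": WORD},
    {"event": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for line in run_detections(SAMPLE_EVENTS):
        print(line)
```

On the constructed events this yields three alerts: the HTTPS connection to the unknown host, the SMB connection to the same host, and cmd.exe under winword.exe; the connection to the allowlisted template server and the explorer-spawned notepad.exe are ignored. The allowlist is the part that needs tuning: organisations that host corporate templates on SharePoint or a file share will see Office fetch templates all day, so the network signal is only useful once known-good servers are excluded, and the SMB case deserves a lower threshold than the HTTPS case because there is rarely a legitimate reason for Word to authenticate to an unfamiliar host.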

References


  1. Microsoft. (2014, July 9). Introducing the Office (2007) Open XML File Formats. Retrieved July 20, 2018. 

  2. Wiltse, B. (2018, November 7). Template Injection Attacks - Bypassing Security Controls by Living off the Land. Retrieved April 10, 2019. 

  3. Hawkins, J. (2018, July 18). Executing Macros From a DOCX With Remote Template Injection. Retrieved October 12, 2018. 

  4. Segura, J. (2017, October 13). Decoy Microsoft Word document delivers malware through a RAT. Retrieved July 21, 2018. 

  5. Raggi, M. (2021, December 1). Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors. Retrieved December 9, 2021. 

  6. Pedrero, R. (2021, July). Decoding malicious RTF files. Retrieved November 16, 2021. 

  7. Intel_Acquisition_Team. (2018, March 1). Credential Harvesting and Malicious File Delivery using Microsoft Office Template Injection. Retrieved July 20, 2018. 

  8. Baird, S. et al. (2017, July 7). Attack on Critical Infrastructure Leverages Template Injection. Retrieved July 21, 2018. 

  9. Hanson, R. (2016, September 24). phishery. Retrieved July 21, 2018. 

  10. Microsoft. (n.d.). Enable or disable macros in Office files. Retrieved September 13, 2018. 

  11. Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021. 

  12. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. 

  13. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. 

  14. Falcone, R. (2018, August 07). DarkHydrus Uses Phishery to Harvest Credentials in the Middle East. Retrieved August 10, 2018. 

  15. Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018. 

  16. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019. 

  17. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020. 

  18. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020. 

  19. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. 

  20. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022. 

  21. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. 

  22. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022. 

  23. Secureworks CTU. (n.d.). IRON TILDEN. Retrieved February 24, 2022. 

  24. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021. 

  25. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. 

  26. Adamitis, D. et al. (2019, June 4). It’s alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.