Template Injection

Template injection is an attack technique in which the adversary tampers with a document's template reference to get malicious code loaded, mainly abusing the template-loading mechanisms of document-processing software such as Microsoft Office and RTF readers. By inserting a reference to a template hosted on a remote server into the document, the adversary induces the application to download and execute the malicious payload automatically when the document is opened. With template injection, the malicious code is embedded in the template itself, and the payload is fetched and executed when the user opens the document that references it. Unlike traditional macros or scripts, this approach does not depend on injecting code directly into the document; because conventional defenses rely mainly on static document analysis to spot anomalous template references and on monitoring the network connections of document-processing processes, template injection can evade static detection effectively. Adversaries can distribute documents carrying malicious templates to victims through phishing emails or by poisoning shared content, further raising the attack's success rate.

The development of trace-concealment techniques defeats traditional defenses built on a single detection dimension, so a monitoring system covering the full document lifecycle is needed. Defenders should deploy combined detection measures such as dynamic sandbox behavior analysis, integrity checks on cloud-storage metadata, and threat hunting in encrypted traffic, and should establish an allow-list mechanism for template references, in order to respond effectively to new covert injection attacks.
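As an added defensive example (not code from the original page), the following Python script performs the static check described above: it opens a DOCX, reads the attached-template relationship from word/_rels/settings.xml.rels, and flags any external target whose host is not on an allow-list. The sample document and the hostnames in it are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Relationship type Word uses for an attached template (standard OOXML value).
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def remote_templates(docx_bytes, allowed_hosts=()):
    """Return [(target, verdict)] for each external attachedTemplate relationship.
    verdict is "allowed" when the target host is in allowed_hosts, else
    "suspicious". Non-external TargetModes are local templates and are skipped."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return findings
        root = ET.fromstring(z.read(SETTINGS_RELS))
    for rel in root.iter(RELS_NS + "Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE or rel.get("TargetMode") != "External":
            continue
        target = rel.get("Target", "")
        # http(s) URLs parse normally; a UNC path (\\host\share\x.dotm) has no
        # URL host, so take the first path component as the server name.
        host = urlparse(target).hostname or ""
        if target.startswith("\\\\"):
            host = target.lstrip("\\").split("\\")[0]
        verdict = "allowed" if host.lower() in allowed_hosts else "suspicious"
        findings.append((target, verdict))
    return findings


def build_sample_docx(target, mode="External"):
    """Build a minimal DOCX (constructed sample, not a real document) whose
    settings.xml points at `target` as its attached template."""
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{target}" TargetMode="{mode}"/></Relationships>'
    )
    settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/settings.xml", settings)
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()
```

The same relationship check can be pointed at a real file with remote_templates(open(path, "rb").read(), allowed_hosts={...}); an RTF document needs a separate text scan, since it carries its template reference in a \template control word rather than in a relationships part.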

ID: T1221
Sub-techniques:  No sub-techniques
Tactic: Defense Evasion
Platforms: Windows
Permissions Required: User
Defense Bypassed: Static File Analysis
Contributors: Brian Wiltse @evalstrings; Michael Raggi @aRtAGGI; Patrick Campbell, @pjcampbe11
Version: 1.3
Created: 17 October 2018
Last Modified: 12 January 2022

Trace-Concealment Effects

Effect type                     Present
Signature Camouflage
Behavioral Transparency
Data Obscuring
Spatiotemporal Trace Dispersal

Signature Camouflage

Adversaries hide malicious code by precisely imitating the structural features of legitimate documents. Through structure-mimicking injection they fully replicate the target organization's document template XML schema and digital-signature mechanism, so that the malicious document is indistinguishable from a normal one in surface features such as file format and digital certificate, evading static signature-based detection.

Data Obscuring

Adversaries can use encrypted channels, applying standard protocols such as TLS to encrypt the template-loading traffic end to end, so that network-layer inspection cannot parse the malicious instructions in the transmitted content. At the same time, document metadata and template-reference parameters are encrypted or obfuscated, further hindering the data-extraction capability of static analysis tools.

Procedure Examples

ID Name Description
G0007 APT28

APT28 used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro. [1]

S0631 Chaes

Chaes changed the template target of the settings.xml file embedded in the Word document and populated that field with the downloaded URL of the next payload.[2]

G0142 Confucius

Confucius has used a weaponized Microsoft Word document with an embedded RTF exploit.[3]

G0079 DarkHydrus

DarkHydrus used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable Forced Authentication.[4]

G0035 Dragonfly

Dragonfly has injected SMB URLs into malicious Word spearphishing attachments to initiate Forced Authentication.[5]

C0001 Frankenstein

During Frankenstein, the threat actors used trojanized documents that retrieved remote templates from an adversary-controlled website.[6]

G0047 Gamaredon Group

Gamaredon Group has used DOCX files to download malicious DOT document templates and has used RTF template injection to download malicious payloads.[7] Gamaredon Group can also inject malicious macros or remote templates into documents already present on compromised systems.[8][9][10][11][12][13]

G0100 Inception

Inception has used decoy documents to load malicious remote payloads via HTTP.[14]

C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group used DOCX files to retrieve a malicious document template/DOTM file.[15][16]

G0081 Tropic Trooper

Tropic Trooper delivered malicious documents with the XLSX extension, typically used by OpenXML documents, but the file itself was actually an OLE (XLS) document.[17]

S0670 WarzoneRAT

WarzoneRAT has been installed via template injection through a malicious DLL embedded within a template RTF in a Word document.[3]

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware

Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.[18]

M1042 Disable or Remove Feature or Program

Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents [19], though this setting may not mitigate the Forced Authentication use for this technique.

M1031 Network Intrusion Prevention

Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads.[18]

M1017 User Training

Train users to identify social engineering techniques and spearphishing emails that could be used to deliver malicious documents.

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).

DS0009 Process Process Creation

Analyze process behavior to determine if an Office application is performing actions, such as opening network connections, reading files, spawning abnormal child processes (ex: PowerShell), or other suspicious actions that could relate to post-compromise behavior.

References