Template injection attacks are often just a footnote in discussions about today’s top threats. Yet, weaponized documents are becoming an increasingly pressing problem, as has been highlighted by the Menlo Labs team in tracking a recent resurgence of such attacks.
Much of the present problem stems from attackers delivering this specific threat in ever more inventive ways. From web downloads and shared drives to text message feeds and email threads, cyber-criminals are becoming more creative and advanced in deploying decoy documents.
In my last column, I looked in depth at how weaponized template injection documents work and how to prevent them. If you’re new to the topic, I’d recommend checking it out first.
To quickly recap, template injection attacks are a form of living off the land (LotL) attack in which the adversary embeds a URL in a document's template reference so that, when the document is opened, the application fetches and renders a malicious template hosted locally or on a remote machine.
Since these initial findings, the Menlo Labs team has expanded the scope of its studies on template injection attacks, and in doing so has encountered several weaponized documents that use an interesting camouflage technique.
To hide the URL from the naked eye, these documents fetch the remotely hosted template using either a decimal IP address or an obscure URL format. The aim is to bypass file-based content inspection engines that look specifically for URL patterns.
This specific technique – one that we’ve termed Legacy URL Reputation Evasion (LURE) – is yet another example of a Highly Evasive Adaptive Threat (HEAT) technique that threat actors use to get past the traditional security stack that just about every organization uses.
Here, we will dive deeper into the specific use of camouflaged template injection attacks.
How Attackers Are Tapping into Complex IP Address Notations
Typically, an IP address is written in dotted-decimal notation, in the form XXX.XXX.XXX.XXX (four decimal numbers, each between 0 and 255).
While this is the most common notation, it isn't the only one. A variety of other notations can be used for IP addresses, including octal notation, hexadecimal notation, decimal/DWORD notation (the whole address as a single 32-bit integer), binary notation, encoded notation and mixed notation (components written in different bases).
Additionally, there is the '0 optimized dotted-decimal notation', in which the zeros in an address are suppressed or compressed, so that fewer than four components are written and the last component fills the remaining bytes (192.168.1 is read as 192.168.0.1).
Barring binary notation, browsers accept all of these. This complicated notation landscape poses a real challenge to file-based content inspection engines, which makes obscure URLs an enticing and feasible avenue for threat actors.
Consider misleading Uniform Resource Identifier (URI) semantic attacks as an example.
Here, threat actors use the '@' userinfo subcomponent of the URI authority to create an obscure URL format, or misleading URI. An example is 'https://test@google.com', where the '@' acts as a delimiter: 'test' is ignored as userinfo and the browser resolves the address to google.com. The trick only works when the scheme is followed by '//', because that is what makes the parser treat the text up to the next '/' as an authority component, within which anything before '@' is userinfo rather than the host.
This turned out to be an interesting experiment for us: we found that the same trick also works with the real host written in octal, hexadecimal or decimal notation after the '@'. We also identified, however, that most applications treat links written in octal, hexadecimal or decimal/DWORD notation as invalid, which is precisely what makes them useful for evasion.
In addition, we also found that an attacker can mask the malicious URL behind a benign URL. URLs such as ‘https://192.168.0.1@google.com’ and ‘https://youtube.com@google.com’, for example, resolve to google.com.
Camouflaged URLs and Protecting Against Them
This may sound complicated, and the inner workings of it can be. Yet, the key point is that the use of browser-supported non-standard IP notations and a misleading URI acts as camouflage, which attackers can use to bypass content inspection engines.
Indeed, there are three key methods that threat actors can tap into to achieve this:
- Create a link whose host is written in octal, hexadecimal or decimal notation, so that an application's URL checks treat the link as invalid and pass over it.
- Create a link with a misleading URI (semantic attack), putting a decoy before the '@' and the real host in octal, hexadecimal or decimal notation after it.
- Create a link with a misleading URI (semantic attack) by placing a benign-looking URL before the '@' to mask the malicious host after it.
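To make the notation rules and the '@' trick concrete, here is an added example (not code from the original column or from Menlo Labs) that normalizes an IPv4 host written in any of the browser-accepted notations back to dotted-decimal and reports which of the three camouflage methods above a URL uses. The decoding follows the inet_aton/WHATWG URL rules for IPv4 literals (hex with a 0x prefix, octal with a leading 0, up to four components with the last one filling the remaining bytes). The sample URLs are constructed for the example, with 192.168.0.1 and google.com standing in for an attacker host and a decoy, and are never contacted.

```python
import ipaddress
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample URLs for this example (not taken from real samples).
SAMPLE_URLS = [
    "https://www.example.com/template.dotm",        # ordinary URL
    "http://3232235521/template.dotm",              # decimal (DWORD) host
    "http://0xC0A80001/template.dotm",              # hexadecimal host
    "http://0300.0250.0.1/template.dotm",           # octal components
    "http://192.168.1/template.dotm",               # 0-optimized (three components)
    "https://google.com@3232235521/template.dotm",  # decoy userinfo + decimal host
    "https://192.168.0.1@google.com",               # decoy userinfo + ordinary host
]


def _parse_component(part: str) -> int:
    """One dotted component, inet_aton style: 0x.. is hex, leading 0 is octal, else decimal."""
    p = part.lower()
    if p.startswith("0x"):
        return int(p[2:] or "0", 16)  # the WHATWG URL parser treats a bare '0x' as zero
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p, 10)


def normalize_ip(host: str) -> Optional[str]:
    """Return the canonical dotted-decimal form of an IPv4 literal written in any
    inet_aton-style notation (octal, hex, decimal/DWORD, mixed, 0-optimized),
    or None if the string is not such a literal."""
    if not re.fullmatch(r"[0-9a-fA-FxX.]+", host):
        return None
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or "" in parts:
        return None
    try:
        values = [_parse_component(p) for p in parts]
    except ValueError:
        return None
    # All components but the last are single bytes; the last one fills the
    # remaining bytes, which is what makes "192.168.1" mean 192.168.0.1.
    remaining = 5 - len(parts)
    if any(v > 255 for v in values[:-1]) or values[-1] >= 256 ** remaining:
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    addr = (addr << (8 * remaining)) | values[-1]
    return str(ipaddress.IPv4Address(addr))


def classify_url(url: str) -> dict:
    """Report the host a browser would really connect to and which of the three
    camouflage methods the URL uses: 1 = obscure IP notation alone, 2 = obscure
    notation behind '@' userinfo, 3 = benign-looking userinfo in front of the real host."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit already drops userinfo and port
    canonical = normalize_ip(host)
    obscure_ip = canonical is not None and canonical != host
    decoy = parts.username               # text before '@'; None when there is no '@'
    if decoy is not None and parts.password is not None:
        decoy = f"{decoy}:{parts.password}"
    methods: List[int] = []
    if obscure_ip and decoy is None:
        methods.append(1)
    if obscure_ip and decoy is not None:
        methods.append(2)
    if not obscure_ip and decoy is not None:
        methods.append(3)
    return {"url": url, "decoy": decoy, "host": host,
            "resolves_to": canonical or host, "methods": methods}


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = classify_url(u)
        print(f"{u:48} -> {r['resolves_to']:14} methods={r['methods']}")
```

The important design point is that the inspection logic is driven by the host the client will actually connect to, computed the way a browser computes it, rather than by a regular expression over the raw string; an engine that only matches dotted-decimal patterns sees nothing suspicious in 'http://3232235521/' or 'https://google.com@3232235521/'.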
These methods are not new. Indeed, Trustwave cited examples of such URL evasions in September 2020, specifically pointing to the use of an encoded hexadecimal IP address format and a URL semantic attack that masked a shortened URL.
However, we’re now seeing camouflaged URLs used in weaponized template injection documents, leveraging either decimal notation or misleading URIs (semantic attacks) with decimal notation.
Interestingly, two of the documents we analyzed that used decimal notation URLs also contained several "." and "-" characters as additional camouflage. Critically, none of this camouflage requires anything of the user: the application resolves the URL automatically.
Upon opening the weaponized document, the camouflaged URL is resolved and the template is downloaded; it contains an RTF exploit for CVE-2017-11882 that drops malware such as FormBook, Snake Keylogger and SmokeLoader.
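The automatic resolution just described can be checked statically, before anyone opens the document. The following added example (not from the original column or from Menlo Labs) constructs a minimal docx-style package in memory and pulls the external template reference out of it. It assumes, from the OOXML packaging conventions rather than from anything the column states, that the reference lives in word/_rels/settings.xml.rels as a Relationship of type .../attachedTemplate with TargetMode="External"; it decodes only the decimal (DWORD) host form the column reports seeing in the wild, and the template URL it embeds is a constructed sample.

```python
import io
import ipaddress
import zipfile
from typing import List
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

# OOXML relationship type and part name for an attached template. These are
# assumed from the packaging conventions, not taken from the column.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def build_sample_docx(template_url: str) -> bytes:
    """Construct a minimal docx-style zip (for this example only, not a real
    sample) whose settings.xml.rels points at an external template."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_url}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Placeholder parts so the package looks document-like; a real docx
        # carries a full [Content_Types].xml and document body.
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


def external_templates(docx_bytes: bytes) -> List[dict]:
    """Return every external attachedTemplate target in the package, with any
    decoy userinfo separated from the host the application would really fetch from."""
    hits: List[dict] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read(SETTINGS_RELS))
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE or rel.get("TargetMode") != "External":
            continue
        target = rel.get("Target", "")
        parts = urlsplit(target)
        host = parts.hostname or ""
        # The column's samples hid the host as a single decimal (DWORD) number;
        # decode that form here. Octal, hex and mixed forms need a fuller decoder.
        if host.isdigit() and int(host) < 2 ** 32:
            host = str(ipaddress.IPv4Address(int(host)))
        hits.append({"target": target, "decoy": parts.username, "host": host})
    return hits


if __name__ == "__main__":
    doc = build_sample_docx("https://google.com@3232235521/template.dotm")
    for h in external_templates(doc):
        print(f"template target {h['target']!r}: decoy={h['decoy']!r}, fetches from {h['host']}")
```

Run against a real document, the same function gives a mail gateway or sandbox the one fact that matters: where the application will reach out to the moment the file is opened, regardless of how the URL was dressed up.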
As we previously pointed out, one of the most effective ways of protecting against template injection attacks – be it camouflaged or not – is through isolation technology.
Organizations can no longer rely on traditional security tools to protect against advanced threats that are tailor-made to bypass outdated protective technologies. With isolation, all documents are opened in a cloud container away from the user’s endpoint, preventing any active or malicious content from reaching the endpoint.