We have seen several examples of phishing emails delivering malicious RTF attachments disguised as other document file types by changing the file extension. We found these RTF files delivering what looks to be a version of the Dridex Banker Trojan.
There is current a zero-day exploit involving RTF files opened through Microsoft Word, it is unclear if these emails are utilizing this exploit due to the lack of information available about it, but there is certainly some indication that it is. You can read FireEye release about this exploit here.
It is important that you alert your staff to these malicious emails and advise them to:
– Avoid opening any attachments from unknown or unexpected senders
– Delete suspicious emails immediately
– Notify their IT Support/Security team if they have opened any emails or attachments that seemed suspicious
You may want to also consider blocking RTF attachments if your email filter support file type detection beyond just the filename extension. RTF files are generally rarely used in favour of word documents.
If the RTF document is opened and the exploit is successful, you may see the following word document. This is a decoy page loaded to ease suspicion when the malware is being installed.
The RTF exploit we discovered was named “Scan_89713.pdf” but starts with the base64 “e1xydGYx” indicating that it is a RTF file. This file will not render correctly in some PDF readers, but it is believed its intended to be opened by Microsoft Word, where some systems have been configured for PDF files to be opened by Microsoft Word.
Within the document is an embedded binary type object. The binary data is specified as objclass “OfficeDOC”, and it contents in HEX.
When converted from HEX the object is an OLE2link to a url with a word document called template.doc.
However, this is also an RTF file and not a word document file, within the template.doc file we find the following VBscript. This behaviour is like the FireEye release for the previously mentioned RTF zero day, except FireEye mentioned it downloading a RTF file disguised as ‘.hta’ not a ‘.doc’ as we discovered.
The script will fetch an exe file from hxxp:// btt5sxcx90 . com/7500.exe and copies it into the start-up folder in the start menu, then running it and closing the original word window. It then opens a new word window with a second downloaded file from hxxp:// btt5sxcx90 . com/sample.doc that just contains “ERROR OPEN DOCUMENT”.
In addition, the script will disable word protected mode through the Office Resiliency registry entries. Word protected mode stops macros and other active content from running from documents, as these are common malware delivery techniques.
The downloaded executable file hxxp:// btt5sxcx90 . com/7500.exe looks to be the Dridex banker Trojan. The VirusTotal reference found here.