Template injection attacks: protection against camouflaged URLs


Template injection attacks are often just a footnote in discussions of today’s top threats. Still, weaponized documents are becoming an increasingly pressing problem, as the Menlo Labs team highlighted in tracking a recent resurgence of such attacks.

Much of the current problem stems from attackers’ efforts to deliver this specific threat in ever-smarter ways. From web downloads and shared drives to text message streams and email threads, cybercriminals are becoming more inventive and sophisticated in the channels they use to deploy weaponized documents.

In my last column, I took an in-depth look at how weaponized template injection docs work and how to prevent them. If you’re new to this, I recommend checking it out first.

To quickly recap, template injection attacks are a living-off-the-land (LotL) technique: the adversary injects a URL into an otherwise benign-looking document so that, when it is opened, the document fetches and renders a malicious template hosted on a local or remote machine.

Since those early discoveries, the Menlo Labs team has expanded the scope of their studies of template injection attacks — efforts that have led us to encounter several weaponized documents that now employ an interesting cloaking technique.

Designed to hide URLs from the naked eye, these documents either contained a decimal IP address or used an obscure URL format to retrieve the remotely hosted template. The purpose is to circumvent file-based content inspection engines that specifically look for template URLs inside documents.

This specific technique – the one we’ve called Legacy URL Reputation Evasion (LURE) – is another example of a Highly Evasive Adaptive Threat (HEAT) technique that hackers use to bypass the traditional security stack that almost every organization uses.

Here, we’ll dive deeper into the specific use of camouflaged URLs in template injection attacks.

How attackers exploit complex IP address notations

Typically, an IPv4 address is written in dotted-decimal notation: four decimal octets in the format XXX.XXX.XXX.XXX.

Although this is the most common notation, it is not the only one. A variety of other notations can express the same address, including octal notation, hexadecimal notation, decimal/DWORD notation (the whole address written as a single 32-bit integer), binary notation, encoded notation, and mixed notation (a different notation for each octet).

Additionally, there is another one known as “0-optimized dotted-decimal notation”, in which zero octets are stripped or compressed (so 127.1 is understood as 127.0.0.1).

With the exception of binary notation, browsers accept this whole range of notations. Unfortunately, this convoluted notation landscape is exactly what challenges file-based content inspection engines, which makes the use of obscure URLs an attractive and practical avenue for threat actors.

Take the example of deceptive Uniform Resource Identifier (URI) semantic attacks.

Here, threat actors can use the ‘@’ userinfo subcomponent of the URI authority to create an obscure URL format or a misleading URI. An example of this might be “https://[email protected]”, where the “@” works as a delimiter: everything before it (“test”) is treated as userinfo and ignored, so the browser resolves the host that follows the “@” when the URL is entered in the address bar. The ‘://’ authority component can likewise be abused to create a misleading URI.

This turned out to be an interesting experiment for us: we discovered that the same trick works when the host after the “@” is written in octal, hexadecimal or decimal notation. We also identified that most applications treat links whose host is in octal, hexadecimal or decimal/DWORD notation as invalid and do not recognize them as links at all, even though a browser will happily resolve them.

Additionally, we found that an attacker can hide the malicious URL behind a benign-looking one. URLs such as “https://[email protected]” and “https://[email protected]”, for example, resolve to the host after the “@”, not to the familiar name placed in front of it.
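The following is an added example, not code from the column or from Menlo Labs, covering both the IP notation discussion above and the “@” userinfo trick. It implements the IPv4 host parsing rules that browsers follow (hexadecimal, octal, decimal/DWORD, mixed and 0-optimized parts, as in the WHATWG URL standard) and splits the authority the way a browser does, so that a URL extracted from a document can be normalized to the address it will actually reach. The function names and the sample URLs are this example’s own; the sample addresses are private or loopback ranges chosen for illustration.

```python
"""Normalize camouflaged hosts the way a browser resolves them.

Added example (not the column's own code). Sample URLs below are constructed.
"""
import re
from urllib.parse import urlsplit

_DEC = re.compile(r"[0-9]+")
_HEX = re.compile(r"0[xX][0-9a-fA-F]*")


def _ipv4_number(part: str):
    """Parse one dot-separated part as a browser would: 0x.. is hex,
    a leading zero means octal, anything else is decimal. None = not a number."""
    if _HEX.fullmatch(part):
        return int(part[2:], 16) if len(part) > 2 else 0   # "0x" alone is 0
    if len(part) > 1 and part[0] == "0":                  # leading zero => octal
        return int(part[1:], 8) if re.fullmatch(r"[0-7]+", part[1:]) else None
    return int(part, 10) if _DEC.fullmatch(part) else None


def browser_ipv4(host: str):
    """Return the dotted-decimal address a browser derives from `host`,
    or None if the host is a domain name or not a valid IPv4 literal."""
    parts = host.split(".")
    if len(parts) > 1 and parts[-1] == "":                # one trailing dot is tolerated
        parts.pop()
    # Only a host whose last label looks numeric is an IPv4 candidate;
    # "1.2.3.example.com" stays a domain name.
    if not parts or not (_DEC.fullmatch(parts[-1]) or _HEX.fullmatch(parts[-1])):
        return None
    if len(parts) > 4:
        return None
    numbers = [_ipv4_number(p) for p in parts]
    if any(n is None for n in numbers):
        return None
    *lead, last = numbers
    # Leading parts are single octets; the last part absorbs the missing
    # octets (127.1 -> 127.0.0.1, 2130706433 -> the whole 32-bit value).
    if any(n > 255 for n in lead) or last >= 256 ** (5 - len(numbers)):
        return None
    value = last + sum(n << (8 * (3 - i)) for i, n in enumerate(lead))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def decamouflage(url: str) -> dict:
    """Split a URL as a browser does and report what camouflages its host."""
    parts = urlsplit(url)
    raw_host = parts.hostname or ""      # urlsplit already drops userinfo and port
    resolved = browser_ipv4(raw_host)
    reasons = []
    if parts.username is not None:       # text before '@' is ignored for resolution
        reasons.append("userinfo-before-@")
    if resolved is not None and resolved != raw_host:
        reasons.append("non-canonical-ipv4")
    return {
        "userinfo": parts.username,
        "raw_host": raw_host,
        "resolves_to": resolved or raw_host,
        "reasons": reasons,
    }


# Constructed samples: each notation of 127.0.0.1, plus a benign-looking
# name smuggled in as userinfo in front of a DWORD address (192.168.1.1).
SAMPLES = {
    "https://2130706433/": "127.0.0.1",                     # decimal / DWORD
    "https://0x7f000001/": "127.0.0.1",                     # hexadecimal
    "https://017700000001/": "127.0.0.1",                   # octal
    "https://0x7f.0.0.1/": "127.0.0.1",                     # mixed
    "https://127.1/": "127.0.0.1",                          # 0-optimized dotted decimal
    "https://www.example.com@3232235777/": "192.168.1.1",   # userinfo + DWORD
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        info = decamouflage(url)
        assert info["resolves_to"] == expected
        print(f"{url:40} -> {info['resolves_to']:12} {', '.join(info['reasons'])}")
```

Run the file and each sample line shows the host a browser will contact next to the reasons it was flagged. Feeding a detector the normalized `resolves_to` value rather than the raw string is the point: reputation lookups and allow-lists keyed on the literal text in the document are exactly what the decimal and “@” variants are designed to slip past.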

Camouflaged URLs and protection against them

It may sound complicated, and its inner workings may be. Yet the key point is simple: non-standard but browser-supported IP notations and misleading URIs act as camouflage that attackers use to circumvent content inspection engines.

Indeed, there are three key methods hackers can use to achieve this:

  1. Create a link whose host is written in octal, hexadecimal or decimal notation, so that link-extracting applications treat the link as invalid and skip it while the browser still resolves it.
  2. Create a link with a misleading URI (semantic attack) by placing a benign-looking userinfo before the ‘@’ and the real host in octal, hexadecimal or decimal notation after it.
  3. Create a link with a misleading URI (semantic attack) by disguising a malicious URL with a benign URL placed before the ‘@’.

These methods are not new. Indeed, Trustwave cited examples of such URL evasions in September 2020, specifically pointing to the use of a hexadecimal-encoded IP address format and a semantic URL attack hiding a shortened URL.

However, we now see camouflaged URLs used in weaponized template injection documents, taking advantage of decimal notation or misleading URIs (semantic attacks) with decimal notation.

Interestingly, two documents we parsed that used URLs in decimal notation also padded them with multiple “.” and “-” characters as additional camouflage. It is essential to note, however, that none of this camouflage needs the user to do anything: the document resolves the URL on its own, without user intervention.

Indeed, when the weaponized document is opened, the camouflaged URL is resolved and downloads a template containing an RTF exploit (CVE-2017-11882) that drops malware such as FormBook, Snake Keylogger and SmokeLoader.

As we previously underlined, one of the most effective ways to protect against template injection attacks, whether camouflaged or not, is isolation technology.

Organizations can no longer rely on traditional security tools to protect against advanced threats tailor-made to circumvent outdated protection technologies. With isolation, all documents are opened in a cloud container away from the user’s endpoint, preventing any active or malicious content from reaching the endpoint.
