Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers

Friday 4 October 10:00 - 10:30, Green room

Michael Raggi (Proofpoint)
Ghareeb Saad (Anomali)

Typographers and font designers quip that the divine fingerprint of the artist exists in the spaces between the letters. ("God is in the Kerning" – Matteo Bologna). They have also said "Nothing made by a human can avoid personal expression" (Hrant Papazian). Anomali Labs has conducted an in-depth study of the unique object dimensions present in weaponized RTF exploits used in phishing attacks. Through this research we have found that, like typographers, the developers of malicious RTF weaponizers leave behind a unique fingerprint on the malicious phishing attachments they create. This fingerprint can be found in the unique height and width of the malicious objects present in a phishing attachment. So, if God can be found in the kerning, as threat researchers we believe that attribution is in the object.

RTF files are among the most popular file formats used in phishing attacks today. Anomali Labs has tracked the unique object dimensions present in 22 RTF exploits for CVE-2018-8570, CVE-2018-0802, CVE-2017-11882, CVE-2017-0199, CVE-2014-1761 and CVE-2012-0158 to gain insight into the adversary's weaponization process. By identifying the object height and width of malicious RTF objects and creating Yara signatures to track them, analysts have identified APT campaigns related to three distinct Chinese APT groups (Temp.Periscope, Temp.Trident and Goblin Panda), one South Asian APT (Sidewinder), and the cybercriminal campaigns of a known Pakistani APT group (Gorgon Group/Subaat). This presentation and paper will cover basic RTF object metadata structure, how this data, when unique, can be used to track threat actors, and an in-depth case study of Chinese and Indian APTs utilizing a shared RTF phishing weaponizer to carry out diverse espionage campaigns across Asia and Central Europe. 

The audience will learn that weaponization has historically been a difficult kill chain phase into which to gain visibility as it occurs on the adversary network prior to delivery. However, this method developed by Anomali Labs has facilitated the tracking and attribution of 22 RTF phishing weaponizers based on the digital artifacts created during the weaponization phase. Yara signatures will be provided in the paper so that readers can benefit from the detection signatures created as a result of this analysis. And finally, a discussion regarding the adoption, distribution, and development (weaponizer life-cycle) of such RTF weaponizers will be included so that the audience may leave with a strategic understanding of this research that can be presented to non-technical decision makers within their IT organizations. Ultimately, we hope that the audience will leave with a greater understanding of RTF phishing, the imprint it leaves on an IT environment, and how it can be identified / prevented within their enterprise.




Michael Raggi

Michael A. Raggi is a senior threat research engineer at Proofpoint. Previously, he has worked as a senior threat intelligence analyst at Anomali, Sr. Cyber Intelligence Analyst at BAE Systems in the defence sector, and at Morgan Stanley in the financial sector as a dedicated analyst on the Cyber Threat Intelligence Team. His primary focus is tracking APT adversaries and tool development in the APAC region.




Ghareeb Saad

Ghareeb is the Threat Intelligence Manager at Anomali, with more than 11 years of experience in the field of cybersecurity. Previously he worked as a senior security researcher at Kaspersky as part of the Global Research and Analysis Team (GReAT). He was part of Kaspersky Lab’s R&D department, tracking top advanced threat actors and analysing state-sponsored cyber espionage campaigns. He also worked as a senior security analyst and incident handler for the Egyptian Computer Emergency Response Team (EGCERT), handling different kinds of security incidents and attacks on high-profile governmental entities. He participated in building and designing the EGCERT's Honey-Net project and established the EGCERT malware analysis and reverse engineering team where he led the team on incident handling and analysing APTs targeting the Egyptian government.


   Download slides    Read paper    Watch video

Back to VB2019 Programme page

Other VB2019 papers

Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers

Michael Raggi (Proofpoint)
Ghareeb Saad (Anomali)

Catch me if you can: detection of injection exploitation by validating query and API integrity

Abhishek Singh (Prismo Systems)
Ramesh Mani (Prismo Systems)

Panel: Where is threat intelligence headed?

Derek Manky (Fortinet)
Samir Mody (K7 Computing)
Heather King (CTA)
Warren Mercer (Cisco Talos)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.