How are hackers using RTF files to infect victims and what can my enterprise do to stay protected?
Rich Text Format (RTF) files have long been considered a safer file type to share with others. Fewer vulnerabilities have been found in RTF than in other file formats because RTF lacks the extensive functionality that gives attackers something to exploit in .doc files. It does, however, have significantly more features than raw text files, making it attractive to enterprises.
Trend Micro published a blog post describing a social-engineering attack that gets a user to click on a malicious document embedded in an RTF file. (The RTF file format allows other files to be embedded in it, and users can manually open the embedded file directly from the WordPad application in Windows.) Trend Micro reported that the malicious files contained instructions in Portuguese or German to open the embedded file to view a receipt which, in actuality, is a malicious CPL, or control panel, file (used for displaying icons in the control panel) that downloads the Zbot/Zeus malware. This is an uncommon way for the malware to spread.
Note that there are very few legitimate reasons to embed files in RTF files, meaning that any RTF file with an embedded file should be considered suspicious. Enterprises can best protect their endpoints by using anti-spam or antimalware software that inspects email and/or network traffic, or by leveraging devices that use deep inspection to identify embedded files and quarantine them.
Enterprises could also keep endpoints safe by converting all RTF attachments to images or other file formats that don't contain these vulnerabilities; however, this could negatively impact file sharing capabilities. RTF files could also be blocked outright because they're much less frequently used than .doc or PDF files, but this wouldn't stop malware from entering via other file attachments. Enterprises could also consider blocking all file attachments from external email addresses, but this dramatic response could also negatively impact business functionality. Given these tradeoffs, the most reliable option may be endpoint antimalware software or network inspection devices such as intrusion prevention systems, antimalware network appliances and next-generation firewalls.
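The check described above, that any RTF attachment carrying an embedded file should be treated as suspicious, can be sketched as a small mail-gateway filter. This is an added example, not code from Trend Micro or the original article; the function names, the `RISKY_EXT` policy list and the sample document are assumptions constructed for illustration, and the scan assumes the object payload is stored as plain hex.

```python
import re
import struct

# RTF control words that mark an embedded or linked OLE object.
OBJECT_WORDS = re.compile(rb"\\(object|objemb|objlink|objclass|objdata)\b")
# Hex payload after \objdata, up to the brace that closes its group.
OBJDATA = re.compile(rb"\\objdata\b([^{}]*)")
# Extensions treated as executable here (assumed policy list, adjust locally).
RISKY_EXT = (b".cpl", b".exe", b".scr", b".dll", b".js", b".vbs")

def ole_class_name(blob):
    """Read the class name from an OLE 1.0 object header, or None."""
    if len(blob) < 12:
        return None
    _version, _format_id, name_len = struct.unpack_from("<III", blob, 0)
    if name_len == 0 or 12 + name_len > len(blob):
        return None
    return blob[12:12 + name_len].rstrip(b"\x00").decode("ascii", "replace")

def inspect_rtf(data):
    """Return a verdict dict for one attachment given as bytes."""
    if not data.lstrip().startswith(b"{\\rt"):
        return {"is_rtf": False, "quarantine": False, "objects": []}
    words = sorted({m.group(1).decode() for m in OBJECT_WORDS.finditer(data)})
    objects = []
    for m in OBJDATA.finditer(data):
        # Whitespace and line breaks are legal inside the hex payload.
        digits = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))
        blob = bytes.fromhex(digits[: len(digits) // 2 * 2].decode())
        hits = [e.decode() for e in RISKY_EXT if e in blob.lower()]
        objects.append({"class": ole_class_name(blob), "size": len(blob),
                        "risky_names": hits})
    # Per the guidance above, any embedded object is enough to quarantine.
    return {"is_rtf": True, "quarantine": bool(words),
            "control_words": words, "objects": objects}

def build_sample():
    """Constructed sample: RTF holding an OLE Package that names a .cpl file."""
    native = b"\x02\x00receipt.cpl\x00" + b"\x00" * 8  # inert filler, not a real CPL
    header = struct.pack("<III", 0x0501, 2, 8) + b"Package\x00"
    header += struct.pack("<III", 0, 0, len(native))
    return (b"{\\rtf1\\ansi Open the attached receipt."
            b"{\\object\\objemb{\\*\\objclass Package}\\objw1\\objh1"
            b"{\\*\\objdata " + (header + native).hex().encode() + b"}}}")

if __name__ == "__main__":
    print(inspect_rtf(build_sample()))
    print(inspect_rtf(b"{\\rtf1\\ansi Plain memo.\\par}"))
```

The `quarantine` flag follows the article's rule that the mere presence of an embedded object is the signal; the class name and `risky_names` fields only add triage detail for an analyst.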
Ask the Expert!
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now! (All questions are anonymous.)