A hacker believed to be working on behalf of Chinese state-sponsored interests was found targeting a Russia-based defense contractor that designs nuclear submarines for the naval arm of the Russian Armed Forces.
According to Cybereason’s Nocturnus threat intelligence team, the phishing attack, which singled out a general director working at the Rubin Design Bureau, leveraged the infamous “Royal Road” Rich Text Format (RTF) weaponizer to deliver a previously undocumented Windows backdoor dubbed “PortDoor.”
The researchers stated that PortDoor has multiple functionalities, including reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static-detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration, and more.
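The one-byte XOR layer mentioned above is the kind of encoding an analyst has to strip before a dropped payload can be examined. The following is an added example, not Cybereason’s code or anything recovered from the actual sample: it brute-forces all 256 single-byte keys over a constructed blob and picks the key whose output looks like a Windows PE file. That the decoded payload is a PE is an assumption made for the illustration; the fake PE bytes and the key 0x5A are constructed here.

```python
# Marker string present in the DOS stub of nearly every Windows PE file.
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR to every byte (encoding and decoding are the same op)."""
    return bytes(b ^ key for b in data)


def _printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def recover_xor_key(blob: bytes):
    """Try all 256 one-byte keys and return (key, reason) for the best candidate.

    A decode that yields an 'MZ' header plus the DOS stub string is treated as
    conclusive.  Failing that, a decode that is almost entirely printable text
    is reported as a weak candidate; several keys can tie on that metric, so the
    reason string tells the caller how much to trust the result.
    """
    for key in range(256):
        plain = xor_bytes(blob, key)
        if plain[:2] == b"MZ" and DOS_STUB in plain:
            return key, "pe-header"

    best_key, best_ratio = None, 0.0
    for key in range(256):
        ratio = _printable_ratio(xor_bytes(blob, key))
        if ratio > best_ratio:
            best_key, best_ratio = key, ratio
    if best_ratio >= 0.9:
        return best_key, "printable-text"
    return None, "no-candidate"


# Constructed stand-in for an encoded dropped file: a minimal fake PE header
# XORed with a made-up key.  Not bytes from any real sample.
_FAKE_PE = (
    b"MZ\x90\x00" + b"\x00" * 56
    + DOS_STUB + b".\r\n$" + b"\x00" * 8
    + b"PE\x00\x00"
)
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(_FAKE_PE, SAMPLE_KEY)


if __name__ == "__main__":
    key, reason = recover_xor_key(SAMPLE_BLOB)
    print(f"recovered key: {key:#04x} ({reason})")
    print("decoded header:", xor_bytes(SAMPLE_BLOB, key)[:2])
```

The PE-header check is deliberately strict: a single-byte XOR preserves byte positions, so if the key is right the `MZ` magic lands at offset 0 and the DOS stub text appears intact. The printable-text fallback is only a hint, because for short text inputs more than one key can produce all-printable output.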
Rubin Design Bureau is a submarine design center located in Saint Petersburg, accounting for the design of over 85% of submarines in the Soviet and Russian Navy since its origins in 1901, including several generations of strategic missile cruiser submarines.
Royal Road has been the tool of choice among numerous Chinese threat actors such as Goblin Panda, Rancor Group, TA428, Tick, and Tonto Team. It has been used to exploit multiple flaws in Microsoft’s Equation Editor (CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802) as far back as late 2018. The attacks take the form of targeted spear-phishing campaigns that use malicious RTF documents to deliver custom malware to unsuspecting high-value targets.
The newly discovered attack used a spear-phishing email addressed to the submarine design firm as the initial infection vector. The email carries a malware-laced document which, when opened, drops an encoded file called “e.o” that fetches the PortDoor implant. Earlier versions of Royal Road dropped the encoded payload under the name “8.t,” which implies that a new variant of the weaponizer is in use.
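Because Royal Road documents rely on an embedded Equation Editor OLE object, a mail gateway or triage script can flag RTF attachments that carry one before a user ever opens them. The code below is an added example written for this article, not Cybereason’s tooling and not a signature for the specific document described: it pulls the hex-encoded `\objdata` streams out of an RTF, looks for the Equation Editor class name, the Equation Editor 3.0 CLSID, an OLE2 compound-file header, and the `\objupdate` control word that makes the object load on open. Both RTF samples are constructed for the illustration.

```python
import re

# Equation Editor 3.0 class id {0002CE02-0000-0000-C000-000000000046}, in the
# little-endian byte layout it takes inside OLE structures.
EQNEDT_CLSID = bytes.fromhex("02ce020000000000c000000000000046")
# Magic bytes of an OLE2 compound file, the container Equation Editor objects live in.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

_OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")
_OBJCLASS_RE = re.compile(r"\\objclass\s+Equation\.", re.IGNORECASE)


def extract_objdata(rtf: str) -> list:
    """Return the decoded \\objdata blobs in an RTF document.

    RTF stores embedded OLE objects as hex text, often with whitespace or
    line breaks interleaved, so the hex is normalised before decoding.
    """
    blobs = []
    for match in _OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(r"\s+", "", match.group(1))
        if len(hexstr) % 2:          # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        try:
            blobs.append(bytes.fromhex(hexstr))
        except ValueError:
            continue
    return blobs


def triage_rtf(rtf: str) -> dict:
    """Flag RTF features associated with Equation Editor exploit documents."""
    blobs = extract_objdata(rtf)
    findings = {
        "embedded_objects": len(blobs),
        # \objupdate forces the OLE object to activate as soon as the file opens
        "objupdate": "\\objupdate" in rtf,
        # class name may be declared as a control word or appear inside the OLE1 header
        "equation_class": bool(_OBJCLASS_RE.search(rtf))
        or any(b"Equation." in b for b in blobs),
        "ole2_container": any(OLE2_MAGIC in b for b in blobs),
        "eqnedt_clsid": any(EQNEDT_CLSID in b for b in blobs),
    }
    # Equation Editor objects are rare in legitimate modern documents; either
    # indicator alone is enough to hold the attachment for review.
    findings["suspicious"] = findings["equation_class"] or findings["eqnedt_clsid"]
    return findings


# Constructed RTF with an embedded OLE1 object declaring the Equation.3 class,
# followed by an OLE2 header and the Equation Editor CLSID (not a real exploit file).
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0 {\fonttbl{\f0 Arial;}}"
    r"{\object\objemb\objupdate{\*\objclass Equation.3}"
    r"{\*\objdata 01050000 02000000 0b000000 4571756174696f6e2e3300 00000000 00000000 "
    "d0cf11e0a1b11ae1 00000000 02ce020000000000c000000000000046}}"
    r"\par Quarterly report attached.}"
)

# Constructed benign RTF with no embedded objects.
BENIGN_RTF = r"{\rtf1\ansi\deff0 {\fonttbl{\f0 Arial;}} \par Hello.}"


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, triage_rtf(doc))
```

This catches the object type rather than any one exploit, so it also flags legitimate documents that still embed Equation Editor 3.0 formulas; in practice those are rare enough that quarantining them for review is an acceptable cost. The dropped file names the article mentions (“e.o”, “8.t”) are host artifacts created after exploitation and are better checked by endpoint telemetry than by scanning the attachment.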
PortDoor, which has been designed with obfuscation and persistence in mind, runs the backdoor gamut with a wide range of features that allow it to profile the victim machine, escalate privileges, download and execute arbitrary payloads received from an attacker-controlled server, and export the results back to the server.
The researchers stated that the infection vector, the social engineering style, the use of Royal Road against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware point to a threat actor operating on behalf of Chinese state-sponsored interests.