
Once the malicious RTF document was opened, the RoyalRoad-generated file was seen dropping a unique PortDoor sample, which researchers say was designed with stealth in mind. It has multiple functionalities, including reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, evasion of static antivirus detection, one-byte XOR encryption, exfiltration of AES-encrypted data, and more.
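The one-byte XOR encryption mentioned above is a common obfuscation layer in backdoor configurations and strings, and it is also one of the easiest for an analyst to peel off during triage. The following script is an added example written for this page, not code from the article or from the researchers; it recovers a single-byte XOR key from a blob by scoring all 256 candidate keys against English letter frequencies (or by a known-plaintext fragment, if one is available) and then extracts the printable strings. The sample blob is constructed inline from a made-up configuration string and does not reflect PortDoor's real format.

```python
import string
from typing import Optional, Tuple, List

# Approximate English letter frequencies (percent), plus space. Used to rank
# candidate keys: the correct key yields the most "English-looking" bytes.
FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.8, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.1, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 1.0, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.07, " ": 13.0,
}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte (encryption and decryption are the same)."""
    return bytes(b ^ key for b in data)


def english_score(data: bytes) -> float:
    """Sum of letter-frequency weights for lowercase letters and spaces in data."""
    return sum(FREQ.get(chr(b), 0.0) for b in data)


def recover_xor_key(blob: bytes, known_plaintext: Optional[bytes] = None) -> Tuple[int, float]:
    """Return (key, score) for the most plausible single-byte XOR key.

    If a known plaintext fragment is supplied (e.g. a config field name the
    analyst expects), the first key that reveals it wins outright; otherwise
    keys are ranked by english_score() of the decoded blob.
    """
    best_key, best_score = 0, -1.0
    for key in range(256):
        decoded = xor_bytes(blob, key)
        if known_plaintext is not None and known_plaintext in decoded:
            return key, float("inf")
        score = english_score(decoded)
        if score > best_score:
            best_key, best_score = key, score
    return best_key, best_score


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return runs of printable ASCII (0x20-0x7e) of at least min_len bytes."""
    out: List[str] = []
    current = bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            current.append(b)
        else:
            if len(current) >= min_len:
                out.append(current.decode("ascii"))
            current = bytearray()
    if len(current) >= min_len:
        out.append(current.decode("ascii"))
    return out


# Constructed sample: a made-up backdoor configuration, NUL-separated, encrypted
# with a one-byte XOR key. Neither the layout nor the values are PortDoor's.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"c2=c2.example.invalid:443\x00id=workstation-17\x00key=aes-128-cbc\x00"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    key, score = recover_xor_key(SAMPLE_BLOB)
    print(f"recovered key 0x{key:02x} (score {score:.1f})")
    for s in extract_strings(xor_bytes(SAMPLE_BLOB, key)):
        print("  ", s)
```

The frequency-based ranking is what you fall back on when nothing about the plaintext is known; when the analyst can guess even a short fragment (a field name, a URL scheme), the known-plaintext path is both faster and unambiguous. Keys that merely flip the case bit or a low bit of the plaintext score noticeably lower than the true key because they push most letters out of the weighted set, which is why simple "count printable bytes" heuristics are not used here.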

How the PortDoor attack was carried out

Hackers, suspected of working for the Chinese government, have used a new malware called PortDoor to infiltrate the systems of an engineering company that designs submarines for the Russian Navy. They used a spear-phishing email specifically crafted to entice the CEO of the company to open a malicious document.

The attack started with the RoyalRoad weaponizer, also known as the 8.t Dropper / RTF exploit generator, a tool that Cybereason said is part of the arsenal of several Chinese APTs, such as Tick, Tonto Team and TA428. RoyalRoad generates weaponized RTF documents that exploit vulnerabilities in Microsoft’s Equation Editor (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802).
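RTF files that carry an Equation Editor exploit have a recognisable shape: an embedded OLE object whose class is Equation Editor, often marked with `\objupdate` so the object is activated as soon as the document renders. The triage script below is an added example written for this page, not code from the article or from Cybereason; it flags those indicators without parsing the exploit itself, which is all a mail gateway or first-pass analyst needs. The Equation Editor ProgID (`Equation.3`), its CLSID byte pattern and the `Equation Native` stream name are well-known attributes of Microsoft's Equation Editor 3.0 rather than values from the article, and the sample RTF is constructed inline.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Equation Editor 3.0 (EQNEDT32.EXE) identifiers, as they appear inside an
# embedded OLE object. The CLSID {0002CE02-0000-0000-C000-000000000046} is stored
# with its first three fields little-endian; the stream name is UTF-16LE.
EQUATION_CLSID_BYTES = bytes.fromhex("02ce020000000000c000000000000046")
EQUATION_NATIVE_UTF16 = "Equation Native".encode("utf-16-le")

_OBJCLASS = re.compile(rb"\\objclass\s+([^\\{}\s]+)", re.IGNORECASE)
_OBJUPDATE = re.compile(rb"\\objupdate\b", re.IGNORECASE)
_OBJDATA = re.compile(rb"\\objdata\b([^{}]*)", re.IGNORECASE)
_NON_HEX = re.compile(rb"[^0-9a-fA-F]")


@dataclass
class RtfFindings:
    obj_classes: List[str] = field(default_factory=list)  # every \objclass seen
    auto_update: bool = False          # \objupdate present: object activates on open
    equation_clsid: bool = False       # Equation Editor CLSID found in object data
    equation_native_stream: bool = False  # "Equation Native" stream name found

    @property
    def suspicious(self) -> bool:
        """True when any Equation Editor indicator is present."""
        by_class = any(c.lower().startswith("equation") for c in self.obj_classes)
        return by_class or self.equation_clsid or self.equation_native_stream


def _decode_objdata(raw: bytes) -> bytes:
    """Turn the hex stream following \\objdata into bytes, ignoring whitespace
    and any control words interleaved to obfuscate it."""
    hexstr = _NON_HEX.sub(b"", raw)
    if len(hexstr) % 2:
        hexstr = hexstr[:-1]
    return bytes.fromhex(hexstr.decode("ascii"))


def triage_rtf(data: bytes) -> RtfFindings:
    """Scan an RTF file for embedded Equation Editor objects."""
    findings = RtfFindings()
    if not data.lstrip().startswith(b"{\\rt"):  # "{\rtf1" (some samples truncate it)
        return findings
    findings.obj_classes = [m.group(1).decode("latin-1") for m in _OBJCLASS.finditer(data)]
    findings.auto_update = bool(_OBJUPDATE.search(data))
    for m in _OBJDATA.finditer(data):
        blob = _decode_objdata(m.group(1))
        if EQUATION_CLSID_BYTES in blob:
            findings.equation_clsid = True
        if EQUATION_NATIVE_UTF16 in blob:
            findings.equation_native_stream = True
    return findings


# Constructed sample: an OLE1 object header ("Equation.3" class name) followed by
# the CLSID and stream-name markers, wrapped in a minimal RTF document. It carries
# no exploit payload; it only reproduces the indicators a scanner keys on.
_OLE1_HEADER = bytes.fromhex("01050000" "02000000" "0b000000") + b"Equation.3\x00"
_SAMPLE_OBJDATA = (_OLE1_HEADER + b"\x00" * 8 + EQUATION_CLSID_BYTES + EQUATION_NATIVE_UTF16).hex().encode()
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata " + _SAMPLE_OBJDATA + b"}}}"
)
BENIGN_RTF = b"{\\rtf1\\ansi Hello, world.\\par}"


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, triage_rtf(doc))
```

Because RoyalRoad-style documents are known for obfuscating the `\objdata` hex stream, the decoder strips everything that is not a hex digit before decoding; a scanner that only regex-matches the literal `Equation.3` string would miss a sample whose class name is split by junk control words, so the CLSID and stream-name checks on the decoded bytes are the ones worth keeping in a detection rule.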

The use of RoyalRoad is one of the reasons the company believes a Chinese threat actor is behind the attack. The accumulated evidence, such as the infection vector, the social engineering style, the use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and known Chinese APT malware, all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests.

The threat actor targeted the Rubin Central Design Bureau for Marine Engineering in St. Petersburg, a defense contractor that designs most of Russia’s nuclear submarines. Cybereason Nocturnus threat researchers found that the attacker lured the recipient into opening the malicious document with an overview of an autonomous underwater vehicle.

See also:
Vollgar – Malware that is launched with brute force
What variants of Trojans can we find on the Internet?
