A threat actor believed to be working on behalf of Chinese state-sponsored interests was recently observed targeting a Russia-based defense contractor involved in designing nuclear submarines for the naval arm of the Russian Armed Forces.
The phishing
attack, which singled out a general director working at the Rubin Design
Bureau, leveraged the infamous "Royal Road" Rich Text Format (RTF)
weaponizer to deliver a previously undocumented Windows backdoor dubbed "PortDoor," according to Cybereason's Nocturnus threat
intelligence team.
"Portdoor
has multiple functionalities, including the ability to do reconnaissance,
target profiling, delivery of additional payloads, privilege escalation,
process manipulation static detection antivirus evasion, one-byte XOR
encryption, AES-encrypted data exfiltration and more," the researchers said in a write-up on Friday.
Rubin Design Bureau is
a submarine design center located in Saint Petersburg, accounting for the
design of over 85% of submarines in the Soviet and Russian Navy since its
origins in 1901, including several generations of strategic missile cruiser
submarines.
Over the years, Royal
Road has earned its place as a tool of choice among an array of Chinese threat actors
such as Goblin Panda, Rancor Group, TA428, Tick, and Tonto Team. Known for
exploiting multiple flaws in Microsoft's Equation Editor (CVE-2017-11882, CVE-2018-0798, and
CVE-2018-0802) as far back as late 2018, the attacks take the form of targeted
spear-phishing campaigns that utilize malicious RTF documents to deliver custom
malware to unsuspecting high-value targets.
This newly discovered attack is no different, with the adversary
using a spear-phishing email addressed to the submarine design firm as an
initial infection vector. This email comes embedded with a malware-laced
document, which, when opened, drops an encoded file called "e.o" to
fetch the PortDoor implant. The encoded payload dropped by previous versions of
Royal Road typically go by the name of "8.t," implying a new variant
of the weaponizer in use.
Said to be engineered with obfuscation and persistence in mind,
PortDoor runs the backdoor gamut with a wide range of features that allow it to
profile the victim machine, escalate privileges, download, and execute
arbitrary payloads received from an attacker-controlled server, and export the
results back to the server.
"The infection vector, social engineering style, use of
RoyalRoad against similar targets, and other similarities between the newly
discovered backdoor sample and other known Chinese APT malware all bear the
hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests,"
the researchers said.
Comments
Post a Comment