Researchers say a suspected Chinese advanced persistent threat actor (APT) targets the Russian defense sector with a previously undocumented backdoor malware.
The malware was dubbed PortDoor by the Cybereason Nocturnus Team. The researchers observed the attackers targeting the Rubin Design Bureau, which designs submarines for the Russian Federation’s Navy.
As the initial step of the attack, the attackers sent a phishing email to a general director named Igor Vladimirovich.
In this initial stage they used the RoyalRoad weaponizer, also known as the 8.t Dropper/RTF exploit builder, a tool previously used by several Chinese APTs such as Tick, Tonto Team, and TA428. This is one of the reasons the researchers believe Chinese cybercriminals are behind the attack.
The RoyalRoad tool generates weaponized RTF documents to exploit flaws in Microsoft’s Equation Editor (CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802).
RoyalRoad is not the only evidence that shows Chinese hackers’ involvement:
“The accumulated evidence, such as the infection vector, social-engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware, all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests,” according to a Cybereason analysis.
In the attacks, once the malicious RTF document was opened, the RoyalRoad tool fetched the PortDoor sample, which the researchers said was carefully obfuscated. Its functionality includes delivery of additional payloads, reconnaissance, target profiling, process manipulation, privilege escalation, evasion of static antivirus detection, one-byte XOR encryption, AES-encrypted data exfiltration, and more.
The backdoor decrypts the strings using a hardcoded 0xfe XOR key to unpack a command-and-control (C2) server address, a victim identifier, and some other information, according to the researchers.
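An analyst-side helper for the decoding step just described, added here as an example and not code from the Cybereason report: it tries all 256 single-byte XOR keys and scores each candidate by the C2-like artifacts (IP:port pairs, URLs, executable names) that appear once decoded, which generalises the hardcoded 0xfe case to samples where the key is not yet known. The config strings in the sample blob are constructed placeholders, not real PortDoor indicators.

```python
"""Recover single-byte-XOR-obfuscated configuration strings from a binary blob."""
import re
from typing import List, Tuple

# Artifacts an analyst expects to surface once config strings are decoded.
INDICATOR_RE = re.compile(
    rb"(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}"      # IPv4:port, e.g. 203.0.113.10:443
    rb"|https?://[\w.\-/:]+"                 # http(s) URL
    rb"|[\w\-]+\.(?:exe|dll)\b",             # Windows executable / library name
    re.IGNORECASE,
)

def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encoding and decoding are the same operation."""
    return bytes(b ^ key for b in data)

def c_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Split a decoded blob on NUL terminators and keep the printable ASCII strings."""
    out = []
    for chunk in data.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= b < 0x7F for b in chunk):
            out.append(chunk.decode("ascii"))
    return out

def rank_keys(blob: bytes) -> List[Tuple[int, int]]:
    """Score every candidate key by indicator matches in the decoded blob, best first.

    Returns (key, score) pairs; a plain printable-ratio score would tie many keys
    (XOR with 0x01 keeps most letters printable), so indicator patterns are used.
    """
    scored = [(len(INDICATOR_RE.findall(xor_single_byte(blob, k))), k) for k in range(256)]
    scored.sort(key=lambda t: (-t[0], t[1]))
    return [(k, s) for s, k in scored]

def decode_config(blob: bytes) -> Tuple[int, List[str]]:
    """Pick the best-scoring key and return it with the decoded NUL-separated strings."""
    key, score = rank_keys(blob)[0]
    if score == 0:
        raise ValueError("no candidate key produced recognisable strings")
    return key, c_strings(xor_single_byte(blob, key))

# Constructed sample: three NUL-terminated config strings obfuscated with the 0xFE key
# the report describes. The values are placeholders, not real PortDoor indicators.
PLAINTEXT = b"203.0.113.10:443\x00VICTIM-ID-PLACEHOLDER\x00explorer.exe\x00"
SAMPLE_BLOB = xor_single_byte(PLAINTEXT, 0xFE)

if __name__ == "__main__":
    key, strings = decode_config(SAMPLE_BLOB)
    print(f"key=0x{key:02x}", strings)   # key=0xfe ['203.0.113.10:443', ...]
```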
After the malware establishes a C2 connection, transferring data over raw TCP sockets or via HTTPS with proxy support, PortDoor can escalate privileges by stealing explorer.exe tokens. The malware gathers basic system information and exfiltrates it to the C2, after which it waits for further instructions from its operators.