Researchers from Cybereason Nocturnus Team have detected anomalous characteristics in a newly discovered RoyalRoad weaponiser that delivers a previously undocumented backdoor. The researchers have been tracking recent developments in the RoyalRoad when they uncovered an attack targeting a Russian-based defence contractor.
Spear-phishing attack targets Russian defence contractor
In this instance, the target of the spear-phishing attack was a general director working at the Rubin Design Bureau, a Russia-based defence contractor that designs nuclear submarines for the Russian Federation’s Navy.
The email used to deliver the initial infection vector was addressed to the “respectful general director Igor Vladimirovich” at the Rubin Design Bureau, a submarine design centre from the “Gidropribor” concern in St. Petersburg, a national research centre that designs underwater weapons.
How the RoyalRoad variant works
The research team defined RoyalRoad as a tool that generates weaponised RTF documents that exploit vulnerabilities in Microsoft’s Equation Editor including CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802. Microsoft’s Equation Editor was included in earlier versions of Word but was removed from all versions in the January 2018 Public Update because of security issues with its implementation.
The RoyalRoad weaponiser is also known as the 8.t Dropper/RTF exploit builder. The variant analysed had altered its encoded payload from the known “8.t” file to a new filename: “e.o”.
Once the RTF document is opened and executed, a Microsoft Word add-in file is dropped to the Microsoft Word start-up folder, a technique used to bypass detection of automatic execution persistence. The RTF is time-stamped to 2007, another technique used to go undetected.
This new variant drops the previously undocumented backdoor dubbed PortDoor, malware with multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more, according to Cybereason Nocturnus. The researchers expect more new variants to be under development.
The researchers did not have enough information to attribute this backdoor, but they said: “there are a couple of known Chinese APT groups that share quite a few similarities with the threat actor behind the new malware samples analysed in this blog.” Specifically, it contained a header encoding previously used by the Tonto Team, TA428 and Rancor threat actors.