
New backdoor attack by a Chinese APT group targets the Russian defense sector
The Cybereason Nocturnus team has been following the recent developments of the RoyalRoad Tool, also known as the 8.t Dropper/RTF Exploit Builder. Over the years, this tool has become part of the arsenal of various Chinese threat actors such as Tick, Tonto Team, and TA428, who regularly use RoyalRoad to launch spear-phishing attacks on high-profile targets.
Analyzing newly discovered RoyalRoad samples observed in the wild, the Nocturnus team uncovered one that not only exhibits anomalous characteristics, but also delivers PortDoor malware, a previously undocumented backdoor developed by a threat actor that is likely working on behalf of Chinese state interests.
According to the examined content of the phishing lure, the target of the attack was a director general of the Rubin Design Bureau, a Russia-based defense contractor that develops nuclear submarines for the Russian Navy.
RoyalRoad variants are under development: The examined variant of the RoyalRoad system changes its encrypted payload from the well-known file “8.t” to a new file name: “eo”. Other new variants are also likely to be in development.
Previously undocumented backdoor: RoyalRoad's newly discovered RTF variant delivers a previously undocumented backdoor called PortDoor, built with obfuscation and persistence in mind.
Attack targets: The threat actor is specifically targeting the Rubin Design Bureau, a part of the Russian Defense Sector that develops submarines for the Russian Federation Navy.
Extensive malware features: PortDoor has multiple functionalities including reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, evasion of static detection and anti-virus products, one-byte XOR string encryption, AES-encrypted data exfiltration and more.
The APT group operates on behalf of Chinese state interests: The accumulated evidence, such as the attack vector, the nature of the social engineering, the use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other well-known Chinese APT malware, all points to a threat actor acting on behalf of Chinese state interests.
RoyalRoad is a tool that generates RTF documents that exploit the following vulnerabilities in Microsoft's Equation Editor: CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802. RoyalRoad is primarily used by threat actors believed to be operating on behalf of Chinese state interests (e.g. Tick, Tonto Team, TA428, Goblin Panda, Rancor).
RoyalRoad exhibits fairly consistent characteristics, and most of the weaponized RTF documents drop an encrypted file called “8.t” which, once decrypted, can deliver a variety of payloads for different threat actors.
This report discusses a departure from the 'classic' RoyalRoad features: the name of the dropped object has been changed from the very consistent “8.t” naming convention to the new filename “eo”.
Once the RTF document is opened and the exploit runs, a Microsoft Word add-in file is placed in the Microsoft Word startup folder. This technique sidesteps detection logic that watches for immediate execution: the add-in is only triggered the next time Word is started, which makes it less noticeable.
Contrary to the usual “8.t” filename observed with most RoyalRoad payloads, this new RoyalRoad variant uses the “eo” name for the temporary payload file, which is eventually written to the MS Word startup folder as “winlog.wll”.
The payload named “winlog.wll” is a previously undocumented backdoor. Its main functions include:
The DLL itself has several export functions ranging from DllEntry00 to DllEntry33. Most of these exports simply run sleep loops, a likely anti-analysis measure. The main functionality is in DllEntry28 and DllEntry18.
To get the configuration information, the backdoor first decrypts its strings with a hard-coded 0xfe XOR key.
This can be used as an additional identifier for the target and also as a placeholder for the previous verification of this malware.
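The single-byte XOR string decryption described above, reproduced in Python as an added example (not code from the original report or from the malware). The sample string table is constructed from placeholder values, not real PortDoor indicators, and the key-ranking routine goes beyond the fixed-key case by scoring all 256 candidate keys, which is how an analyst would recover the key from a dumped blob if it were not already known.

```python
from typing import List, Tuple

PORTDOOR_XOR_KEY = 0xFE  # hard-coded single-byte key reported in the analysis


def xor_decrypt(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def extract_strings(blob: bytes, key: int, min_len: int = 4) -> List[str]:
    """Decrypt blob with key, then pull out NUL-separated printable ASCII runs."""
    plain = xor_decrypt(blob, key)
    found, run = [], bytearray()
    for b in plain:
        if 0x20 <= b < 0x7F:  # printable ASCII keeps the current run going
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def score_plaintext(plain: bytes) -> int:
    """Count bytes that look like a C string table: printable ASCII or NUL terminators."""
    return sum(1 for b in plain if b == 0 or 0x20 <= b < 0x7F)


def rank_keys(blob: bytes) -> List[Tuple[int, int]]:
    """Try all 256 single-byte keys and return (key, score) pairs, best first."""
    ranked = [(k, score_plaintext(xor_decrypt(blob, k))) for k in range(256)]
    ranked.sort(key=lambda ks: (-ks[1], ks[0]))
    return ranked


# Constructed sample string table (placeholders, not real PortDoor indicators),
# encrypted with the reported key so the decoder has realistic input to work on.
SAMPLE_STRINGS = [b"C2-HOST-PLACEHOLDER", b"CONNECT", b"winlog.wll"]
ENCRYPTED_SAMPLE = xor_decrypt(b"\x00".join(SAMPLE_STRINGS) + b"\x00", PORTDOOR_XOR_KEY)

if __name__ == "__main__":
    print(extract_strings(ENCRYPTED_SAMPLE, PORTDOOR_XOR_KEY))
    print(rank_keys(ENCRYPTED_SAMPLE)[:3])
```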
The malware then tries to establish a connection with the C&C server, transmitting data either over raw TCP sockets or over HTTPS using the CONNECT method. In addition, the backdoor appears to be proxy-aware and distinguishes between two HTTP response types: a “200” response and a “407” response (proxy authentication required).
PortDoor can also gain privileges through the access token theft technique, stealing the token of explorer.exe and executing under it.
Before the information is sent to the C&C server, the backdoor uses AES to encrypt the stolen PC information.
Another anti-analysis technique used by the PortDoor backdoor is dynamic API resolution. The backdoor hides most of its main functionality and avoids static detection of suspicious API calls by resolving its APIs at runtime instead of using static imports.
At the time of this analysis, not enough information had been collected to attribute the newly discovered backdoor to a known group with 100% certainty. However, there are some well-known Chinese APT groups whose tradecraft resembles that of the attackers.
Based on previous work by nao_sec, the Nocturnus team was able to determine that the RoyalRoad v7 RTF file discussed in this blog uses the header encoding “b0747746”. This has previously been observed in relation to the Tonto Team, TA428 and Rancor.
Both the Tonto Team and TA428 have been observed attacking Russian organizations in the past, specifically targeting research and defense targets. For example, it has been previously reported that the Tonto Team has targeted Russian organizations with the Bisonal malware.
Comparing the spear-phishing emails and malicious documents in these attacks to previously investigated phishing emails and decoy documents used by the Tonto Team against Russian organizations, there are certain similarities in the linguistic and visual style the attackers use in the phishing emails and documents.
The newly discovered backdoor does not appear to share any significant code similarities with previously known malware used by the above groups, aside from anecdotal similarities that are quite common among backdoors. This leads us to conclude that it is not a variant of a known malware family, but novel malware that was only recently developed.
Finally, we are also aware that other groups, known or not yet known, could be behind the attack and development of the PortDoor backdoor. We hope that over time and with more evidence collected, the attribution can become more concrete.
RoyalRoad has been one of the most widely used RTF exploit builders among Chinese threat actors in recent years. RoyalRoad is mostly observed in the initial compromise phase of targeted attacks, where victims are tricked through spear phishing into opening documents that exploit vulnerabilities in Microsoft Equation Editor to install various malware.
In this report we have discussed recent changes to the RoyalRoad tool that deviate from some of its well-documented and predictable indicators. This is possibly an indication that the threat actors deploying it are trying to avoid being caught by such low-hanging-fruit indicators.
We also reported the discovery of the novel PortDoor backdoor, a previously undocumented and stealthy tool that allows attackers access to their targets' machines to gather information and install additional payloads.
At the time of writing, it's still unclear which threat actors are behind the new backdoor, but we've identified two potential suspects who fit the profile. There is currently not enough information available to prove this hypothesis with any degree of certainty.