PortDoor - New Chinese APT backdoor attack

New backdoor attack by a Chinese APT group targets the Russian defense sector

The Cybereason Nocturnus Team

The Cybereason Nocturnus team has been following the recent developments of the RoyalRoad Tool, also known as the 8.t Dropper/RTF Exploit Builder. Over the years, this tool has become part of the arsenal of various Chinese threat actors such as Tick, Tonto Team, and TA428, who regularly use RoyalRoad to launch spear-phishing attacks on high-profile targets.

Analyzing newly discovered RoyalRoad samples observed in the wild, the Nocturnus team uncovered one that not only exhibits anomalous characteristics but also delivers PortDoor, a previously undocumented backdoor developed by a threat actor that is likely working on behalf of Chinese state interests.

According to the examined content of the phishing lure, the target of the attack was a director general of the Rubin Design Bureau, a Russia-based defense contractor that develops nuclear submarines for the Russian Navy.

Key Findings

RoyalRoad variants are under development: The examined RoyalRoad variant changes the name of its encrypted payload from the well-known “8.t” to the new file name “eo”. Other new variants are likely in development as well.

Previously undocumented backdoor: The newly discovered RoyalRoad RTF variant delivers a previously undocumented backdoor, PortDoor, built with obfuscation and persistence in mind.

Attack target: The threat actor specifically targets the Rubin Design Bureau, a part of the Russian defense sector that develops submarines for the Russian Federation Navy.

Extensive malware features: PortDoor has multiple functionalities including reconnaissance, victim profiling, downloading additional payloads, privilege escalation, process manipulation, evasion of static detection and anti-virus products, one-byte XOR encryption of strings, AES-encrypted exfiltration of collected data and more.

The APT group operates on behalf of Chinese state interests: The accumulated evidence, such as the attack vector, the nature of the social engineering, the use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and well-known Chinese APT malware, all points to a threat actor acting on behalf of Chinese state interests.

Analysis of the spear phishing attack

Introduction to Royalroad

RoyalRoad is a tool that generates RTF documents that exploit the following vulnerabilities in Microsoft's Equation Editor: CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802. RoyalRoad is primarily used by threat actors believed to be operating on behalf of Chinese state interests (e.g. Tick, Tonto Team, TA428, Goblin Panda, Rancor).

RoyalRoad exhibits fairly consistent characteristics, and most of the RTF-armed documents typically drop an encrypted file called “8.t” which – once decrypted – can deliver a variety of payloads for different threat actors.

This report discusses a departure from the 'classic' RoyalRoad features: the name of the dropped file has changed from the very consistent “8.t” naming convention to the new file name “eo”.

Spear phishing email delivers RoyalRoad RTF

The initial attack vector is a spear phishing email addressed to “…General Director Igor Vladimirovich” at the Rubin Design Bureau, a St. Petersburg-based submarine research center of the “Gidropribor” concern, which develops underwater weapons and submarine designs:

[Figure: the spear phishing email sent to the Rubin Design Bureau]

The email attachment is a malicious RTF document weaponized with RoyalRoad, whose visible content describes a general view of an autonomous underwater vehicle:

[Figure: the RoyalRoad RTF lure document]

The creation date of the RTF has been pushed back to 2007, presumably to thwart investigation or discovery efforts. Time shifting (timestomping) is a well-known technique used by threat actors to try to stay under the radar:

[Figure: the RTF's document history showing the back-dated creation time]
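As an added example that is not part of the original report: a small Python check that parses the timestamps in an RTF \info group and flags a back-dated creation time like the one described above. The RTF fragment is constructed here, and the 2017 reference year (when the exploited Equation Editor bugs became public) and the heuristics are my own assumptions.

```python
# Added example (not from the Cybereason report): parse the \creatim and \revtim
# groups of an RTF \info block and flag a back-dated creation time.
import re
from datetime import datetime

# Constructed \info block: creation pushed back to 2007 (as in the report),
# revision in 2021 (made-up value).
SAMPLE_RTF = (rb"{\rtf1\ansi{\info{\creatim\yr2007\mo5\dy12\hr9\min30}"
              rb"{\revtim\yr2021\mo4\dy14\hr11\min7}}\pard lure text\par}")

TIME_GROUP = re.compile(rb"\\(creatim|revtim|printim|buptim)((?:\\[a-z]+\d+)*)")
FIELD = re.compile(rb"\\(yr|mo|dy|hr|min|sec)(\d+)")


def parse_rtf_times(rtf: bytes) -> dict:
    """Return the timestamps of an RTF \\info group keyed by control word.
    RTF omits fields whose value is zero, so missing parts default to 0/1."""
    times = {}
    for name, fields in TIME_GROUP.findall(rtf):
        parts = {k.decode(): int(v) for k, v in FIELD.findall(fields)}
        times[name.decode()] = datetime(
            parts.get("yr", 1900), parts.get("mo", 1) or 1, parts.get("dy", 1) or 1,
            parts.get("hr", 0), parts.get("min", 0), parts.get("sec", 0))
    return times


def timestamp_anomalies(times: dict, exploit_year: int) -> list:
    """Heuristics assumed here (not the report's): a creation date years before
    the exploited vulnerability was public, or later than the last revision,
    both suggest the creation timestamp was tampered with."""
    findings = []
    created, revised = times.get("creatim"), times.get("revtim")
    if created and created.year < exploit_year:
        findings.append(f"creatim {created:%Y-%m-%d} predates exploit year {exploit_year}")
    if created and revised and created > revised:
        findings.append("creatim is later than revtim")
    return findings


if __name__ == "__main__":
    for finding in timestamp_anomalies(parse_rtf_times(SAMPLE_RTF), 2017):
        print(finding)
```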

Once the RTF document is opened and the exploit runs, a Microsoft Word add-in file is written to the Microsoft Word startup folder. This technique avoids the detection that immediate automatic execution would trigger: Word has to be restarted before the add-in is loaded, which makes the execution less conspicuous.

Contrary to the usual “8.t” file name observed with most RoyalRoad payloads, this new RoyalRoad variant uses the name “eo” for the temporary payload file, which is eventually written as “winlog.wll” to the MS Word startup folder:

[Figure: The execution of the RTF file and the files stored on disk]

[Figure: Cybereason detection of the PortDoor backdoor]

Portdoor backdoor analysis

The payload named “winlog.wll” is a previously undocumented backdoor. Its main functions include:

  • Gathering information about and profiling the victim's machine
  • Receiving commands and downloading additional payloads from the C&C server
  • Communicating with the C&C server via raw sockets and HTTP over port 443, with support for proxy authentication
  • Privilege escalation and process manipulation
  • Dynamic API resolution to evade static detection
  • One-byte XOR encryption of sensitive data and configuration strings
  • AES encryption of the collected information before it is sent to the C&C server

Detailed analysis

The DLL itself has several export functions named DllEntry00 through DllEntry33. Most of these exports merely run sleep loops, a likely anti-analysis measure. The main functionality lives in DllEntry28 and DllEntry18:

[Figure: PortDoor backdoor DLL exports]

To get the configuration information, the backdoor first decrypts the strings with a hard-coded 0xfe XOR key:

[Figure: String decryption routine]
The decrypted data contains the following configuration information:

[Figure: The decrypted strings in memory]

  Decrypted string     Purpose
  45.63.27[.]162       C&C address
  Kr*^j4               N/A
  B-JDUN               Victim identifier
  58097616.tmp         Name of the data file written to %temp%
  0987654321 fedcba    AES-CBC key
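As an added example that is not part of the original report: the one-byte XOR scheme described above is trivially reversible, and when the key byte is not yet known it can be recovered by brute force using the kind of strings a backdoor configuration is expected to contain. The sample ciphertext is constructed here from the strings in the table above; the crib patterns and function names are my own.

```python
# Added example (not from the Cybereason report): decode a configuration block
# that was XOR-encrypted with a single hard-coded key byte (0xfe on this sample),
# and recover that key from ciphertext alone when it is not yet known.
import re
import string

KNOWN_KEY = 0xFE
PRINTABLE = set(string.printable.encode())
# Cribs an analyst expects in a backdoor config: a dotted IPv4 (defanged or
# not) and a .tmp file name, as seen in this sample's decrypted strings.
CRIBS = [rb"\d{1,3}(?:\[?\.\]?\d{1,3}){3}", rb"\.tmp\b"]

# Constructed sample: NUL-separated strings from the report, XORed with 0xfe.
PLAIN_CONFIG = b"\x00".join([
    b"45.63.27[.]162",   # C&C address (defanged as in the report)
    b"Kr*^j4",           # purpose unknown
    b"B-JDUN",           # victim identifier
    b"58097616.tmp",     # data file written to %temp%
])
ENCRYPTED_CONFIG = bytes(b ^ KNOWN_KEY for b in PLAIN_CONFIG)


def xor_decrypt(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse: the same routine encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def split_strings(blob: bytes) -> list:
    """Split a NUL-separated string table, dropping empty entries."""
    return [s.decode("latin-1") for s in blob.split(b"\x00") if s]


def score(plain: bytes) -> tuple:
    """Rank a candidate plaintext: crib hits first, then share of printable bytes.
    Printable ratio alone is not enough; several keys can yield all-printable text."""
    hits = sum(len(re.findall(c, plain)) for c in CRIBS)
    printable = sum(1 for b in plain if b in PRINTABLE or b == 0) / max(len(plain), 1)
    return (hits, printable)


def guess_key(data: bytes) -> int:
    """Brute-force all 255 non-zero single-byte keys and keep the best-scoring one."""
    return max(range(1, 256), key=lambda k: score(xor_decrypt(data, k)))


if __name__ == "__main__":
    key = guess_key(ENCRYPTED_CONFIG)
    print(f"recovered key 0x{key:02x}:", split_strings(xor_decrypt(ENCRYPTED_CONFIG, key)))
```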
During the analysis, communication with the C&C could not be established, so some parts of the analysis remain incomplete. After the debugger presence check and the string decoding, the malware creates an additional file in %temp% with the hard-coded name “58097616.tmp” and writes the GetTickCount value multiplied by a random number to it:

[Figure: the value written to 58097616.tmp]

This value can serve as an additional identifier for the target and also as a marker of the malware's previous presence on the machine.

The malware then tries to establish a connection to the C&C, supporting data transfer either over raw TCP sockets or over HTTPS using the HTTP CONNECT method. The backdoor is also proxy-aware and distinguishes between two HTTP response types: “200” (success) and “407” (proxy authentication required):

[Figure: Hard-coded HTTP headers with proxy support]

PortDoor can also escalate privileges through access token theft: it steals the access token of explorer.exe and executes under it.

[Figure: Access token theft from explorer.exe]

Finally, the malware waits for further instructions from the C&C before continuing. Command handling is implemented in the following switch-case:

[Figure: Some of the methods implemented in the switch-case]

For example, the get_pc_info() case collects basic PC information to be sent to the C&C, using the string “B-JDUN” most likely as a unique identifier for the campaign or victim:

[Figure: The collected information about the infected PC]

Before the information is sent to the C&C server, the backdoor uses AES to encrypt the stolen PC information data:

[Figure: AES-encrypted information collected from the PC]
The main functionality of the backdoor's C&C commands is summarized in the table below:

  Case   Action
  0x08   Get PC info, concatenated with the “B-JDUN” identifier
  0x30   List running processes
  0x31   OpenProcess
  0x41   Get free space on logical drives
  0x42   File enumeration
  0x43   Delete file
  0x44   Move file
  0x45   Move file
  0x28   Open file for simultaneous operations
  0x29   Write to file
  0x2a   Close handle
  0x2b   Open file and write directly to disk
  0x01   Look for the “Kr*^j4” string
  0x10   Create pipe, copy data from it and AES-encrypt it
  0x11   Write data to file, append “\n”
  0x12   Write data to file, append “\n”

Another anti-analysis technique used by the PortDoor backdoor is dynamic API resolution. By resolving its API calls at runtime instead of using static imports, the backdoor hides most of its main functions and avoids static detection of suspicious API calls:

[Figure: Dynamic API resolution]

The execution of the PortDoor backdoor DLL is detected by the Cybereason Defense Platform:

[Figure: PortDoor backdoor DLL as detected by Cybereason]

Attribution

At the time of this analysis, not enough information had been collected to attribute the newly discovered backdoor to a known group with 100% certainty. However, there are some well-known Chinese APT groups whose tradecraft resembles that of these attackers.

Based on previous work by nao_sec, the Nocturnus team was able to determine that the RoyalRoad v7 RTF file discussed in this blog has a header encoding of “b0747746”. This has previously been observed in relation to the Tonto Team, TA428 and Rancor:

[Figure: RoyalRoad Attribution Matrix. Credit: nao_sec]

Both the Tonto team and TA428 have been observed attacking Russian organizations in the past, specifically targeting research and defense targets. For example, it has been previously reported that the Tonto team has targeted Russian organizations with the Bisonal malware in the past.

Comparing the spear phishing emails and malicious documents in this attack with previously investigated phishing emails and decoy documents used by the Tonto team against Russian organizations reveals certain similarities in the linguistic and visual style of the phishing emails and documents.

The newly discovered backdoor does not appear to share any significant code similarities with previously known malware used by the above groups, aside from anecdotal similarities that are quite common among backdoors. This leads us to conclude that it is not a variant of known malware but novel malware that was developed only recently.

Finally, we are also aware that other groups, known or not yet known, could be behind the attack and development of the PortDoor backdoor. We hope that over time and with more evidence collected, the attribution can become more concrete.

Conclusion

RoyalRoad has been one of the most widely used RTF exploit builders among Chinese threat actors in recent years. It is mostly observed in the initial compromise phase of targeted attacks, where victims are tricked via spear phishing into opening documents that in turn exploit vulnerabilities in Microsoft Equation Editor to install various malware.

In this report we have discussed recent changes to RoyalRoad that deviate from some of its well-documented and predictable indicators, possibly an indication that the threat actors deploying it are trying to evade detections that rely on such easy indicators.

We also reported the discovery of the novel PortDoor backdoor, a previously undocumented and stealthy tool that gives attackers access to their targets' machines to gather information and install additional payloads.

At the time of writing, it's still unclear which threat actors are behind the new backdoor, but we've identified two potential suspects who fit the profile. There is currently not enough information available to prove this hypothesis with any degree of certainty.