Chinese hackers recently targeted a general director at the Rubin Design Bureau, a Russian defence contractor that designs nuclear submarines for the Russian Navy, using the PortDoor malware delivered via spear-phishing emails.
According to researchers at Cybereason, the PortDoor malware was developed by a threat actor likely operating on behalf of Chinese state-sponsored interests and is being delivered through the RoyalRoad weaponizer, an attack tool frequently used by China-based threat actors to attack high-value targets.
PortDoor, the researchers said, is built with obfuscation and persistence in mind and offers multiple functions, including reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, antivirus static-detection evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more.
The use of the RoyalRoad weaponizer, the social engineering style, the infection vector, and similarities between the PortDoor malware and other known Chinese APT malware make it clear that the spear-phishing operation is being conducted by or on behalf of a Chinese state-sponsored hacker group, Cybereason said.
The weaponizer has previously been used by Chinese hacker groups such as Tick, Tonto Team, TA428, Goblin Panda, and Rancor. It weaponizes RTF documents that drop an encoded file named “8.t”, which, once decoded, delivers a variety of malware based on hackers' objectives.
In this particular case, a general director at the Rubin Design Bureau, Russia's largest submarine design centre that has designed more than two-thirds of all nuclear submarines in the Russian Navy, was sent a spear-phishing email by hackers that contained a weaponized RTF document. The document appeared to contain the schematics of an autonomous underwater vehicle and was timestomped to 2007 to avoid detection.
According to the researchers who discovered and analysed the weaponized RTF document, opening it drops a Microsoft Word add-in file, a form of automatic-execution persistence that evades the detection aimed at the more common autostart mechanisms. The dropper payload, named winlog.wll, has the following capabilities:
- Gathering reconnaissance and profiling of the victim’s machine
- Receiving commands and downloading additional payloads from the C2 server
- Communicating with the C2 server using raw socket as well as HTTP over port 443 with proxy authentication support
- Privilege escalation and process manipulation
- Dynamic API resolving for static detection evasion
- One-byte XOR encryption of sensitive data and configuration strings
- AES encryption of the collected information before it is sent to the C2 server
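Because winlog.wll is a Word add-in rather than a registry or scheduled-task autostart, a defender's first check is the folder from which Word loads such add-ins. The script below is an added example and not code from the article or from Cybereason; it assumes the standard per-user Word STARTUP folder (%APPDATA%\Microsoft\Word\STARTUP) and builds its own throwaway directory with a constructed two-byte "MZ" stub named winlog.wll so it runs offline without any real sample.

```python
import os
import tempfile
from pathlib import Path


def word_startup_dirs():
    """Per-user Word STARTUP folder, the usual load path for .wll add-ins.

    APPDATA is only set on Windows, so this returns an empty list elsewhere.
    """
    appdata = os.environ.get("APPDATA")
    return [Path(appdata, "Microsoft", "Word", "STARTUP")] if appdata else []


def find_wll_addins(startup_dir):
    """List .wll files under startup_dir and note whether each starts with the PE 'MZ' magic.

    A .wll add-in is a DLL that Word loads automatically at start-up, so any
    .wll that is a valid PE image and was not deployed on purpose deserves a
    closer look (hash it, check its signature, compare against known add-ins).
    """
    findings = []
    root = Path(startup_dir)
    if not root.is_dir():
        return findings
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".wll":
            continue
        with path.open("rb") as fh:
            magic = fh.read(2)
        findings.append({
            "path": str(path),
            "name": path.name,
            "is_pe": magic == b"MZ",
            "size": path.stat().st_size,
        })
    return findings


def build_sample_startup_dir(with_addin=True):
    """Constructed fixture: a temp directory standing in for Word's STARTUP folder."""
    d = Path(tempfile.mkdtemp(prefix="word_startup_"))
    (d / "notes.txt").write_bytes(b"benign text, not an add-in")
    if with_addin:
        # Constructed stub: only the two-byte MZ header padded with zeros, nothing executable.
        (d / "winlog.wll").write_bytes(b"MZ" + b"\x00" * 62)
    return str(d)


if __name__ == "__main__":
    # Run against the constructed fixture first, then against the real folder if present.
    for hit in find_wll_addins(build_sample_startup_dir()):
        print("fixture:", hit)
    for real_dir in word_startup_dirs():
        for hit in find_wll_addins(real_dir):
            print("live:", hit)
```

On a Windows host the live scan only lists candidates; whether a hit is malicious still depends on provenance, signature and file-system timestamps, which is also where the 2007 timestomp described above would stand out against the add-in's actual creation time.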
Once it infiltrates a system, the PortDoor malware establishes communications with a C2 server, waits for additional commands to execute, and AES-encrypts the stolen information before routing it to the C2 server. The malware also hides most of its main functionality and avoids static detection of suspicious API calls by resolving its API calls dynamically instead of using static imports, Cybereason said.
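The one-byte XOR applied to configuration strings is obfuscation rather than encryption: with only 256 possible keys an analyst can recover the plaintext by trying every key and scoring the results. The following is an added example, not code from the article or from Cybereason's report; the config string, the key 0x5A and the marker list are constructed for the demonstration and stand in for a blob carved out of a real dropper.

```python
import string

PRINTABLE = frozenset(string.printable.encode())

# Substrings an analyst would expect inside a C2 configuration.
# Constructed list for this example; extend it per sample family.
KNOWN_PLAINTEXT_MARKERS = (b"http", b".dll", b".exe", b".php", b"Mozilla")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def score_candidate(candidate: bytes) -> float:
    """Higher is more plausible: printable ratio (0..1) plus one point per expected marker.

    The marker bonus is what breaks ties between keys that differ only by a
    case flip (0x20) or a low bit, which a pure printable-ratio score cannot.
    """
    if not candidate:
        return 0.0
    score = sum(1 for b in candidate if b in PRINTABLE) / len(candidate)
    score += sum(1.0 for marker in KNOWN_PLAINTEXT_MARKERS if marker in candidate)
    return score


def recover_single_byte_xor(blob: bytes):
    """Try all 256 keys and return (key, decoded_bytes) for the best-scoring candidate."""
    best_key, best_score = 0, -1.0
    for key in range(256):
        s = score_candidate(xor_single_byte(blob, key))
        if s > best_score:
            best_key, best_score = key, s
    return best_key, xor_single_byte(blob, best_key)


# Constructed sample: a made-up config string and key, not taken from any real sample.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"http://c2.example.invalid:443/update.php|winlog.wll"
SAMPLE_BLOB = xor_single_byte(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    key, plaintext = recover_single_byte_xor(SAMPLE_BLOB)
    print(f"key=0x{key:02x} plaintext={plaintext!r}")
```

The same brute force works on any blob obfuscated with a single repeated byte; the AES layer used for exfiltration is a different matter and needs the key to be recovered from the sample or from memory, which is why the two layers serve different purposes in the malware.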
"RoyalRoad has been one of the most used RTF weaponizers in the Chinese threat actors' sphere in recent years. It is mostly observed in the initial compromise phase of targeted attacks where spear-phishing is used to lure victims into opening malicious documents which in turn exploit Microsoft Equation Editor vulnerabilities to drop different malware.
"Both the Tonto Team and TA428 threat actors have been observed attacking Russian organisations in the past, and more specifically attacking research and defense-related targets. For example, it was previously reported that Tonto Team is known to have attacked Russian organizations in the past using the Bisonal malware.
"When comparing the spear-phishing email and malicious documents in these attacks with previously examined phishing emails and lure documents used by the Tonto Team to attack Russian organisations, there are certain similarities in the linguistic and visual style used by the attackers in the phishing emails and documents," the firm added.