China-linked APT uses a new backdoor in attacks at Russian defense contractor

A China-linked cyberespionage group targets a Russian defense contractor involved in designing nuclear submarines for the Russian Navy.

Cybereason researchers reported that a China-linked APT group targets a Russian defense contractor involved in designing nuclear submarines for the Russian Navy.

The state-sponsored hackers sent spear-phishing messages to a general director working at the Rubin Design Bureau, in Saint Petersburg, which is one of three main Russian centers of submarine design. Rubin is the largest among the three Soviet/Russian submarine designer centers, having designed more than two-thirds of all nuclear submarines in the Russian Navy.

The spear-phishing messages used a malicious Rich Text File (RTF) document that included descriptions of an autonomous underwater vehicle.

The RTF documents were uncovered by Cybereason Nocturnus Team while investigating recent developments in the RoyalRoad weaponizer, also known as the 8.t Dropper/RTF exploit builder. This tool was widely adopted by several China-linked threat actors, including Tick, Tonto Team and TA428.

The weaponized RTF documents generated with the exploit builder are able to trigger the CVE-2017-11882, CVE-2018-0798, CVE-2018-0802 vulnerabilities in Microsoft’s Equation Editor.

The documents were used to deliver a previously undocumented backdoor, tracked as PortDoor.

“The newly discovered RoyalRoad RTF variant examined also drops a previously undocumented and stealthy backdoor dubbed PortDoor which is designed with obfuscation and persistence in mind.” reads the analysis published by Cybereason. “The threat actor is specifically targeting the Rubin Design Bureau, a part of the Russian defense sector designing submarines for the Russian Federation’s Navy.”

The Portdoor backdoor implements multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration

The attribution of the cyber espionage campaign is based on similarities with TTPs associated with some Chinese APT groups.

Starting from an investigation conducted by nao_sec, Cybereason experts were able to determine that the RTF file employed in the attack against the Russian defense contractor was weaponized with RoyalRoad v7, which bears the indicative “b0747746” header encoding and was previously employed in attacks conducted by the Tonto Team, TA428 and Rancor threat actors,

Both Tonto Team and TA428 have been linked to attacks targeting Russian research and defense organizations.

“When comparing the spear-phishing email and malicious documents in these attacks with previously examined phishing emails and lure documents used by the Tonto Team to attack Russian organizations, there are certain similarities in the linguistic and visual style used by the attackers in the phishing emails and documents.” continues the report. “The newly discovered backdoor does not seem to share significant code similarities with previously known malware used by the abovementioned groups, other than anecdotal similarities that are quite common to backdoors, leading us to the conclusion that it is not a variant of a known malware, but is in fact novel malware that was developed recently.”

The report published by the experts also includes MITRE ATT&CK Matrix, researchers could contact the security firm for IoCs.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Russian defense contractor)

[adrotate banner=”5″]

[adrotate banner=”13″]