Unknown Chinese APT Targets Russian Defense Sector

Researchers at Cybereason say they have discovered a previously undocumented piece of malware targeting the Russian military sector that bears the hallmarks of a Chinese origin, and possibly Chinese state sponsorship.

The researchers had been tracking malicious RTF files generated by the RoyalRoad weaponizer (also known as the 8.t Dropper/RTF exploit builder), a tool frequently used by Chinese state actors. One sample was found dropping previously unknown malware, which the Cybereason researchers have named PortDoor.

According to the phishing lure associated with the malicious RTF, the target was a general director working at the Rubin Design Bureau. This is a Russia-based defense contractor that designs nuclear submarines for the Russian Navy.

Cybereason cannot yet attribute the attack, and the malware used, to any specific actor, but notes that the RTF “bears the indicative ‘b0747746’ header encoding and was previously observed being used by the Tonto Team (aka CactusPete), TA428 and Rancor threat actors.”

Both Tonto and TA428 have been seen attacking Russian research and defense-related targets. Furthermore, there are linguistic and visual similarities in the associated phishing emails between the PortDoor attack and earlier Tonto Team attacks against Russian organizations.


However, the researchers note that PortDoor “does not seem to share significant code similarities with previously known malware used by the abovementioned groups… it is not a variant of a known malware, but is in fact novel malware that was developed recently.” Nevertheless, Cybereason believes that PortDoor in this case is operated by an APT group operating on behalf of Chinese state-sponsored interests.

PortDoor is a multi-faceted backdoor able to conduct espionage, perform target profiling, escalate privilege, evade antivirus, perform one-byte XOR encryption, deliver additional payloads, and do AES-encrypted data exfiltration.

The infection process in the discovered attack was a spear-phishing email with a RoyalRoad-generated RTF weaponized with the PortDoor backdoor. The email was addressed to the “respectful general director Igor Vladimirovich” at the Rubin Design Bureau, a submarine design center from the “Gidropribor” concern in St. Petersburg. The malicious RTF attachment provided an image of an autonomous underwater vehicle.

Image shows content of the weaponized RTF document (credit Cybereason)

If the document is opened, an MS Word add-in file is dropped into the Word startup folder, so the backdoor is loaded whenever Word starts. PortDoor then decrypts its initial configuration, which contains the C2 address, a victim identifier and an AES-CBC key.

Cybereason was unable to communicate with the C2 server, further clouding attribution, and making it impossible to know what might be planned in any additional downloaded payloads.

Following a debugger presence check, PortDoor creates a file called ‘58097616.tmp’ in %temp%, which is likely used as an additional identifier for the target, and/or an indication of the previous presence of the malware.
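The host- and document-level indicators described so far (the RoyalRoad ‘b0747746’ RTF header marker, the ‘58097616.tmp’ file in %temp%, and an add-in dropped into the Word startup folder) can be turned into simple defender-side checks. The following is an added example, not Cybereason’s code; the add-in file extensions and the sample RTF fragment are constructed assumptions, and directory paths are passed in so it runs offline:

```python
"""Defender-side checks for the PortDoor artifacts described in the article.

Added example (not Cybereason's code). Indicator values come from the
article; the add-in extension list and all sample data are assumptions.
"""
import tempfile
from pathlib import Path

ROYALROAD_MARKER = b"b0747746"           # RTF header encoding quoted by Cybereason
PORTDOOR_TEMP_MARKER = "58097616.tmp"    # marker file PortDoor writes to %temp%
# Assumed: file types a Word add-in dropped to the startup folder would use.
SUSPECT_STARTUP_EXT = {".wll", ".dotm", ".dot"}


def rtf_has_royalroad_marker(data: bytes, window: int = 512) -> bool:
    """True if data is an RTF whose header region carries the RoyalRoad marker."""
    if not data.lstrip().startswith(b"{\\rtf"):
        return False                     # not an RTF at all; marker alone is not enough
    return ROYALROAD_MARKER in data[:window].lower()


def find_host_artifacts(temp_dir: Path, word_startup_dir: Path) -> list[str]:
    """Return findings for the two host-side PortDoor artifacts, in a fixed order."""
    findings = []
    marker = temp_dir / PORTDOOR_TEMP_MARKER
    if marker.is_file():
        findings.append(f"temp marker present: {marker}")
    if word_startup_dir.is_dir():
        for f in sorted(word_startup_dir.iterdir()):
            if f.is_file() and f.suffix.lower() in SUSPECT_STARTUP_EXT:
                findings.append(f"add-in in Word startup folder: {f}")
    return findings


def build_sample_tree(root: Path) -> tuple[Path, Path]:
    """Constructed fixture: a fake %temp% and Word STARTUP folder holding both artifacts."""
    temp_dir, startup = root / "temp", root / "Word" / "STARTUP"
    temp_dir.mkdir(parents=True)
    startup.mkdir(parents=True)
    (temp_dir / PORTDOOR_TEMP_MARKER).write_bytes(b"")
    (startup / "constructed_addin.wll").write_bytes(b"MZ")   # constructed add-in name
    return temp_dir, startup


def run_demo() -> tuple[bool, list[str], list[str]]:
    """Run all checks on constructed data: (rtf flag, findings, findings on clean dirs)."""
    sample_rtf = b"{\\rtf1\\ansi\\ansicpg1252 b0747746 ...}"   # constructed header fragment
    with tempfile.TemporaryDirectory() as d:
        temp_dir, startup = build_sample_tree(Path(d))
        hits = find_host_artifacts(temp_dir, startup)
        clean = find_host_artifacts(Path(d) / "no_temp", Path(d) / "no_startup")
    return rtf_has_royalroad_marker(sample_rtf), hits, clean


if __name__ == "__main__":
    flag, hits, clean = run_demo()
    print("RoyalRoad marker:", flag)
    print("\n".join(hits) or "no host artifacts")
```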

Privilege escalation can be achieved by using the Access Token Theft technique to steal explorer.exe tokens and run under a privileged security context.

Once established, PortDoor waits for further instructions from the C2 server, such as ‘enumerate_files’ or ‘get_pc_info’. The latter gathers basic PC information to be sent to the C2. Before any data is sent, however, PortDoor encrypts the stolen data with AES.

Other command functionality includes ‘list running processes’, ‘open process’, ‘get free space on logical drives’, ‘delete file’, ‘move file’, ‘create process with a hidden window’, ‘open file for simultaneous operations’, ‘write to file’, ‘close handle’, ‘open file and write directly to disk’, ‘look out for “KR*^j4” string’, ‘create pipe’, ‘copy data from it and AES encrypt’, ‘write data to file and append with “n”’, and ‘write data to file and append with “exitn”’.

Communication with the C2 server supports the transfer of data using TCP over raw sockets, or HTTPS using the CONNECT method.

Cybereason is not sufficiently confident to attribute PortDoor to any known group. However, it does call PortDoor an APT – an epithet usually but not necessarily exclusively applied to state-sponsored actors and their malware. Certain clues, however, point to the Rancor Group. It isn’t clear whether Rancor is a state hacking team or just affiliated with the state; but the target in this instance would clearly be of interest to the Chinese government.

Related: State-Sponsored Hackers Supporting China’s Naval Modernization Efforts

Related: Multiple Chinese Groups Share the Same RTF Weaponizer

Related: Mysterious Chinese APT Linked to Multiple Central Asian Campaigns

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
