Researchers at Cybereason say they have discovered previously undocumented malware targeting the Russian military sector. The tooling and targeting bear the hallmarks of a Chinese origin, if not outright Chinese state sponsorship.
The researchers had been tracking malicious RTF files generated by the RoyalRoad weaponizer (also known as the 8.t Dropper/RTF exploit builder), a tool frequently used by Chinese state actors. One sample was found dropping previously unknown malware, which the Cybereason researchers have named PortDoor.
According to the phishing lure associated with the malicious RTF, the target was a general director working at the Rubin Design Bureau. This is a Russia-based defense contractor that designs nuclear submarines for the Russian Navy.
Cybereason cannot yet attribute the attack, and the malware used, to any specific actor, but notes that the RTF “bears the indicative ‘b0747746’ header encoding and was previously observed being used by the Tonto Team (aka CactusPete), TA428 and Rancor threat actors.”
Both Tonto and TA428 have been seen attacking Russian research and defense-related targets. Furthermore, there are linguistic and visual similarities in the associated phishing emails between the PortDoor attack and earlier Tonto Team attacks against Russian organizations.
However, the researchers note that PortDoor “does not seem to share significant code similarities with previously known malware used by the abovementioned groups… it is not a variant of a known malware, but is in fact novel malware that was developed recently.” Nevertheless, Cybereason believes that PortDoor in this case is operated by an APT group operating on behalf of Chinese state-sponsored interests.
PortDoor is a multi-functional backdoor: it can conduct espionage, profile the target, escalate privileges, evade antivirus, apply one-byte XOR encryption, deliver additional payloads, and exfiltrate data under AES encryption.
The infection chain in the discovered attack began with a spear-phishing email carrying a RoyalRoad-generated RTF weaponized to drop the PortDoor backdoor. The email was addressed to the “respectful general director Igor Vladimirovich” at the Rubin Design Bureau, a submarine design center within the “Gidropribor” concern in St. Petersburg. The malicious RTF attachment displayed an image of an autonomous underwater vehicle as its decoy content.
Image shows content of the weaponized RTF document (credit Cybereason)
If the document is opened, an MS Word add-in file is dropped into the Word startup folder, from which Word loads add-ins automatically on each launch; this is what gives the implant persistence. PortDoor then decrypts its initial configuration, which contains the C2 address, a victim identifier and an AES-CBC key.
Cybereason was unable to communicate with the C2 server, which further clouds attribution and makes it impossible to know what additional payloads might be delivered.
After checking for the presence of a debugger, PortDoor creates a file named ‘58097616.tmp’ in %temp%, which likely serves as an additional identifier for the target and/or as a marker that the machine has already been infected.
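As an added illustration (not code from Cybereason or from the malware itself) of what “one-byte XOR encryption” means in practice, the following Python recovers a single-byte XOR key from an obfuscated configuration blob by trying all 256 keys and keeping the one that yields a well-formed config. The blob layout (C2 address, victim identifier and a 16-byte AES-CBC key, NUL-separated) and every sample value are assumptions made for the example; the report does not say how PortDoor stores its own configuration, only what it contains.

```python
import string

# Added example (not code from Cybereason or from PortDoor): recover a
# single-byte XOR key from an obfuscated config blob. The config layout
# (C2 address, NUL, victim ID, NUL, 16-byte AES-CBC key) and every sample
# value below are assumptions made for illustration.

PRINTABLE = set(string.printable.encode("ascii"))
AES_KEY_LEN = 16  # AES-128-CBC key length; an assumption about the layout


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def parse_config(plain: bytes):
    """Parse the assumed layout host\\0victim_id\\0<16-byte key>.

    Returns a dict on success, None if the bytes do not fit the layout.
    Structural validation beats scoring by printable ratio here: the raw
    AES key is not printable under the right XOR key but may become
    printable under a wrong one, which would mislead a ratio-based score.
    """
    parts = plain.split(b"\x00", 2)
    if len(parts) != 3 or len(parts[2]) != AES_KEY_LEN:
        return None
    host, victim, key = parts
    if not host or not victim:
        return None
    if any(b not in PRINTABLE for b in host + victim):
        return None
    return {
        "c2": host.decode("ascii"),
        "victim_id": victim.decode("ascii"),
        "aes_key": key,
    }


def recover_config(blob: bytes):
    """Try all 256 keys; return (key, config) for the first that parses, else None."""
    for key in range(256):
        cfg = parse_config(xor_bytes(blob, key))
        if cfg is not None:
            return key, cfg
    return None


def build_sample_blob(key: int = 0x5A) -> bytes:
    """Constructed sample: a config blob as an implant might store it (placeholder values)."""
    plain = (
        b"203.0.113.25:443"  # RFC 5737 documentation address, not a real C2
        + b"\x00" + b"VICTIM-01"
        + b"\x00" + bytes(range(0x10, 0x10 + AES_KEY_LEN))
    )
    return xor_bytes(plain, key)


if __name__ == "__main__":
    result = recover_config(build_sample_blob())
    if result is None:
        print("no key produced a well-formed config")
    else:
        key, cfg = result
        print(f"XOR key 0x{key:02x}: C2={cfg['c2']} victim={cfg['victim_id']} "
              f"AES key={cfg['aes_key'].hex()}")
```

Because the key field is raw binary, the usual trick of ranking candidate keys by how printable the output looks is unreliable; validating against the expected structure (two NUL separators and exactly 16 trailing bytes) identifies the key unambiguously, and the same approach adapts to whatever layout a given sample turns out to use.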
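For a responder, the two on-disk artifacts described above (an add-in in the Word STARTUP folder and %temp%\58097616.tmp) are the first things to check on suspect hosts. The following Python is an added example, not part of the Cybereason report: it walks the per-user profile folders under a given root (a live drive or a mounted image) and reports both artifacts with hashes. The profile tree it builds to run against is constructed for demonstration, and the file names and contents in it are placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not part of the Cybereason report): a minimal host hunt for
# the Word STARTUP add-in and the %temp%\58097616.tmp marker. Paths follow
# the default per-user Windows profile layout; `root` is the drive root or a
# mounted image, so the same code runs against an offline copy. The sample
# tree and file contents below are constructed for demonstration.

MARKER_NAME = "58097616.tmp"
# Word loads .wll add-ins and .dotm global templates from STARTUP automatically.
ADDIN_SUFFIXES = {".wll", ".dotm"}
STARTUP_REL = Path("AppData/Roaming/Microsoft/Word/STARTUP")
TEMP_REL = Path("AppData/Local/Temp")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_profiles(root: Path) -> list:
    """Return one finding per suspicious file under <root>/Users/*/."""
    findings = []
    users = root / "Users"
    if not users.is_dir():
        return findings
    for profile in sorted(p for p in users.iterdir() if p.is_dir()):
        startup = profile / STARTUP_REL
        if startup.is_dir():
            # Anything Word auto-loads deserves review; mark add-in types explicitly.
            for f in sorted(startup.iterdir()):
                if f.is_file():
                    findings.append({
                        "user": profile.name,
                        "type": "word_startup_file",
                        "path": str(f),
                        "is_addin": f.suffix.lower() in ADDIN_SUFFIXES,
                        "sha256": sha256_of(f),
                    })
        marker = profile / TEMP_REL / MARKER_NAME
        if marker.is_file():
            findings.append({
                "user": profile.name,
                "type": "portdoor_marker",
                "path": str(marker),
                "is_addin": False,
                "sha256": sha256_of(marker),
            })
    return findings


def build_sample_tree() -> Path:
    """Constructed sample profile tree: one infected user, one clean user."""
    root = Path(tempfile.mkdtemp(prefix="portdoor_hunt_"))
    infected = root / "Users" / "ivanov"
    (infected / STARTUP_REL).mkdir(parents=True)
    # Placeholder add-in: an MZ header and padding, not real add-in content.
    (infected / STARTUP_REL / "word.wll").write_bytes(b"MZ" + b"\x00" * 62)
    (infected / TEMP_REL).mkdir(parents=True)
    (infected / TEMP_REL / MARKER_NAME).write_bytes(b"")
    clean = root / "Users" / "petrov"
    (clean / TEMP_REL).mkdir(parents=True)
    (clean / TEMP_REL / "tmpA1B2.tmp").write_bytes(b"unrelated")
    return root


if __name__ == "__main__":
    for finding in hunt_profiles(build_sample_tree()):
        print(f"[{finding['type']}] {finding['user']}: {finding['path']} "
              f"addin={finding['is_addin']} sha256={finding['sha256'][:16]}...")
```

On a live system the root is simply the drive (`Path("C:/")`); the STARTUP folder is empty on most workstations, so any file there is worth triaging even if it does not carry an add-in extension.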
Privilege escalation is achieved through access token theft: the backdoor steals the access token of explorer.exe and runs under that privileged security context.
Once established, PortDoor waits for instructions from the C2 server, such as ‘enumerate_files’ or ‘get_pc_info’; the latter gathers basic PC information to send to the C2. Before any data is sent, PortDoor encrypts it with AES.
Other command functionality includes ‘list running processes’, ‘open process’, ‘get free space on logical drives’, ‘delete file’, ‘move file’, ‘create process with a hidden window’, ‘open file for simultaneous operations’, ‘write to file’, ‘close handle’, ‘open file and write directly to disk’, ‘look out for the “KR*^j4” string’, ‘create pipe’, ‘copy data from it and AES encrypt’, ‘write data to file and append with “\n”’, and ‘write data to file and append with “exit\n”’.
Communication with the C2 server can use either TCP over raw sockets or HTTPS via the HTTP CONNECT method, which lets the implant tunnel its traffic through a web proxy.
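A CONNECT-tunnelled C2 channel still leaves a trace in the corporate proxy log even when the payload inside the tunnel is encrypted. The following Python is an added example rather than anything from the Cybereason report: it triages Squid-style access.log lines for CONNECT requests to bare IP addresses or to ports other than 443. Both heuristics and the sample log lines are this example’s own assumptions, not published PortDoor indicators, and the addresses are RFC 5737 documentation ranges.

```python
import ipaddress
import re

# Added example (not from the Cybereason report): triage proxy logs for
# CONNECT tunnels that look more like backdoor C2 than browser traffic.
# The lines below are constructed for this example in the native Squid
# access.log layout; the heuristics (bare-IP destination, port other than
# 443) are this example's own, not indicators published for PortDoor.

SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample: two browser-looking tunnels, one plain GET, two odd tunnels.
SAMPLE_LOG = """\
1619772001.101    812 10.0.0.15 TCP_TUNNEL/200 184322 CONNECT updates.example.com:443 - HIER_DIRECT/192.0.2.10 -
1619772003.417  60021 10.0.0.15 TCP_TUNNEL/200 38212 CONNECT 203.0.113.25:8443 - HIER_DIRECT/203.0.113.25 -
1619772005.002    120 10.0.0.22 TCP_MISS/200 5120 GET http://www.example.com/index.html - HIER_DIRECT/192.0.2.10 text/html
1619772007.908  30005 10.0.0.15 TCP_TUNNEL/200 2048 CONNECT 198.51.100.7:443 - HIER_DIRECT/198.51.100.7 -
1619772009.300   4500 10.0.0.31 TCP_TUNNEL/200 99000 CONNECT mail.example.net:993 - HIER_DIRECT/198.51.100.9 -
"""


def parse_line(line: str):
    """Parse one native-format Squid line into a dict, or None if it does not match."""
    m = SQUID_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["elapsed_ms"] = int(rec["elapsed_ms"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def split_host_port(target: str):
    """Split 'host:port' as it appears in a CONNECT request; port is None if absent."""
    host, _, port = target.rpartition(":")
    if not host or not port.isdigit():
        return target, None
    return host, int(port)


def is_bare_ip(host: str) -> bool:
    """True for literal IPv4/IPv6 destinations (brackets allowed), False for hostnames."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def triage_connect(log_text: str, allowed_ports=(443,)) -> list:
    """Return CONNECT records that hit either heuristic, with the reasons."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        host, port = split_host_port(rec["url"])
        reasons = []
        if is_bare_ip(host):
            reasons.append("bare IP destination")
        if port is not None and port not in allowed_ports:
            reasons.append(f"non-standard port {port}")
        if reasons:
            flagged.append({
                "ts": rec["ts"], "client": rec["client"], "dest": rec["url"],
                "bytes": rec["bytes"], "elapsed_ms": rec["elapsed_ms"],
                "reasons": reasons,
            })
    return flagged


if __name__ == "__main__":
    for hit in triage_connect(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['dest']} "
              f"({hit['bytes']} bytes, {hit['elapsed_ms']} ms): {', '.join(hit['reasons'])}")
```

Browsers almost always CONNECT to a hostname on 443, so a tunnel to a literal IP or an unusual port from a workstation is a cheap first filter; the raw-socket TCP mode the report also describes would not pass through the proxy at all, which is why egress filtering that forces traffic through the proxy makes this log the place to look.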
Cybereason is not sufficiently confident to attribute PortDoor to any known group. It does, however, describe the operation as an APT, a label usually, though not exclusively, applied to state-sponsored actors and their malware. Certain clues point to the Rancor group. It isn’t clear whether Rancor is a state hacking team or merely affiliated with the state, but the target in this instance would clearly be of interest to the Chinese government.