A previously undocumented backdoor malware, dubbed PortDoor, is being used by a probable Chinese advanced persistent threat actor (APT) to target the Russian defense sector, according to researchers.
The Cybereason Nocturnus Team observed the cybercriminals specifically going after the Rubin Design Bureau, which designs submarines for the Russian Federation’s Navy. The initial target of the attack was a general director there named Igor Vladimirovich, researchers said, who received a phishing email.
The attack began with the RoyalRoad weaponizer, also known as the 8.t Dropper/RTF exploit builder – a tool that Cybereason said is part of the arsenal of several Chinese APTs, such as Tick, Tonto Team and TA428. RoyalRoad generates weaponized RTF documents that exploit vulnerabilities in Microsoft’s Equation Editor (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802).
The use of RoyalRoad is one of the reasons the company believes Chinese cybercriminals to be behind the attack.
“The accumulated evidence, such as the infection vector, social-engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware, all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests,” according to a Cybereason analysis, published Friday.
A Quiet Espionage Malware
The RoyalRoad tool was seen fetching the unique PortDoor sample once the malicious RTF document is opened, which researchers said was designed with stealth in mind. It has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more.
Once executed, the backdoor decrypts the strings using a hardcoded 0xfe XOR key in order to retrieve its configuration information. This includes the command-and-control (C2) server address, a victim identifier and some other minor information.
The malware then creates an additional file in %temp% with the hardcoded name “58097616.tmp” and writes the GetTickCount value multiplied by a random number to it: “This can be used as an additional identifier for the target, and also as a placeholder for the previous presence of this malware,” researchers explained.
After that, it establishes its C2 connection, which facilitates the transfer of data using TCP over raw sockets, or via HTTPS – with proxy support. At this point, Cybereason said that PortDoor also has the ability to achieve privilege escalation by stealing explorer.exe tokens.
Then, the malware gathers basic PC info to be sent to the C2, which it bundles with a unique identifier, after which is awaits further instructions.
The C2 commands are myriad:
- List running processes
- Open process
- Get free space in logical drives
- Files enumeration
- Delete file
- Move file
- Create process with a hidden window
- Open file for simultaneous operations
- Write to file
- Close handle
- Open file and write directly to disk
- Look for the “Kr*^j4” string
- Create pipe, copy data from it and AES encrypt
- Write data to file, append with “\n”
- Write data to file, append with “exit\n”
PortDoor also employs an anti-analysis technique known as dynamic API resolving, according to the analysis.
“The backdoor is able to hide most of its main functionality and avoid static detection of suspicious API calls by dynamically resolving its API calls instead of using static imports,” researchers explained.
Chinese APTs in the Cyberattack Mix – Probably
Cybereason’s analysis did not yield up a specific Chinese APT actor who would likely be responsible for the attack. However, the researchers said they could make some educated guesses.
“There are a couple of known Chinese APT groups that share quite a few similarities with the threat actor behind the new malware samples analyzed,” according to the report.
For instance, the RTF file used in the attack was weaponized with RoyalRoad v7, which was previously observed being used by the Tonto Team, TA428 and Rancor APTs.
“Both the Tonto Team and TA428 threat actors have been observed attacking Russian organizations in the past, and more specifically attacking research and defense-related targets,” according to the analysis. “When comparing the spear-phishing email and malicious documents in these attacks with previously examined phishing emails and lure documents used by the Tonto Team to attack Russian organizations, there are certain similarities in the linguistic and visual style used by the attackers in the phishing emails and documents.”
That said, the PortDoor malware doesn’t share significant code similarities with previously known malware used by those groups – leading Cybereason to conclude that it is not a variant of a known malware, which makes it useless in attribution efforts.
“Lastly, we are also aware that there could be other groups, known or yet unknown, that could be behind the attack and the development of the PortDoor backdoor,” researchers concluded. “We hope that as time goes by, and with more evidence gathered, the attribution could be more concrete.”
Download our exclusive FREE Threatpost Insider eBook, “2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!