4 May 2021

China-linked APT deployed new backdoor in attacks on Russian defence contractor

A threat actor believed to be working on behalf of the Chinese government has been observed deploying a new, previously undocumented backdoor in attacks targeting a Russian defence contractor that designs nuclear submarines for the Russian Federation’s Navy.

The backdoor, dubbed PortDoor, was discovered by researchers at Cybereason's Nocturnus threat intelligence team while analyzing a new sample of the RoyalRoad weaponizer (aka 8.t Dropper/RTF exploit builder), a tool that generates weaponized RTF documents exploiting a number of vulnerabilities (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802) in Microsoft’s Equation Editor.

RoyalRoad was previously observed in spear-phishing attacks carried out by several Chinese-related threat actors, including Tick, Tonto Team and TA428, against high-value targets.

“Portdoor has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more,” the researchers wrote in a report.

This recent campaign specifically targeted the Saint Petersburg-based Rubin Design Bureau, which is a part of the Russian defense sector designing submarines for the Russian Federation’s Navy.

The attack started with a phishing email targeting a general director working at the Rubin Design Bureau, which contained a malicious Rich Text File (RTF) document that included descriptions of an autonomous underwater vehicle.

“Once the RTF document is opened and executed, a Microsoft Word add-in file is dropped to the Microsoft Word startup folder. This technique is used by various actors to bypass detection of automatic execution persistence, since Word must be relaunched in order to trigger the add-in file, making the persistence mechanism less ‘noisy’,” Cybereason explained.
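The persistence technique quoted above (an add-in dropped into Word's startup folder, loaded only on the next launch of Word) is one a defender can audit directly. The following is an added example, not code from the article or from Cybereason's report: it lists the add-in and global-template files Word auto-loads from its per-user STARTUP folder and flags anything not on an allowlist. The folder location (%APPDATA%\Microsoft\Word\STARTUP), the set of auto-loaded extensions and the sample file names are assumptions for the demonstration; a real deployment would also cover the per-machine Office STARTUP folder.

```python
"""Added example: audit Word's per-user STARTUP folder for unexpected add-ins.

Not from the article or Cybereason's report. Assumes the default per-user
location %APPDATA%\\Microsoft\\Word\\STARTUP and that Word auto-loads
.wll add-in DLLs plus .dot/.dotm/.dotx global templates from it.
"""
import os
import tempfile
from pathlib import Path

# File types Word loads automatically from its STARTUP folder (assumption).
ADDIN_SUFFIXES = {".wll", ".dot", ".dotm", ".dotx"}


def word_startup_dir() -> Path:
    """Per-user Word STARTUP folder (assumed default Windows location)."""
    appdata = os.environ.get("APPDATA", "")
    return Path(appdata) / "Microsoft" / "Word" / "STARTUP"


def scan_startup_folder(folder: Path, allowlist=frozenset()) -> list:
    """Return auto-loaded files in `folder` whose name is not allowlisted.

    Each finding carries the path and size so an analyst can triage it;
    an unexpected .wll here is the kind of artifact the article describes.
    """
    findings = []
    if not folder.is_dir():
        return findings
    for entry in sorted(folder.iterdir()):
        if not entry.is_file():
            continue
        if entry.suffix.lower() not in ADDIN_SUFFIXES:
            continue
        if entry.name.lower() in allowlist:
            continue
        findings.append({"path": str(entry), "size": entry.stat().st_size})
    return findings


def demo() -> list:
    """Constructed scenario in a temp dir: one approved template, one
    unexpected add-in DLL and one unrelated file. Returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "corp-template.dotm").write_bytes(b"approved")   # allowlisted
        (folder / "winword-addin.wll").write_bytes(b"MZ" + b"\0" * 62)  # constructed
        (folder / "readme.txt").write_bytes(b"not loaded by Word")
        return scan_startup_folder(folder, allowlist={"corp-template.dotm"})


if __name__ == "__main__":
    for finding in scan_startup_folder(word_startup_dir()) or demo():
        print(f"unexpected Word add-in: {finding['path']} ({finding['size']} bytes)")
```

Run it on a workstation to review the live folder; with no APPDATA set (or an empty folder) it falls back to the constructed scenario. Pairing the listing with file hashes and creation timestamps makes it a useful periodic check, since the add-in only activates on Word's next launch and leaves no immediate process to catch.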

The researchers said that the campaign shares similarities with a few Chinese APT groups and identified two potential suspects that fit the profile, but noted that there “is not enough information available to prove the stated hypothesis with a high level of certainty.”
