Chinese Group Apparently Targeted Russian Defense Contractor
Cybereason: Attack Used Previously Undocumented PortDoor Malware
An attack group, likely based in China, recently conducted a spear-phishing attack against a defense contractor that develops nuclear submarine technology for the Russian Navy, according to the security firm Cybereason.
The campaign used a previously undocumented malware variant called PortDoor, which leverages a series of obfuscation techniques to help maintain persistence within a compromised network and devices, the report notes.
Once planted within a network or device, PortDoor can conduct reconnaissance, target specific users, deliver additional payloads, escalate privileges, evade antivirus programs and encrypt and exfiltrate data and files, the researchers say.
The attack Cybereason investigated used PortDoor to target the Rubin Central Design Bureau for Marine Engineering in St. Petersburg, a contractor that's involved in providing technology and designs for Russia's nuclear submarine fleet. The researchers say they did not determine if the attackers successfully accessed data.
The attack began with a spear-phishing email sent to Igor Vladimirovich, an executive at the Rubin Central Design Bureau, according to the report. The message contained an attached file portrayed as containing the designs for an autonomous underwater vehicle but that actually contained malicious code that could download the PortDoor malware.
The rich text file attachment was created and weaponized with an exploit builder called RoyalRoad, which is used by several attack groups that have ties to China, including Tick, Tonto Team, TA428, Goblin Panda and Rancor, the Cybereason researchers say (see: Hacking Group Targets European Banks, Military).
The updated version of the RoyalRoad exploit builder used during this attack takes advantage of several vulnerabilities in Microsoft Equation Editor. The researchers found that once the attachment is opened, the malware drops an encoded file called "e.o." that can then deliver a secondary payload, according to the report.
"Once the RTF document is opened and executed, a Microsoft Word add-in file is dropped to the Microsoft Word startup folder," according to the Cybereason report. "This technique is used by various actors to bypass detection of automatic execution persistence, since Word must be relaunched in order to trigger the add-in file, making the persistence mechanism less 'noisy.'"
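The persistence technique quoted above relies on Word loading whatever add-in files sit in its STARTUP folder at the next launch. The following added audit script (not from the Cybereason report) lists add-in files in a STARTUP folder and flags any whose content does not match its extension; the per-user folder path and the sample files are assumptions constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Word loads every add-in found in its STARTUP folders when it launches:
# .wll files are native DLLs, .dotm/.dot files are macro-enabled templates.
ADDIN_EXTENSIONS = {".wll", ".dotm", ".dot"}

# Bytes the file content should start with for each add-in type.
MAGIC = {
    ".wll": b"MZ",                                   # PE executable (DLL)
    ".dotm": b"PK\x03\x04",                          # OOXML template (zip container)
    ".dot": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",     # legacy OLE compound file
}

def default_startup_dir() -> Path:
    """Per-user Word STARTUP folder on a Windows host (assumed path: %APPDATA%\\Microsoft\\Word\\STARTUP)."""
    return Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Word" / "STARTUP"

def inspect_addin(path: Path) -> dict:
    """Describe one candidate add-in: its type, whether the content matches the
    extension, and its modification time so recently dropped files stand out."""
    ext = path.suffix.lower()
    with path.open("rb") as fh:
        head = fh.read(8)
    return {
        "name": path.name,
        "path": str(path),
        "extension": ext,
        "header_ok": head.startswith(MAGIC[ext]),
        "mtime": path.stat().st_mtime,
    }

def audit_startup_dir(directory) -> list:
    """Return one finding per add-in file in the folder. Every entry deserves triage;
    entries whose content does not match the extension are the most suspicious."""
    directory = Path(directory)
    if not directory.is_dir():
        return []
    return [inspect_addin(entry) for entry in sorted(directory.iterdir())
            if entry.is_file() and entry.suffix.lower() in ADDIN_EXTENSIONS]

def demo() -> list:
    """Constructed sample folder: a DLL add-in, a template, a mislabeled file, and noise."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "winword.wll").write_bytes(b"MZ" + b"\x00" * 62)     # PE header, as a dropped DLL add-in has
    (tmp / "normal.dotm").write_bytes(b"PK\x03\x04" + b"\x00" * 20)
    (tmp / "odd.wll").write_bytes(b"\x00" * 16)                 # extension says DLL, content does not
    (tmp / "readme.txt").write_bytes(b"ignored")                # not an add-in type
    return audit_startup_dir(tmp)

if __name__ == "__main__":
    for finding in audit_startup_dir(default_startup_dir()) or demo():
        print(finding)
```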
The secondary payload that RoyalRoad delivered is the PortDoor malware, a backdoor that attempts to make contact with a command-and-control server once it's installed, the report notes.
Once the connection to the command-and-control server is established, data can be sent to the attack group using TCP over raw sockets or over HTTPS via a proxy server. PortDoor can also escalate privileges within the compromised network by stealing explorer.exe tokens, according to the report.
The PortDoor malware can then gather information about a device and use AES-based encryption to send that data back to the attackers. The researchers also note the backdoor uses a technique called dynamic API resolving to avoid detection.
"The backdoor is able to hide most of its main functionality and avoid static detection of suspicious API calls by dynamically resolving its API calls instead of using static imports," according to the report.
While the Cybereason report notes that several Chinese attack groups are known to use the RoyalRoad exploit builder, the researchers could not determine which group was behind the attack against the Russian defense company because the PortDoor malware did not contain code similar to other malware used by these groups.
The researchers note, however, that the version of RoyalRoad used in this attack had been previously deployed by three groups, Tonto Team, TA428 and Rancor, and that at least two of these have previously shown interest in targeting Russian organizations.
"Both the Tonto Team and TA428 threat actors have been observed attacking Russian organizations in the past, and more specifically, attacking research and defense-related targets," Cybereason says. "When comparing the spear-phishing email and malicious documents in these attacks with previously examined phishing emails and lure documents used by the Tonto Team to attack Russian organizations, there are certain similarities in the linguistic and visual style used by the attackers in the phishing emails and documents."
The Cybereason researchers also note that an unknown or undocumented attack group could also have created and deployed PortDoor.