A hacking group believed to be working for the Chinese government has attacked a Russian defence enterprise that designs nuclear submarines for the Russian Navy.
A phishing email sent to the CEO of the St. Petersburg design bureau Rubin used the Royal Road RTF weaponiser to deliver a previously unknown Windows backdoor, named PortDoor, to the targeted system.
According to the Nocturnus research team at the security company Cybereason, PortDoor is a full-featured backdoor: it can carry out reconnaissance, profile the target, fetch and run additional payloads, escalate privileges, evade antivirus software, encode data with single-byte XOR and exfiltrate data encrypted with AES, among other capabilities.
Royal Road has been a favoured tool of several Chinese hacker groups, among them Goblin Panda, Rancor Group, TA428, Tick and Tonto Team, who have used it in targeted phishing attacks since late 2018. The tool builds malicious RTF documents that exploit vulnerabilities in the Microsoft Equation Editor (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802) to drop custom malware on unsuspecting victims' systems. All three are old, patched bugs: Microsoft removed the Equation Editor component from Office in January 2018, so these documents only work against installations that have missed years of updates.
The hackers followed the same playbook in the recent attack on Rubin's general director: the main infection vector was a phishing email. Earlier Royal Road documents dropped an encrypted payload named “8.t”; this time the malicious document, when opened, dropped an encrypted file named “eo” from which the PortDoor implant is extracted. In other words, the attackers have updated their tooling.
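Because Royal Road documents abuse a single, well-known component, the delivery stage is easy to triage statically before the attachment ever reaches Word. The script below is an added example written for this article, not Cybereason's tooling or anything from Royal Road itself. It scans an RTF for embedded OLE objects whose class is the Equation Editor (ProgID `Equation.3`/`Equation.2`, CLSID `{0002CE02-0000-0000-C000-000000000046}`, both public Microsoft identifiers) and for the `\objupdate` control word that makes the object activate on open. The two sample documents are constructed for the demonstration and contain no exploit; the function names are the example's own.

```python
"""Static triage of an RTF attachment for Equation Editor OLE objects.

Added example, not the page's or Cybereason's code. The sample RTFs below
are constructed to mimic the shape of a weaponised document; they carry no
real exploit. Detection keys are public Microsoft identifiers: the Equation
Editor ProgID "Equation.3" and its CLSID {0002CE02-0000-0000-C000-000000000046}.
"""
import re
import uuid

# CLSID as it appears on disk in OLE structures (little-endian field order).
EQUATION_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le
EQUATION_PROGIDS = (b"Equation.3", b"Equation.2")

_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
_OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\{};]+)")


def _decode_objdata(hexblob: bytes) -> bytes:
    """\\objdata carries the OLE object as hex text; strip whitespace and decode."""
    h = re.sub(rb"\s+", b"", hexblob)
    if len(h) % 2:          # tolerate a truncated trailing nibble
        h = h[:-1]
    return bytes.fromhex(h.decode("ascii"))


def scan_rtf(data: bytes) -> dict:
    """Return findings and a verdict for one RTF file's bytes."""
    findings = []
    equation = False

    # Word accepts truncated headers such as "{\rt"; attackers use that to dodge
    # naive magic checks, so a non-standard header is itself worth noting.
    if not data.lstrip().startswith(b"{\\rtf"):
        findings.append("non-standard RTF header")

    obj_count = len(re.findall(rb"\\object\b", data))
    if obj_count:
        findings.append(f"{obj_count} embedded OLE object(s)")
    if re.search(rb"\\objupdate\b", data):
        findings.append("\\objupdate: object activates automatically on open")

    # Declared class of each object (cheap, but attackers can omit it).
    for m in _OBJCLASS_RE.finditer(data):
        cls = m.group(1).strip()
        if cls.lower().startswith(b"equation"):
            findings.append(f"objclass {cls.decode(errors='replace')}")
            equation = True

    # Decode the object payload and look for the ProgID / CLSID inside it;
    # this catches objects whose \objclass was left out or lies.
    for m in _OBJDATA_RE.finditer(data):
        blob = _decode_objdata(m.group(1))
        if any(p in blob for p in EQUATION_PROGIDS):
            findings.append("Equation Editor ProgID in objdata")
            equation = True
        if EQUATION_CLSID in blob:
            findings.append("Equation Editor CLSID in objdata")
            equation = True

    verdict = "suspicious: Equation Editor object" if equation else "no Equation Editor object"
    return {"findings": findings, "equation_editor": equation, "verdict": verdict}


# Constructed sample: OLE1 header (version, embedded format, ProgID) followed
# by a stub "native" blob holding the compound-document magic and the CLSID.
SAMPLE_WEAPONISED = (
    rb"{\rtf1\ansi"
    rb"{\object\objemb\objupdate{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000 02000000 0b000000 4571756174696f6e2e3300"
    rb" 00000000 00000000 18000000 d0cf11e0a1b11ae1"
    rb" 02ce020000000000c000000000000046}}"
    rb"}"
)
# Constructed benign document with no embedded objects at all.
SAMPLE_BENIGN = rb"{\rtf1\ansi\deff0 {\fonttbl{\f0 Calibri;}} Quarterly report.\par}"

if __name__ == "__main__":
    for name, doc in (("weaponised", SAMPLE_WEAPONISED), ("benign", SAMPLE_BENIGN)):
        result = scan_rtf(doc)
        print(f"{name}: {result['verdict']}")
        for f in result["findings"]:
            print(f"  - {f}")
```

Run it on a mail-gateway quarantine directory by feeding each attachment's bytes to `scan_rtf`; any hit on the ProgID or CLSID is a strong signal, since legitimate documents have had no reason to embed Equation Editor objects since the component was removed. The check is deliberately static and never activates the object, so it is safe to run on untrusted files.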
“The infection vector, social engineering style, the use of RoyalRoad in attacks against similar targets, and the similarities between the recently discovered backdoor and other known Chinese APT malware all point to attackers acting in China’s public interest,” the researchers said.
The Rubin Central Design Bureau for Marine Engineering is one of the leading Soviet and Russian enterprises in the design of submarines, both diesel-electric and nuclear.