01 May 21, 09:41
Quote:A previously undocumented backdoor malware, dubbed PortDoor, is being used by a probable Chinese advanced persistent threat actor (APT) to target the Russian defense sector, according to researchers.
The Cybereason Nocturnus Team observed the cybercriminals specifically going after the Rubin Design Bureau, which designs submarines for the Russian Federation’s Navy. The initial target of the attack was a general director there named Igor Vladimirovich, researchers said, who received a phishing email.
The attack began with the RoyalRoad weaponizer, also known as the 8.t Dropper/RTF exploit builder – a tool that Cybereason said is part of the arsenal of several Chinese APTs, such as Tick, Tonto Team and TA428. RoyalRoad generates weaponized RTF documents that exploit vulnerabilities in Microsoft’s Equation Editor (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802).
The use of RoyalRoad is one of the reasons the company believes Chinese cybercriminals to be behind the attack.
“The accumulated evidence, such as the infection vector, social-engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware, all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests,” according to a Cybereason analysis, published Friday.
Read more: PortDoor Espionage Malware Takes Aim at Russian Defense Sector | Threatpost