
A new Chinese malware campaign targets Russia's largest nuclear submarine designer. Chinese state-sponsored hackers went after the general director of the Rubin Design Bureau and were able to deliver "PortDoor", a previously undocumented Windows backdoor, through a document weaponized with the infamous "Royal Road" Rich Text Format (RTF) builder.

According to Cybereason's Nocturnus threat intelligence team, PortDoor comes with multiple functionalities: reconnaissance and target profiling, delivery of additional payloads, privilege escalation, process manipulation, evasion of static antivirus detection, one-byte XOR encryption of its data, AES-encrypted data exfiltration, and more.
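The one-byte XOR encryption listed above is the weakest link an analyst meets when unpacking a sample like this. The following is an added example (not Cybereason's code, and not PortDoor's routine) showing the three ways the key byte is usually recovered: from a known plaintext prefix, from null padding in the encrypted blob, and by brute force over all 256 keys ranked by how text-like the output is. The plaintext, the documentation address 203.0.113.10 and the key 0x5A are all constructed for the demo.

```python
import string
from typing import List, Optional, Tuple

# Constructed sample: a fake C2 URL, the kind of short string a single-byte XOR
# routine typically protects. 203.0.113.10 is an RFC 5737 documentation
# address and 0x5A is an arbitrary key chosen for this demo.
PLAIN = b"http://203.0.113.10/update.php"
KEY = 0x5A

def xor1(data: bytes, key: int) -> bytes:
    """Encrypt or decrypt with a single repeating key byte (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)

CIPHER = xor1(PLAIN, KEY)

# Constructed "config blob": the same string in a fixed-size field padded with
# nulls, as binaries commonly store configuration.
CONFIG_BLOB = xor1(PLAIN + b"\x00" * 32, KEY)

# Bytes we expect to dominate readable configuration data.
TEXTLIKE = set(string.ascii_letters.encode() + string.digits.encode() + b" .:/_-?=&%\r\n\t")

def text_score(buf: bytes) -> float:
    """Fraction of bytes that look like configuration text; 1.0 means fully text-like."""
    return sum(b in TEXTLIKE for b in buf) / max(len(buf), 1)

def key_from_known_plaintext(cipher: bytes, known: bytes, offset: int = 0) -> Optional[int]:
    """Strategy 1: if the plaintext at `offset` is known ("MZ" for a PE, "http"
    for a URL), the key is cipher[offset] ^ known[0]. Confirm it reproduces the
    whole known run; otherwise the guess was wrong and None is returned."""
    key = cipher[offset] ^ known[0]
    return key if xor1(cipher[offset:offset + len(known)], key) == known else None

def key_from_most_common_byte(cipher: bytes) -> int:
    """Strategy 2: null padding encrypts to the key byte itself, so in a blob
    with many 0x00 bytes the most frequent cipher byte is the key."""
    return max(range(256), key=cipher.count)

def brute_force(cipher: bytes,
                tokens: Tuple[bytes, ...] = (b"http", b"MZ", b".dll", b".exe")) -> List[Tuple[int, bytes]]:
    """Strategy 3: try all 256 keys, keep those whose output contains an
    expected token, and rank them by how text-like the result is (best first)."""
    hits = []
    for k in range(256):
        p = xor1(cipher, k)
        if any(t in p for t in tokens):
            hits.append((text_score(p), k, p))
    hits.sort(reverse=True)
    return [(k, p) for _, k, p in hits]

if __name__ == "__main__":
    print("known-plaintext key: 0x%02x" % key_from_known_plaintext(CIPHER, b"http"))
    print("null-padding key:    0x%02x" % key_from_most_common_byte(CONFIG_BLOB))
    for k, p in brute_force(CIPHER):
        print("brute-force key 0x%02x -> %r" % (k, p))
```

Strategy 2 is the one to reach for on an unknown blob: it needs no guess about content, only that the plaintext contains more zero bytes than any other value, which holds for almost any padded structure. Strategy 3 is the fallback for short, dense strings where no single byte dominates.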

Rubin Design Bureau is a submarine design center located in Saint Petersburg. It accounts for the design of over 85% of the submarines in the Soviet and Russian Navy since its origins in 1901, including several generations of strategic missile submarines.

Royal Road has been the tool of choice for exploiting flaws in Microsoft's Equation Editor (CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802) since late 2018. Goblin Panda, Rancor Group, TA428, Tick, and Tonto Team are among the groups known to use it, running spear-phishing campaigns that deliver custom malware to high-value targets through malicious RTF documents.
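Because Royal Road documents reach Equation Editor through an embedded OLE object, the first triage step on a suspicious RTF is to pull out every object group and look at what it claims to be. The script below is an added example, not code from Cybereason or from the Royal Road builder: it walks the RTF brace structure, extracts each object's class name and hex-encoded objdata, and flags objects that reference an Equation Editor class or carry the \objupdate control word, which asks Word to load the object as soon as the document opens. The sample RTF is constructed, contains only a hand-built OLE1 header rather than an exploit, and the set of class names and the \objupdate heuristic are the author's assumptions, not details taken from the report.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a minimal RTF with one embedded OLE object whose class
# name is Equation Editor's (Equation.3) and which is marked \objupdate. The
# objdata is a hand-built OLE1 header (version, format, class name) only.
SAMPLE_RTF = r"""{\rtf1\ansi
{\object\objemb\objupdate{\*\objclass Equation.3}{\*\objdata
01050000020000000b0000004571756174696f6e2e3300000000 }}
Quarterly report attached.}"""

BENIGN_RTF = r"{\rtf1\ansi Just a plain text note.}"

# Class names under which Equation Editor objects are embedded (assumed set).
EQUATION_CLASSES = {"equation.2", "equation.3", "equation.dsmt4"}

def _group_end(text: str, start: int) -> int:
    """Return the index just past the brace that closes the group opened at text[start]."""
    depth, i = 0, start
    while i < len(text):
        c = text[i]
        if c == "\\":            # control symbol or escaped brace: skip the next char
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(text)

def extract_objects(rtf: str) -> List[Dict]:
    """Pull every embedded object group out of the document with its class
    name, its decoded objdata bytes, and whether it is marked for auto-update."""
    objects = []
    for m in re.finditer(r"\{\\object\b", rtf):
        group = rtf[m.start():_group_end(rtf, m.start())]
        cls = re.search(r"\\\*\\objclass\s+([^\s{}\\]+)", group)
        data = re.search(r"\\\*\\objdata\s*([0-9A-Fa-f\s]+)", group)
        raw = b""
        if data:
            hexstr = re.sub(r"\s+", "", data.group(1))
            raw = bytes.fromhex(hexstr[: len(hexstr) - len(hexstr) % 2])
        objects.append({
            "objclass": cls.group(1) if cls else None,
            "objupdate": "\\objupdate" in group,
            "objdata": raw,
        })
    return objects

def triage(rtf: str) -> List[Tuple[int, List[str]]]:
    """Flag objects that point at Equation Editor or force themselves to load.
    Returns (object index, list of reasons) for every suspicious object."""
    findings = []
    for idx, obj in enumerate(extract_objects(rtf)):
        reasons = []
        if (obj["objclass"] or "").lower() in EQUATION_CLASSES:
            reasons.append("objclass %s is Equation Editor" % obj["objclass"])
        # Some builders omit objclass; the OLE1 header inside objdata still
        # carries the class name, so check the decoded bytes as well.
        if b"Equation" in obj["objdata"]:
            reasons.append("OLE1 header in objdata names an Equation class")
        if obj["objupdate"]:
            reasons.append("objupdate forces the object to load on open")
        if reasons:
            findings.append((idx, reasons))
    return findings

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_RTF):
        print("object %d:" % idx)
        for r in reasons:
            print("  -", r)
```

The check on the decoded objdata matters more than the objclass check: the class keyword is optional in RTF and is trivially omitted or renamed by a builder, while the OLE1 header must name the real class for Word to instantiate it.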

Content of the weaponized RTF document

The latest attack follows the same pattern: a spear-phishing email sent to the submarine design firm serves as the initial infection vector. Opening the attached weaponized document drops an encoded file named "e.o", which is then used to deliver the PortDoor implant. Earlier Royal Road samples dropped a file named "8.t", so the new filename suggests a new variant of the weaponizer is in use.

PortDoor covers the full backdoor gamut. It profiles the victim machine and is engineered with obfuscation and persistence in mind; it escalates privileges, downloads and executes arbitrary payloads received from an attacker-controlled server, and sends the results back to that server.

According to the researchers, the use of Royal Road against similar targets, together with other similarities between the newly discovered backdoor and known Chinese APT malware, bears the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests.