Cybereason has announced the discovery of PortDoor, a stealthy, undocumented malware developed by Chinese APT threat actors likely operating on behalf of Chinese state-sponsored interests and targeting Russia’s defense industry.
Cybereason discovered PortDoor while tracking recent developments in the RoyalRoad weaponizer, also known as the 8.t Dropper/RTF exploit builder. Over the years, this tool has become a part of the arsenal of several Chinese-related threat actors such as Tick, Tonto Team and TA428, all of which employ RoyalRoad regularly. PortDoor is delivered through spear-phishing attacks against high value targets.
Through Cybereason’s investigation, it was determined the target of the attack was a general director working at the Rubin Design Bureau, a Russian-based defense contractor that designs nuclear submarines for the Russian Federation’s Navy.
“RoyalRoad has been one of the most used tools by Chinese threat actors in recent years. It is mostly used in spear-phishing campaigns to lure victims into opening malicious documents. As the threat actors made changes to the RoyalRoad weaponizer, it is an indication they are trying to avoid ‘low hanging fruit’ detections to steal sensitive information from Russian defense contractors,” said Assaf Dahan, Senior Director, Head of Threat Research, Cybereason.
PortDoor Key Findings
- RoyalRoad Variants are Under Development: The variant of the RoyalRoad weaponizer examined altered its encoded payload from the known “8.t” file to a new filename: “e.o”. More new variants are likely to be under development as well.
- Previously Undocumented Backdoor: The newly discovered RoyalRoad RTF variant examined also drops a previously undocumented and stealthy backdoor dubbed PortDoor which is designed with obfuscation and persistence in mind.
- Highly Targeted Attack: The threat actor is specifically targeting the Rubin Design Bureau, a part of the Russian defense sector designing submarines for the Russian Federation’s Navy.
- Extensive Malware Capabilities: Portdoor has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more.
- APT Group Operating on Behalf of Chinese State Interests: The accumulated evidence such as the infection vector, social engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests.