December 9, 2023

China-linked APT group targets a Russian defense contractor involved in designing nuclear submarines for the Russian Navy.

The state-sponsored hackers sent spear-phishing messages to a general director working at the Rubin Design Bureau, in Saint Petersburg, which is one of three main Russian centers of submarine design.

The spear-phishing messages used a malicious Rich Text File (RTF) document that included descriptions of an autonomous underwater vehicle.

The RTF documents were weaponized with a tool known as the 8.t Dropper/RTF exploit builder. This tool was widely adopted by several China-linked threat actors, including Tick, Tonto Team and TA428.

The weaponized RTF documents generated with the exploit builder are able to trigger the CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802 vulnerabilities in Microsoft’s Equation Editor. The documents were used to deliver a previously undocumented backdoor, tracked as PortDoor.

The PortDoor backdoor implements multiple functionalities, including reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, and AES-encrypted data exfiltration.

The attribution of the cyber espionage campaign is based on similarities with TTPs associated with some Chinese APT groups.

Starting from an investigation conducted by nao_sec, Cybereason experts were able to determine that the RTF file employed in the attack against the Russian defense contractor was weaponized with RoyalRoad v7, which bears the indicative “b0747746” header encoding and was previously employed in attacks conducted by the Tonto Team, TA428 and Rancor threat actors.
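Defenders triaging suspicious RTF attachments can hunt for the “b0747746” marker directly. The Python below is an added example, not code from Cybereason or nao_sec. It assumes the encoded payload sits inside an embedded object's `\objdata` hex stream and that the hex is split only by whitespace; the function names and sample documents are constructed for illustration.

```python
import re

# Marker quoted in the article as the RoyalRoad v7 "header encoding".
MARKER = bytes.fromhex("b0747746")

# \objdata control word plus its payload, up to the next brace (assumed layout).
OBJDATA_RE = re.compile(rb"\\objdata([^{}]*)", re.IGNORECASE)


def decode_objdata(raw):
    """Decode an objdata hex stream to bytes.

    RTF readers ignore whitespace between hex digits, so it is removed first.
    Decoding stops at the first non-hex character; streams obfuscated with
    embedded control words need a full RTF parser instead.
    """
    cleaned = re.sub(rb"\s+", b"", raw)
    digits = re.match(rb"[0-9A-Fa-f]*", cleaned).group(0)
    if len(digits) % 2:          # drop a dangling nibble rather than fail
        digits = digits[:-1]
    return bytes.fromhex(digits.decode("ascii"))


def find_marker(rtf, marker=MARKER):
    """Return (object_index, byte_offset) for each marker hit in decoded objdata."""
    hits = []
    for idx, match in enumerate(OBJDATA_RE.finditer(rtf)):
        blob = decode_objdata(match.group(1))
        pos = blob.find(marker)
        while pos != -1:
            hits.append((idx, pos))
            pos = blob.find(marker, pos + 1)
    return hits


# Constructed samples: filler bytes around the marker, hex split across lines.
SAMPLE = (b"{\\rtf1{\\object\\objemb{\\*\\objdata 00112233\n4455 6677\r\n"
          b"b074\n7746 8899}}}")
BENIGN = b"{\\rtf1{\\object\\objemb{\\*\\objdata 00112233 44556677}}}"
TEXT_ONLY = b"{\\rtf1 report mentions b0747746 in body text}"

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE), ("benign", BENIGN), ("text", TEXT_ONLY)):
        print(name, find_marker(doc))
```

A hit is a triage signal to escalate the file for full analysis, not an attribution on its own, since four bytes can occur by chance in large embedded objects.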

The newly discovered backdoor does not seem to share significant code similarities with previously known malware used by the abovementioned groups, other than anecdotal similarities that are quite common to backdoors, leading us to the conclusion that it is not a variant of a known malware, but is in fact novel malware that was developed recently.
