RoyalRoad backdoor delivered via spear phishing was identified in an attack on a Russian-based defense contractor. Credit: Baku Retsu / KrulUA / Getty Images Researchers from Cybereason Nocturnus Team have detected anomalous characteristics in a newly discovered RoyalRoad weaponizer that delivers a previously undocumented backdoor. The researchers have been tracking recent developments in the RoyalRoad when they uncovered an attack targeting a Russian-based defense contractor.Spear-phishing attack targets Russian defense contractorIn this instance, the target of the spear-phishing attack was a general director working at the Rubin Design Bureau, a Russia-based defense contractor that designs nuclear submarines for the Russian Federation’s Navy.The email used to deliver the initial infection vector was addressed to the “respectful general director Igor Vladimirovich” at the Rubin Design Bureau, a submarine design center from the “Gidropribor” concern in St. Petersburg, a national research center that designs underwater weapons. How the RoyalRoad variant worksThe research team defined RoyalRoad as a tool that generates weaponized RTF documents that exploit vulnerabilities in Microsoft’s Equation Editor including CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802. Microsoft’s Equation Editor was included in earlier versions of Word but was removed from all versions in the January 2018 Public Update because of security issues with its implementation. The RoyalRoad weaponizer is also known as the 8.t Dropper/RTF exploit builder. The variant analyzed had altered its encoded payload from the known “8.t” file to a new filename: “e.o”. Once the RTF document is opened and executed, a Microsoft Word add-in file is dropped to the Microsoft Word startup folder, a technique used to bypass detection of automatic execution persistence. The RTF is time-stamped to 2007, another technique used to go undetected.This new variant drops the previously undocumented backdoor dubbed PortDoor, malware with multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more, according to Cybereason Nocturnus. The researchers expect more new variants to be under development. The researchers did not have enough information to attribute this backdoor, but they said: “there are a couple of known Chinese APT groups that share quite a few similarities with the threat actor behind the new malware samples analyzed in this blog.” Specifically, it contained a header encoding previously used by the Tonto Team, TA428 and Rancor threat actors. Related content news Change Healthcare went without cyber insurance before debilitating ransomware attack In doing so, Change exposed itself not just to greater financial risk, but reputational damage too. By John Leyden May 07, 2024 5 mins Data Breach Ransomware news Citrix quietly fixes a new critical vulnerability similar to Citrix Bleed Much similar to Citrix-Bleed, the information disclosure bug was identified within NetScaler devices configured as gateway or virtual servers. By Shweta Sharma May 07, 2024 3 mins Vulnerabilities feature What is IAM? Identity and access management explained IAM is a set of processes, policies, and tools for controlling user access to critical information within an organization. By David Strom May 07, 2024 12 mins Identity Management Solutions IT Leadership Security news Most interesting products to see at RSAC 2024 Tools, platforms, and services that the CSO team recommends 2024 RSA Conference attendees check out. By CSO Staff May 07, 2024 12 mins RSA Conference Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe