Chinese Malware Targeted Russia’s Largest Nuclear Submarine Designer!

An attacker group working for Chinese state-sponsored interests was caught targeting a Russia-based defense contractor that designs nuclear submarines for the naval arm of the Russian Armed Forces.

The phishing attacks targeted the general director of the Rubin Design Bureau and used the well-known Royal Road Rich Text Format (RTF) weaponizer to deliver a previously undocumented Windows backdoor named PortDoor.

What is PortDoor?

PortDoor has several functions: it can reconnoiter and profile the target, deliver additional payloads, escalate privileges, and evade static antivirus detection through XOR encryption, and it exfiltrates data AES-encrypted.

The Rubin Design Bureau is a submarine design center based in Saint Petersburg; it has designed 85% of the submarines in the Russian Navy since 1901, including several strategic missile cruiser submarines.


Royal Road is a tool shared across an array of Chinese attackers, including Goblin Panda, TA428, Tick, Tonto and Rancor Group. It exploits flaws in Microsoft Equation Editor, tracked as CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802. These attackers run spear-phishing campaigns that deliver malicious RTF documents carrying custom malware to high-value targets.

These attacks follow the same pattern: spear-phishing emails about submarine design serve as the initial infection vector. The emails carry a malware-laced document which, when opened, drops an encoded file named e.o that fetches the PortDoor implant.

Earlier versions of Royal Road dropped an encoded payload typically named 8.t, so the new file name implies a new variant of the weaponizer.
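A defender's view of the two traits described above (an Office document handing off to Equation Editor, and the dropper writing its payload as 8.t or e.o), as an added example that is not part of the original article or of any vendor's tooling. The event format, the EQNEDT32.EXE binary name and the sample telemetry are assumptions constructed for this example.

```python
# Added example (not from the original article): a small triage pass over
# constructed endpoint events that flags the two observable traits described
# above: an Office document handing off to Equation Editor (the component hit
# by CVE-2017-11882 / CVE-2018-0798 / CVE-2018-0802) and the RTF dropper
# writing its encoded payload under the Royal Road names "8.t" or "e.o".
# The event layout and process names are assumptions, not a documented format.
import json
from typing import Dict, List

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "wordpad.exe"}
EQUATION_EDITOR = "eqnedt32.exe"   # assumed binary name of MS Equation Editor
ROYAL_ROAD_DROPS = {"8.t", "e.o"}  # payload names quoted in the article

# Constructed sample telemetry, one JSON object per line (raw string, so the
# doubled backslashes reach json.loads as JSON escapes).
SAMPLE_EVENTS = r"""
{"type":"process","image":"C:\\Office\\WINWORD.EXE","parent":"explorer.exe"}
{"type":"process","image":"C:\\Common\\EQNEDT32.EXE","parent":"WINWORD.EXE"}
{"type":"file","image":"C:\\Common\\EQNEDT32.EXE","path":"C:\\Users\\u\\AppData\\Local\\Temp\\e.o"}
{"type":"file","image":"C:\\Office\\WINWORD.EXE","path":"C:\\Users\\u\\Documents\\report.rtf"}
{"type":"process","image":"C:\\Windows\\notepad.exe","parent":"explorer.exe"}
"""

def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage(raw: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious event, in input order."""
    findings: List[Dict[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        image = basename(ev["image"])
        if (ev["type"] == "process" and image == EQUATION_EDITOR
                and basename(ev["parent"]) in OFFICE_PARENTS):
            findings.append({"rule": "office-spawns-equation-editor",
                             "image": image})
        elif (ev["type"] == "file" and basename(ev["path"]) in ROYAL_ROAD_DROPS
                and (image == EQUATION_EDITOR or image in OFFICE_PARENTS)):
            findings.append({"rule": "royal-road-drop",
                             "file": basename(ev["path"])})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The benign WINWORD.EXE write of report.rtf and the unrelated notepad.exe launch produce no findings, so the two rules fire only on the parent/child and drop-name combinations the article describes.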

Summing Up

According to the experts, these attacks are well engineered, with persistence and obfuscation. PortDoor runs the full backdoor gamut, with a wide range of capabilities that let the attacker profile the victim machine, escalate privileges, download and run arbitrary files received from the attacker-controlled server, and export the results back to the attacker.

The researchers also said the attacks use a social-engineering style and a RoyalRoad variant similar to those seen against other targets, and that the backdoor sample shares further similarities with other known Chinese APT malware, bearing the hallmarks of those attackers.
