New Chinese Malware Targeted Russia s Largest Nuclear Submarine Designer
A threat actor believed to be working on behalf of Chinese state-sponsored interests was recently observed targeting a Russia-based defense contractor involved in designing nuclear submarines for the naval arm of the Russian Armed Forces.
The phishing attack, which singled out a general director working at the Rubin Design Bureau, leveraged the infamous Royal Road Rich Text Format (RTF) weaponizer to deliver a previously undocumented Windows backdoor dubbed
PortDoor, according to Cybereason s Nocturnus threat intelligence team. Portdoor has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more, the researchers said in a write-up on Friday.
By Kevin Townsend on April 30, 2021
Researchers at Cybereason say they have discovered an undocumented malware targeting the Russian military sector and bearing the hallmarks of originating in China if not being Chinese state sponsored.
The researchers had been tracking malicious RTFs generated by the RoyalRoad weaponizer (aka the 8.t Dropper/RTF exploit builder), which is known to be often used by Chinese state actors. One sample was found dropping previously unknown malware, that the Cybereason researchers have now called PortDoor.
According to the phishing lure associated with the malicious RTF, the target was a general director working at the Rubin Design Bureau. This is a Russia-based defense contractor that designs nuclear submarines for the Russian Navy.
Baku Retsu / KrulUA / Getty Images
Researchers from Cybereason Nocturnus Team have detected anomalous characteristics in a newly discovered RoyalRoad weaponizer that delivers a previously undocumented backdoor. The researchers have been tracking recent developments in the RoyalRoad when they uncovered an attack targeting a Russian-based defense contractor.
Spear-phishing attack targets Russian defense contractor
In this instance, the target of the spear-phishing attack was a general director working at the Rubin Design Bureau, a Russia-based defense contractor that designs nuclear submarines for the Russian Federation’s Navy.
The email used to deliver the initial infection vector was addressed to the “respectful general director Igor Vladimirovich” at the Rubin Design Bureau, a submarine design center from the “Gidropribor” concern in St. Petersburg, a national research center that designs underwater weapons.
The stealthy backdoor is likely being used by Chinese APTs, researchers said.
A previously undocumented backdoor malware, dubbed PortDoor, is being used by a probable Chinese advanced persistent threat actor (APT) to target the Russian defense sector, according to researchers.
The Cybereason Nocturnus Team observed the cybercriminals specifically going after the Rubin Design Bureau, which designs submarines for the Russian Federation’s Navy. The initial target of the attack was a general director there named Igor Vladimirovich, researchers said, who received a phishing email.
Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.
Serious vulnerabilities in Microsoft Exchange have been exploited by at least 10 APT groups that have been collectively been hitting thousands of companies over the