U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

APT

China-linked APT uses a new backdoor in attacks at Russian defense contractor

A China-linked cyberespionage group targets a Russian defense contractor involved in designing nuclear submarines for the Russian Navy. Cybereason researchers reported that a China-linked APT group targets a Russian defense contractor involved in designing nuclear submarines for the Russian Navy. The state-sponsored hackers sent spear-phishing messages to a general director working at the Rubin Design […]

Pierluigi Paganini, SecurityAffairs, hacking, malware, security news, hacking news, cybersecurity, cyber security news, information security, information security news

A China-linked cyberespionage group targets a Russian defense contractor involved in designing nuclear submarines for the Russian Navy.

Cybereason researchers reported that a China-linked APT group targets a Russian defense contractor involved in designing nuclear submarines for the Russian Navy.

The state-sponsored hackers sent spear-phishing messages to a general director working at the Rubin Design Bureau, in Saint Petersburg, which is one of three main Russian centers of submarine design. Rubin is the largest among the three Soviet/Russian submarine designer centers, having designed more than two-thirds of all nuclear submarines in the Russian Navy.

The spear-phishing messages used a malicious Rich Text File (RTF) document that included descriptions of an autonomous underwater vehicle.

The RTF documents were uncovered by Cybereason Nocturnus Team while investigating recent developments in the RoyalRoad weaponizer, also known as the 8.t Dropper/RTF exploit builder. This tool was widely adopted by several China-linked threat actors, including TickTonto Team and TA428.

The weaponized RTF documents generated with the exploit builder are able to trigger the CVE-2017-11882CVE-2018-0798CVE-2018-0802 vulnerabilities in Microsoft’s Equation Editor.

The documents were used to deliver a previously undocumented backdoor, tracked as PortDoor.

“The newly discovered RoyalRoad RTF variant examined also drops a previously undocumented and stealthy backdoor dubbed PortDoor which is designed with obfuscation and persistence in mind.” reads the analysis published by Cybereason. “The threat actor is specifically targeting the Rubin Design Bureau, a part of the Russian defense sector designing submarines for the Russian Federation’s Navy.”

The Portdoor backdoor implements multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration

The attribution of the cyber espionage campaign is based on similarities with TTPs associated with some Chinese APT groups.

Starting from an investigation conducted by nao_sec, Cybereason experts were able to determine that the RTF file employed in the attack against the Russian defense contractor was weaponized with RoyalRoad v7, which bears the indicative “b0747746” header encoding and was previously employed in attacks conducted by the Tonto Team, TA428 and Rancor threat actors,

Both Tonto Team and TA428 have been linked to attacks targeting Russian research and defense organizations.

“When comparing the spear-phishing email and malicious documents in these attacks with previously examined phishing emails and lure documents used by the Tonto Team to attack Russian organizations, there are certain similarities in the linguistic and visual style used by the attackers in the phishing emails and documents.” continues the report. “The newly discovered backdoor does not seem to share significant code similarities with previously known malware used by the abovementioned groups, other than anecdotal similarities that are quite common to backdoors, leading us to the conclusion that it is not a variant of a known malware, but is in fact novel malware that was developed recently.”

The report published by the experts also includes MITRE ATT&CK Matrix, researchers could contact the security firm for IoCs.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Russian defense contractor)

[adrotate banner=”5″]

[adrotate banner=”13″]