Previously undocumented backdoor targets Microsoft’s Equation Editor

Researchers from Cybereason Nocturnus Team have detected anomalous characteristics in a newly discovered RoyalRoad weaponizer that delivers a previously undocumented backdoor. The researchers have been tracking recent developments in the RoyalRoad when they uncovered an attack targeting a Russian-based defense contractor.

Spear-phishing attack targets Russian defense contractor

In this instance, the target of the spear-phishing attack was a general director working at the Rubin Design Bureau, a Russia-based defense contractor that designs nuclear submarines for the Russian Federation’s Navy.

The email used to deliver the initial infection vector was addressed to the “respectful general director Igor Vladimirovich” at the Rubin Design Bureau, a submarine design center from the “Gidropribor” concern in St. Petersburg, a national research center that designs underwater weapons.

How the RoyalRoad variant works

The research team defined RoyalRoad as a tool that generates weaponized RTF documents that exploit vulnerabilities in Microsoft’s Equation Editor including CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802. Microsoft’s Equation Editor was included in earlier versions of Word but was removed from all versions in the January 2018 Public Update because of security issues with its implementation.

The RoyalRoad weaponizer is also known as the 8.t Dropper/RTF exploit builder. The variant analyzed had altered its encoded payload from the known “8.t” file to a new filename: “e.o”. Once the RTF document is opened and executed, a Microsoft Word add-in file is dropped to the Microsoft Word startup folder, a technique used to bypass detection of automatic execution persistence. The RTF is time-stamped to 2007, another technique used to go undetected.

This new variant drops the previously undocumented backdoor dubbed PortDoor, malware with multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more, according to Cybereason Nocturnus. The researchers expect more new variants to be under development.

The researchers did not have enough information to attribute this backdoor, but they said: “there are a couple of known Chinese APT groups that share quite a few similarities with the threat actor behind the new malware samples analyzed in this blog.” Specifically, it contained a header encoding previously used by the Tonto Team, TA428 and Rancor threat actors.