Researchers from Cybereason Nocturnus Team have detected anomalous characteristics in a newly discovered RoyalRoad weaponizer that delivers a previously undocumented backdoor. The researchers have been tracking recent developments in the RoyalRoad when they uncovered an attack targeting a Russian-based defense contractor.Spear-phishing attack targets Russian defense contractorIn this instance, the target of the spear-phishing attack was a general director working at the Rubin Design Bureau, a Russia-based defense contractor that designs nuclear submarines for the Russian Federation\u2019s Navy.The email used to deliver the initial infection vector was addressed to the \u201crespectful general director Igor Vladimirovich\u201d at the Rubin Design Bureau, a submarine design center from the \u201cGidropribor\u201d concern in St. Petersburg, a national research center that designs underwater weapons.How the RoyalRoad variant worksThe research team defined RoyalRoad as a tool that generates weaponized RTF documents that exploit vulnerabilities in Microsoft\u2019s Equation Editor including CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802. Microsoft\u2019s Equation Editor was included in earlier versions of Word but was removed from all versions in the January 2018 Public Update because of security issues with its implementation.The RoyalRoad weaponizer is also known as the 8.t Dropper\/RTF exploit builder. The variant analyzed had altered its encoded payload from the known \u201c8.t\u201d file to a new filename: \u201ce.o\u201d. Once the RTF document is opened and executed, a Microsoft Word add-in file is dropped to the Microsoft Word startup folder, a technique used to bypass detection of automatic execution persistence. The RTF is time-stamped to 2007, another technique used to go undetected.This new variant drops the previously undocumented backdoor dubbed PortDoor, malware with multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more, according to Cybereason Nocturnus. The researchers expect more new variants to be under development.The researchers did not have enough information to attribute this backdoor, but they said: \u201cthere are a couple of known Chinese APT groups that share quite a few similarities with the threat actor behind the new malware samples analyzed in this blog.\u201d Specifically, it contained a header encoding previously used by the Tonto Team, TA428 and Rancor threat actors.