A threat actor believed to be working on behalf of Chinese
state-sponsored interests was recently observed targeting a
Russia-based defense contractor involved in designing nuclear
submarines for the naval arm of the Russian Armed Forces.
The phishing attack, which singled out a general director
working at the Rubin Design Bureau, leveraged the infamous “Royal
Road” Rich Text Format (RTF) weaponizer to deliver a previously
undocumented Windows backdoor dubbed “PortDoor,” according
to Cybereason’s Nocturnus threat intelligence team.
“Portdoor has multiple functionalities, including the ability to
do reconnaissance, target profiling, delivery of additional
payloads, privilege escalation, process manipulation, static
detection antivirus evasion, one-byte XOR encryption, AES-encrypted
data exfiltration and more,” the researchers said[1]
in a write-up on Friday.
Rubin Design Bureau is a submarine design center located in
Saint Petersburg, accounting for the design of over 85% of
submarines[2] in the Soviet and
Russian Navy since its origins in 1901, including several
generations of strategic missile cruiser submarines.
[Figure: Content of the weaponized RTF document]
Over the years, Royal Road has earned its place as a tool of choice[3]
among an array of Chinese threat actors such as Goblin Panda,
Rancor Group, TA428, Tick, and Tonto Team. Known for exploiting
multiple flaws in Microsoft’s Equation Editor[4]
(CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802) as far back as
late 2018, the attacks take the form of targeted spear-phishing
campaigns that utilize malicious RTF documents to deliver custom
malware to unsuspecting high-value targets.
This newly discovered attack is no different: the adversary used a
spear-phishing email addressed to the submarine design firm as the
initial infection vector. The email carries a malware-laced document
which, when opened, drops an encoded file called “e.o” that is used to
fetch the PortDoor implant. The encoded payload dropped by previous
versions of Royal Road typically goes by the name “8.t,” which implies
that a new variant of the weaponizer is in use.
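The two indicators the article describes (an RTF that embeds an Equation Editor object, and a dropped payload stored in encoded form) are the kind of thing an analyst checks first when triaging a suspected Royal Road document. The script below is an added example, not Cybereason's tooling or anything from the original report: it scans a constructed RTF sample for embedded objects whose class name references Equation Editor, pulls out the raw `\objdata` hex blobs, and then tries to recover a single-byte XOR key from a constructed encoded blob. The article only says PortDoor uses one-byte XOR encryption and that “e.o”/“8.t” are encoded; it does not state how those dropped files are encoded, so the XOR-recovery step is an assumption used purely to illustrate the triage technique, and all sample data (the RTF text, the object hex, the fake PE payload and the key 0x5A) is constructed.

```python
import re
import binascii

# Matches the class name of an embedded OLE object, e.g. {\*\objclass Equation.3}
EQUATION_CLASS_RE = re.compile(r"\\objclass\s+([^\s}]+)")
# Matches the hex-encoded body of an embedded object, e.g. {\*\objdata 0105...}
OBJDATA_RE = re.compile(r"\\objdata\s+([0-9A-Fa-f\s]+)")


def find_equation_objects(rtf: str) -> list:
    """Return class names of embedded objects that reference Equation Editor.

    Royal Road documents exploit Equation Editor (CVE-2017-11882,
    CVE-2018-0798, CVE-2018-0802), so an \\objclass naming it is a strong
    triage signal even before the object body is analysed.
    """
    return [c for c in EQUATION_CLASS_RE.findall(rtf) if "equation" in c.lower()]


def extract_objdata(rtf: str) -> list:
    """Decode every \\objdata hex blob in the document into bytes."""
    blobs = []
    for hexdata in OBJDATA_RE.findall(rtf):
        clean = re.sub(r"\s+", "", hexdata)
        if len(clean) % 2:            # tolerate a truncated trailing nibble
            clean = clean[:-1]
        blobs.append(binascii.unhexlify(clean))
    return blobs


def triage(rtf: str) -> dict:
    """Summarise the document: which suspicious classes appear, how many objects."""
    classes = find_equation_objects(rtf)
    return {
        "equation_editor_objects": classes,
        "embedded_object_count": len(extract_objdata(rtf)),
        "suspicious": bool(classes),
    }


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a one-byte XOR key to every byte (encoding and decoding are identical)."""
    return bytes(b ^ key for b in data)


def recover_single_byte_xor(blob: bytes, marker: bytes = b"MZ") -> tuple:
    """Brute-force all 256 one-byte keys; return (key, decoded) for the first
    candidate whose output starts with `marker` (a PE header by default),
    or (None, None) if no key produces it."""
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if candidate.startswith(marker):
            return key, candidate
    return None, None


# ---- Constructed samples (not from the article or any real malware) ----

# Minimal RTF with an embedded object whose class is Microsoft Equation 3.0.
# The objdata hex is a constructed placeholder, not a real exploit object.
SAMPLE_RTF = (
    r"{\rtf1\ansi"
    r"{\object\objemb{\*\objclass Equation.3}"
    r"{\*\objdata 01050000020000000b0000004571756174696f6e2e3300}}"
    r"\par Some harmless text.}"
)

# A benign document for comparison.
BENIGN_RTF = r"{\rtf1\ansi\par Quarterly report.}"

# Stand-in for a dropped encoded file such as the article's "e.o" / "8.t".
# Assumption for illustration only: a PE-like header XORed with one byte.
XOR_KEY_FOR_SAMPLE = 0x5A
FAKE_PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00" + b"This program cannot be run in DOS mode."
ENCODED_SAMPLE = xor_bytes(FAKE_PAYLOAD, XOR_KEY_FOR_SAMPLE)


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, triage(doc))
    key, decoded = recover_single_byte_xor(ENCODED_SAMPLE)
    print("recovered key:", None if key is None else hex(key))
    print("decoded header:", decoded[:8] if decoded else None)
```

`triage` only reports what is structurally present in the RTF; a real pipeline would hand the extracted `objdata` bytes to an OLE parser and a sandbox, and the XOR brute force is only worthwhile after confirming that the dropped file does not already carry a recognisable header.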
Said to be engineered with obfuscation and persistence in mind,
PortDoor runs the backdoor gamut with a wide range of features that
allow it to profile the victim machine, escalate privileges,
download and execute arbitrary payloads received from an
attacker-controlled server, and export the results back to the
server.
“The infection vector, social engineering style, use of
RoyalRoad against similar targets, and other similarities between
the newly discovered backdoor sample and other known Chinese APT
malware all bear the hallmarks of a threat actor operating on
behalf of Chinese state-sponsored interests,” the researchers
said.
References
[1] said (www.cybereason.com)
[2] 85% of submarines (ckb-rubin.ru)
[3] tool of choice (nao-sec.org)
[4] Equation Editor (www.anomali.com)