New Chinese Malware Targeted Russia’s Largest Nuclear Submarine Designer


A threat actor believed to be working on behalf of Chinese state-sponsored interests was recently observed targeting a Russia-based defense contractor involved in designing nuclear submarines for the naval arm of the Russian Armed Forces.

The phishing attack, which singled out a general director working at the Rubin Design Bureau, leveraged the infamous “Royal Road” Rich Text Format (RTF) weaponizer to deliver a previously undocumented Windows backdoor dubbed “PortDoor,” according to Cybereason’s Nocturnus threat intelligence team.

“Portdoor has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more,” the researchers said in a write-up on Friday.

Rubin Design Bureau is a submarine design center located in Saint Petersburg, accounting for the design of over 85% of submarines in the Soviet and Russian Navy since its origins in 1901, including several generations of strategic missile cruiser submarines.

Content of the weaponized RTF document

Over the years, Royal Road has earned its place as a tool of choice among an array of Chinese threat actors such as Goblin Panda, Rancor Group, TA428, Tick, and Tonto Team. Known for exploiting multiple flaws in Microsoft’s Equation Editor (CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802) as far back as late 2018, the attacks take the form of targeted spear-phishing campaigns that utilize malicious RTF documents to deliver custom malware to unsuspecting high-value targets.

This newly discovered attack is no different, with the adversary using a spear-phishing email addressed to the submarine design firm as an initial infection vector. While previous versions of Royal Road were found to drop encoded payloads by the name of “8.t,” the email comes embedded with a malware-laced document, which, when opened, delivers an encoded file called “e.o” to fetch the PortDoor implant, implying a new variant of the weaponizer in use.

Said to be engineered with obfuscation and persistence in mind, PortDoor runs the backdoor gamut with a wide range of features that allow it to profile the victim machine, escalate privileges, download and execute arbitrary payloads received from an attacker-controlled server, and export the results back to the server.
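The two traits the article ties to this campaign, an Equation Editor object inside an RTF lure that drops an encoded "8.t"/"e.o" file and a payload protected with one-byte XOR, are both cheap to triage. The following is an added defensive example, not Cybereason's code; the Equation Editor class name and CLSID, the `\objupdate` control word and the PE-header heuristic are assumptions drawn from public knowledge of these documents, and the RTF and XOR-encoded PE stub are constructed inputs.

```python
import re
from typing import Optional

# Assumed indicators: OLE class name and CLSID of Microsoft Equation Editor,
# the object most Royal Road lures embed to reach CVE-2017-11882 and friends.
EQUATION_MARKERS = (b"equation.3", b"02ce020000000000c000000000000046")
# Dropped payload names from the report: the older "8.t" and the new "e.o".
DROP_NAME_RE = re.compile(rb"(?<![\w.])(8\.t|e\.o)(?![\w.])")

def rtf_indicators(data: bytes) -> dict:
    """Return which Royal Road style indicators appear in an RTF blob."""
    compact = re.sub(rb"\s+", b"", data).lower()   # objdata hex is often wrapped
    found = {
        "is_rtf": data[:5] == b"{\\rtf",
        "equation_object": any(m in compact for m in EQUATION_MARKERS),
        "objupdate": b"\\objupdate" in compact,     # forces the object to load on open
        "drop_names": sorted({m.decode() for m in DROP_NAME_RE.findall(data)}),
    }
    found["suspicious"] = found["is_rtf"] and found["equation_object"] and bool(found["drop_names"])
    return found

def recover_xor_key(blob: bytes) -> Optional[int]:
    """Recover a single-byte XOR key by requiring a plausible PE header after decoding."""
    if len(blob) < 0x44:
        return None
    key = blob[0] ^ 0x4D                            # the only key that yields 'M'
    if blob[1] ^ key != 0x5A:                       # ... and 'Z'
        return None
    dec = bytes(b ^ key for b in blob)
    off = int.from_bytes(dec[0x3C:0x40], "little")  # e_lfanew
    return key if dec[off:off + 4] == b"PE\0\0" else None

# Constructed sample lure: embedded Equation.3 object plus a dropped "e.o" name.
SAMPLE_RTF = (b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
              b"{\\*\\objdata 0105000002000000}} e.o }")

def _pe_stub() -> bytes:
    """Constructed minimal PE header: 'MZ', e_lfanew = 0x40, 'PE\\0\\0' at 0x40."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)

ENCODED_PE = bytes(b ^ 0x37 for b in _pe_stub())  # constructed, key 0x37

if __name__ == "__main__":
    print(rtf_indicators(SAMPLE_RTF))
    print(hex(recover_xor_key(ENCODED_PE)))
```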

“The infection vector, social engineering style, use of RoyalRoad against similar targets, and other similarities between the newly discovered backdoor sample and other known Chinese APT malware all bear the hallmarks of a threat actor operating on behalf of Chinese state-sponsored interests,” the researchers said.

