Previously undocumented backdoor targets Microsoft’s Equation Editor

RoyalRoad backdoor delivered via spear phishing was identified in an attack on a Russian-based defence contractor.

Researchers from the Cybereason Nocturnus Team have detected anomalous characteristics in a newly discovered RoyalRoad weaponiser that delivers a previously undocumented backdoor. The researchers had been tracking recent developments in RoyalRoad when they uncovered an attack targeting a Russia-based defence contractor.

Spear-phishing attack targets Russian defence contractor

In this instance, the target of the spear-phishing attack was a general director working at the Rubin Design Bureau, a Russia-based defence contractor that designs nuclear submarines for the Russian Federation’s Navy.

The email used to deliver the initial infection vector was addressed to the “respectful general director Igor Vladimirovich” at the Rubin Design Bureau, a submarine design centre from the “Gidropribor” concern in St. Petersburg, a national research centre that designs underwater weapons.

How the RoyalRoad variant works

The research team defined RoyalRoad as a tool that generates weaponised RTF documents that exploit vulnerabilities in Microsoft’s Equation Editor including CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802. Microsoft’s Equation Editor was included in earlier versions of Word but was removed from all versions in the January 2018 Public Update because of security issues with its implementation.

The RoyalRoad weaponiser is also known as the 8.t Dropper/RTF exploit builder. The variant analysed had altered its encoded payload from the known “8.t” file to a new filename: “e.o”.

Once the RTF document is opened and the exploit runs, a Microsoft Word add-in file is dropped into the Microsoft Word start-up folder, a persistence technique that gains automatic execution while evading detection. The RTF is time-stamped to 2007, another technique used to avoid attention.

This new variant drops the previously undocumented backdoor dubbed PortDoor, malware with multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static-detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more, according to Cybereason Nocturnus. The researchers expect more new variants to be under development.
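As an added defender-side example (not code from the article or from Cybereason), the Python script below triages an RTF for the traits described above: an embedded Equation Editor object, a creation time back-dated to 2007, and the dropped-file names 8.t and e.o. The RTF control words and the "Equation.3" ProgID are from the RTF specification and Equation Editor; the scoring threshold, the hypothetical function names and the sample document are my own assumptions. It also shows that a one-byte XOR layer can be stripped by trying all 256 keys against a known file header.

```python
import re

# RTF control words (\rt, \objclass, \creatim) come from the RTF specification;
# "Equation.3" is the ProgID used by Equation Editor OLE objects. The dropped-file
# names "8.t" and "e.o" are the ones the article mentions.
EQUATION_CLASSES = (b"equation.3", b"equation.2")
DROPPED_NAME_RE = re.compile(rb"(?<![\w.])(?:8\.t|e\.o)(?![\w.])")

def rtf_indicators(data: bytes) -> dict:
    """Extract triage indicators from one RTF file's raw bytes."""
    low = data.lower()
    m = re.search(rb"\\creatim\\yr(\d{4})", low)
    return {
        # Word accepts a truncated header, so check only the leading "{\rt".
        "is_rtf": low.lstrip().startswith(b"{\\rt"),
        "equation_object": any(c in low for c in EQUATION_CLASSES),
        "creation_year": int(m.group(1)) if m else None,
        "dropped_name": DROPPED_NAME_RE.search(low) is not None,
    }

def triage(data: bytes) -> tuple[int, list[str]]:
    """Score an RTF: each matched heuristic adds a reason (assumed threshold: 2+ => sandbox)."""
    ind = rtf_indicators(data)
    reasons = []
    if not ind["is_rtf"]:
        return 0, reasons
    if ind["equation_object"]:
        reasons.append("embeds an Equation Editor OLE object")
    if ind["creation_year"] == 2007:
        reasons.append("creation time back-dated to 2007")
    if ind["dropped_name"]:
        reasons.append("references a RoyalRoad dropped-file name")
    return len(reasons), reasons

def xor1_keys_for_pe(blob: bytes) -> list[int]:
    """Single-byte XOR is trivially reversible: return every key that turns
    the first two bytes into the 'MZ' PE header (empty list if none)."""
    if len(blob) < 2:
        return []
    return [k for k in range(256) if bytes(b ^ k for b in blob[:2]) == b"MZ"]

# Constructed sample (not a real malicious document): minimal RTF carrying the
# indicators above, plus a fake "MZ" payload encoded with key 0x5A.
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\info{\\creatim\\yr2007\\mo1\\dy1}}"
              b"{\\object\\objemb{\\*\\objclass Equation.3}{\\*\\objdata 0105}}"
              b"\\par e.o}")
SAMPLE_PAYLOAD = bytes(b ^ 0x5A for b in b"MZ\x90\x00")

if __name__ == "__main__":
    n, why = triage(SAMPLE_RTF)
    print(f"score={n}", *why, sep="\n  ")
    print("candidate XOR keys:", xor1_keys_for_pe(SAMPLE_PAYLOAD))
```

Point the script at quarantined attachments only; it flags candidates for sandbox analysis rather than proving maliciousness.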

The researchers did not have enough information to attribute this backdoor, but they said: “there are a couple of known Chinese APT groups that share quite a few similarities with the threat actor behind the new malware samples analysed in this blog.” Specifically, it contained a header encoding previously used by the Tonto Team, TA428 and Rancor threat actors.
