Researchers at Cybereason say they have discovered a previously undocumented malware family targeting the Russian military sector that bears the hallmarks of a Chinese origin, possibly with Chinese state sponsorship.
The researchers had been tracking malicious RTFs generated by the RoyalRoad weaponizer (aka the 8.t Dropper/RTF exploit builder), a tool known to be used frequently by Chinese state actors. One sample was found dropping previously unknown malware, which the Cybereason researchers have now named PortDoor.
According to the phishing lure associated with the malicious RTF, the target was a general director at the Rubin Design Bureau, a Russia-based defense contractor that designs nuclear submarines for the Russian Navy.
Cybereason cannot yet attribute the attack or the malware to any specific actor, but notes that the RTF “bears the indicative ‘b0747746’ header encoding and was previously observed being used by the Tonto Team (aka CactusPete), TA428 and Rancor threat actors.”
Both Tonto Team and TA428 have previously been seen attacking Russian research and defense-related targets. Furthermore, the phishing emails in the PortDoor attack show linguistic and visual similarities to those used in earlier Tonto Team attacks against Russian organizations.
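The ‘b0747746’ header encoding that Cybereason cites is the kind of indicator a defender can sweep inbound RTF attachments for. The script below is an added example written for this page, not Cybereason's code or anything from the report. It assumes, as public RoyalRoad write-ups describe, that the marker appears as the hex digits b0747746 inside the embedded object's \objdata hex stream, and that the stream may be split across lines and written in mixed case, so the check normalizes the stream before searching. The sample documents are constructed for the example and are not real RoyalRoad files.

```python
import re
import sys
from typing import List

# Marker quoted in the article as the indicative RoyalRoad header encoding.
ROYALROAD_MARKER = "b0747746"

# Captures the hex payload that follows an RTF \objdata control word. The payload
# may contain whitespace and line breaks, so those are allowed inside the group.
_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def is_rtf(data: bytes) -> bool:
    """RTF files begin with the {\\rt group opener (malicious samples often truncate
    the full {\\rtf1 header, so only the first four bytes are checked)."""
    return data[:4] == b"{\\rt"


def extract_objdata_hex(rtf: bytes) -> List[str]:
    """Return each \\objdata payload as a lowercase, whitespace-free hex string."""
    blobs = []
    for match in _OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", match.group(1)).lower().decode("ascii")
        if hexstr:
            blobs.append(hexstr)
    return blobs


def has_royalroad_marker(rtf: bytes, marker: str = ROYALROAD_MARKER) -> bool:
    """True when any embedded object's hex stream contains the marker."""
    return any(marker in blob for blob in extract_objdata_hex(rtf))


# Constructed sample (not a real RoyalRoad document): the marker is present in the
# object stream, split across a line break and in upper case, as RTF writers may emit it.
SAMPLE_HIT = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000\n"
    b"B0747746\r\n0000ffff}}}"
)

# Constructed sample of a benign embedded object with no marker in its stream.
SAMPLE_CLEAN = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000\n"
    b"0b0000004571756174696f6e2e3300}}}"
)


def scan_files(paths: List[str]) -> List[str]:
    """Scan the given files and return the paths that carry the marker."""
    flagged = []
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        if is_rtf(data) and has_royalroad_marker(data):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for hit in scan_files(sys.argv[1:]):
            print(f"RoyalRoad marker found: {hit}")
    else:
        print("constructed sample with marker:", has_royalroad_marker(SAMPLE_HIT))
        print("constructed clean sample:", has_royalroad_marker(SAMPLE_CLEAN))
```

Run it with one or more file paths to sweep a mail quarantine folder; with no arguments it checks the two constructed samples. The marker is a single indicator, so a hit is a reason to pull the attachment for analysis, not proof of RoyalRoad on its own, and a miss does not clear a document that uses a different encoding variant.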
However, the researchers note that PortDoor “does not seem to share significant code similarities with previously known malware used by the abovementioned groups… it is not a variant of a known malware, but is in fact novel malware that was developed recently.” Nevertheless, Cybereason believes that PortDoor in this case is ope ..