A Quiet #Espionage Malware


The RoyalRoad tool was seen fetching the unique PortDoor sample once the malicious RTF document is opened, which researchers said was designed with stealth in mind. It has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more.

Once executed, the backdoor decrypts the strings using a hardcoded 0xfe XOR key in order to retrieve its configuration information. This includes the command-and-control (C2) server address, a victim identifier and some other minor information.
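As an added illustration, not code from the article or from Cybereason's analysis, the script below shows how an analyst recovers strings protected by a one-byte XOR key such as the 0xfe key described above; the config layout, hostname and victim identifier are constructed for the demo and do not come from a real sample.

```python
"""Recover one-byte-XOR-encoded configuration strings (PortDoor-style 0xfe key).

All sample data here is constructed; nothing below is taken from a real binary.
"""
from collections import Counter

KEY = 0xFE  # hardcoded single-byte key reported for PortDoor


def xor_decode(data: bytes, key: int = KEY) -> bytes:
    """XOR every byte with the key; XOR is its own inverse, so this also encodes."""
    return bytes(b ^ key for b in data)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes (like the `strings` tool)."""
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode())
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode())
    return found


def recover_key(data: bytes) -> int:
    """Heuristic: NUL padding XORed with a one-byte key yields the key itself,
    so the most frequent byte of a NUL-padded config block is usually the key."""
    return Counter(data).most_common(1)[0][0]


def build_config(host: bytes, victim_id: bytes) -> bytes:
    """Hypothetical fixed-width, NUL-padded config layout used only for this demo."""
    return host.ljust(32, b"\x00") + victim_id.ljust(16, b"\x00")


# Constructed plaintext config and its XOR-encoded form, as it might sit in a binary.
PLAIN_CONFIG = build_config(b"c2.example.invalid", b"VICTIM-0001")
ENCODED_CONFIG = xor_decode(PLAIN_CONFIG)


def decode_config(blob: bytes = ENCODED_CONFIG, key: int = KEY) -> list[str]:
    """Decode a config blob with the given key and pull out its readable strings."""
    return extract_strings(xor_decode(blob, key))


if __name__ == "__main__":
    print("recovered key:", hex(recover_key(ENCODED_CONFIG)))
    print("config strings:", decode_config())
```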

The malware then creates an additional file in %temp% with the hardcoded name “58097616.tmp” and writes the GetTickCount value multiplied by a random number to it: “This can be used as an additional identifier for the target, and also as a placeholder for the previous presence of this malware,” researchers explained.

After that, it establishes its C2 connection, which facilitates the transfer of data using TCP over raw sockets, or via HTTPS – with proxy support. At this point, Cybereason said that PortDoor also has the ability to achieve privilege escalation by stealing explorer.exe tokens.

Then, the malware gathers basic PC info to be sent to the C2, which it bundles with a unique identifier, after which it awaits further instructions.

The C2 commands are myriad:

List running processes

Open process

Get free space in logical drives

Files enumeration

Delete file

Move file

Create process with a hidden window

Open file for simultaneous operations

Write to file

Close handle

Open file and write directly to disk

Look for the “Kr*^j4” string

Create pipe, copy data from it and AES encrypt

Write data to file, append with “\n”

Write data to file, append with “exit\n”

PortDoor also employs an anti-analysis technique known as dynamic API resolving, according to the analysis.

“The backdoor is able to hide most of its main functionality and avoid static detection of suspicious API calls by dynamically resolving its API calls instead of using static imports,” researchers explained.
