
TA428 Backdoors Government and Defense Orgs Using PortDoor

A series of attacks detected in January used the PortDoor backdoor against government and defense organizations in several Eastern European countries.

Attack and the targets

Kaspersky has associated the campaign with a Chinese APT group named TA428. It is known for information theft and espionage attacks, targeting organizations in Eastern Europe and Asia.
  • The attackers compromised the networks of dozens of targets. In some cases, they took control of the victim’s entire IT infrastructure by hijacking systems used for managing security solutions.
  • They used Windows-based malware known as PortDoor.
  • The attack targeted industrial plants, design bureaus, research institutes, government agencies, ministries, and departments in Ukraine, Belarus, Russia, and Afghanistan.

Analysis of the incidents indicates that the primary objective of these attacks was cyberespionage.

PortDoor deployment

  • The attackers sent spear-phishing emails containing insider details about the targeted organizations and exploited the CVE-2017-11882 flaw to deploy PortDoor.
  • Like the other malware families used in this campaign, the PortDoor backdoor lets the attackers collect and exfiltrate system information and files from infected hosts.
  • The group also deployed malware it had used in earlier operations (nccTrojan, Logtu, Cotx, and DNSep), along with a previously unseen backdoor named CotSam.
  • To spread CotSam, the attackers bundled a vulnerable copy of Microsoft Word with the payload: Word 2007 on 32-bit systems and Word 2010 on 64-bit systems.
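As an added defender-side example (not part of the Cyware write-up or Kaspersky's analysis), the following checks process-creation telemetry for the pattern the CVE-2017-11882 lure depends on: the legacy Office Equation Editor (EQNEDT32.EXE) spawning a child process. Field names and the sample events are constructed for illustration.

```python
"""Flag process-creation events consistent with CVE-2017-11882 exploitation.

CVE-2017-11882 is a flaw in the legacy Office Equation Editor (EQNEDT32.EXE).
When a document abuses it, the Equation Editor process launches the payload,
so any child of EQNEDT32.EXE is a strong signal whatever backdoor is dropped.
"""
import ntpath

EQUATION_EDITOR = "eqnedt32.exe"
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe"}


def basename(path):
    """Final component of a Windows path, lower-cased for comparison."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return an alert name for one process-creation event, or None."""
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    if parent == EQUATION_EDITOR:
        # Equation Editor has no legitimate reason to start another process.
        return "equation_editor_child_process"
    if parent in OFFICE_APPS and child in LOLBINS:
        # Office app launching a living-off-the-land binary: lure stage.
        return "office_spawned_lolbin"
    return None


def scan(events):
    """Return [(event_id, alert_name)] for every suspicious event."""
    hits = []
    for event in events:
        alert = classify(event)
        if alert:
            hits.append((event["id"], alert))
    return hits


# Constructed Sysmon-style (Event ID 1) samples; paths and names are made up.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"},
    {"id": 2, "parent_image": r"C:\Windows\System32\svchost.exe",  # OLE server via DCOM, normal
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"id": 3, "parent_image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Users\user\AppData\Local\Temp\update.exe"},  # dropped payload
    {"id": 4, "parent_image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` flags events 3 and 4 while leaving the normal Word and Equation Editor launches alone.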

The stealing

  • After moving laterally inside the networks with tools such as the Ladon hacking utility (used mostly by Chinese threat actors), the attackers obtained domain privileges and collected confidential files.
  • The collected information is sent as encrypted ZIP archives to C2 servers located in various countries; those servers then forward all stolen data to a second-stage server with a Chinese IP address.

Conclusion

The attack wave from the TA428 group is part of a known campaign documented by multiple security firms. Researchers expect such threat groups to continue their activity in the near future, so organizations are advised to maintain in-depth, multi-layered security to stay protected.

Publisher: Cyware