background image
Blog DomainTools Research

An Undersea Royal Road: Exploring Malicious Documents and Associated Malware

Background

Since at least 2017, various threat actors, generally associated with or assessed to be located in the People’s Republic of China (PRC), utilized a malicious document builder referred to as Royal Road as part of phishing activity. Observed in conjunction with multiple, distinct threat actors, Royal Road provides a mechanism to embed malicious, encoded objects within Rich Text Format (RTF) files. Code execution and object delivery relies on exploiting one of several vulnerabilities in the Microsoft Equation Editor.

As documented by several researchers, multiple adversaries utilize Royal Road to target various industries for the delivery of diverse payload types in victim environments.

Multiple adversaries utilize Royal Road to target various industries for the delivery of diverse payload types in victim environments.

As of this writing, over seven distinct threat groups are assessed to use Royal Road documents for initial access operations, with incidents primarily targeting East and Southeast Asia as well as Russian entities. 

In April 2021, DomainTools researchers identified a malicious document matching Royal Road characteristics in a commercial malware database. Further research indicated initial discovery by researchers from Proofpoint. Aside from representing an evolution in Royal Road-related documents and post-exploitation behaviors, available information indicates interesting targeting emphasis for the identified campaign.

Email and Dropper Documents

Although DomainTools initially discovered the activity in question via a malicious document, review of various sources linked the document to an email as the delivery vector:

Review of various sources linked the document to an email as the delivery vector.

While technically nondescript—the message is just a brief note with the malicious RTF attached—other contextual details are quite interesting. Examining the actual content and addressing, the following observations emerge:

  • For timing and context purposes, the email was sent on 01 April 2021.
  • The message sender uses a mail.ru address, but attempts to spoof the legitimate Gridroprobor underwater technology and weapons research center associated with military research and development for the Russian Federation.
  • The message recipient is the general contact address for the Rubin Design Bureau, one of three submarine design bureaus supporting the Russian navy.
  • Although sent to a general contact address, the message is addressed to General Director “Igor Vladimirovich,” likely referring to Rubin’s current director Igor V. Vilnit.
  • The message subject and attachment name references Autonomous Underwater Vehicles (AUVs).
  • The email signature references the address and contact information for Gridroprobor in Saint Petersburg.

While all of these items could be identified via open source research and analysis, they  represent a level of specificity in theme and likely targeting for the message. Based on the available details, the entity responsible for constructing and sending this message went to some effort to mimic an existing relationship between state-directed organizations researching submarine and underwater weapons technologies on behalf of the Russian Federation. These themes carry over into the malicious RTF itself:

These themes carry over into the malicious RTF itself.

The document, “preliminary design results for the AUV,” is simple with a banner graphic and several perspectives of what appear to be an AUV design. The document has the following identifying characteristics:

MD5: 027f5ae272bbb6bbc3e1fdf230a4e3f6

SHA1: 57142832e5453cb0e2c3e6c1a3d7536131b3ed72

SHA256: 774a54300223b421854d2e90bcf75ae25df75ba9f3da1b9eb01138301cdd258f

Reviewing document metadata shows several interesting characteristics:

  • An original document creation timestamp of 25 May 2007, indicating either the use of deliberate manipulation of timestamps or refreshing an existing template for malicious use.
  • An “Author” value of “pc-1.”
  • A primary document character set of Simplified Chinese.

Further examination of the document (using the OLEtools framework) reveals embedded objects following the same patterns (although with slightly different naming conventions) as historical Royal Road activity:

Further examination of the document reveals embedded objects following the same patterns.

The first OLE object is a file containing obfuscated code, while the second contains the Microsoft Equation Editor exploit. When opened in a vulnerable version of Microsoft Word, the document will write the first OLE object to disk to the following location:

C:Users[Executing User]AppDataLocalTempe.o

Next, the Equation Editor will launch, decode the content of “e.o”, and write a Dynamic-Link Library (DLL) object in the form of a Microsoft Office add-in item to disk:

C:Users[Executing User]AppDataRoamingMicrosoftWordSTARTUPwinlog.wll

In addition to writing the above file, the “e.o” object is also removed as part of this process. At this point, behavior from the weaponized document ceases and no further, direct action takes place from exploitation.

Identifying Malware Execution and Persistence Mechanisms

The penultimate action described above, writing the “winlog.wll” DLL to the Word STARTUP location, represents the next stage of execution as well as persistence within the victim environment. As previously documented with respect to Royal Road, the use of WLL file types—typically associated with Microsoft Word add-in objects—ensures the execution of the malicious DLL every time Microsoft Word launches in the future.

In this specific case, winlog.wll is called via the following convention:

Rundll32.exe winlog.wll,DllEntry28 [Current System Time in Unix Timestamp Format]

When analyzed, the DLL (specifically the “DllEntry28” export) contains a number of system and analysis checks, preventing execution in monitored environments. However, further analysis of the file indicates that direct functionality can be triggered by calling export “DllEntry18” with no parameters. This combination of follow-on execution taking place the next time Word is opened combined with the checks present in the default DLL export called during startup provide a relatively simple, if effective, mechanism to evade sandbox and behavioral analysis. Overall execution flow aligns with the following:

Overall execution flow aligns with the following.

 

Malware Analysis and Infrastructure

The malicious DLL merits further investigation. The file appears compiled mere days before the phishing email was sent (27 March 2021), and has the following characteristics:

MD5: 70da6872b6b2da9ddc94d14b02302917

SHA1: b2da45913353bfc66d189455f9ad80ef26968143

SHA256: 2d705f0b76f24a18e08163db2f187140ee9f03e43697a9ea0d840c829692d43c

While “DllExport18” and “DllExport28” are the only functional exports for the DLL, the DLL references a total of 34 exported functions (from “DllExport00” to “DllExport33”). Aside from the two already discussed, the remainder have no associated functionality, and potentially represent a diversion or another anti-analysis technique.

When executed via “DllExport18,” the malware sends a single beacon via TCP 443 to the following IP address:

45.63.27[.]162

Hosted in Australia and part of the Vultr or CHOOPA hosting service, a review of DomainTools Passive DNS (pDNS) data shows no active domain resolutions since November 2020.

Hosted in Australia and part of the Vultr or CHOOPA hosting service, a review of DomainTools Passive DNS (pDNS) data shows no active domain resolutions since November 2020.

Since late 2020, the IP address appears to be dormant until incorporation into this campaign in early 2021.

Examining the DLL further identifies potential additional functionality through plaintext strings. Specifically, there appear to be references for building HTTP headers, including items such as hard-coded User Agent strings, for additional communication:

CONNECT %s:%d HTTP/1.0

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362

Proxy-Connection: Keep-Alive

Content-Length: 0

HOST: %s

Pragma: no-cache

%s:%s

Based on analysis of the DLL, functionality appears to be determined by receiving a response to the initial beacon. The strings identified above indicate the DLL may then respond via HTTP CONNECT methods for subsequent Command and Control (C2) communication.

Additional Document Files

DomainTools researchers attempted to identify additional samples that might be indicative of a wider campaign with similar characteristics. While we were unable to identify any additional samples of the malicious DLL, further searching on document metadata identified two additional documents with identical functionality:

SHA256File NameFirst Observed
b60c9b59e03101277196bce597701eab5cfb0fd6b37442a5029673a11ffb9295Перспектива_A.rtf09 April 2021
aec6271de4436ddf0067e67c389cbddb82f73d749e4713f5c8b375ad0ee7da9cN/A05 April 2021

While the documents have the same ultimate functionality (including identical embedded OLE objects), the presentation of the documents themselves is somewhat different. One features just the diagram portion of the item originally analyzed in this report, while the other features a limited text snippet. 

Observation dates indicate visibility after the construction and delivery of the original RTF analyzed in this report (01 April 2021), this information only indicates when the items appeared in third-party datasets as opposed to their actual creation or construction. One possibility is that these less well-formed documents are testing or similar variants for the more refined item delivered in the phishing campaign. How they ended up in a commercial malware repository would be unknown, although we would also need to consider these documents being used in other, unidentified phishing campaigns as well. Irrespective of origin, these documents tentatively indicate a wider scope to this activity than a single phishing email attachment.

Conclusion

The identified activity represents an evolution of Royal Road malicious RTF functionality, including a new naming schema for embedded OLE objects and a DLL payload that appears noticeably different from previous objects delivered via this technique. From a defender’s perspective, this campaign leverages a number of items that can be identified, prevented, or potentially forbidden via policy: using updated Microsoft Office software to eliminate the vulnerability; tracking odd process execution chains such as rundll32.exe spawned from a Microsoft Office process; or identifying odd communication items such as a direct-to-IP HTTP CONNECT observations.

While defensive countermeasures to this campaign are within reach for many organizations, the targeting and possible intent behind this document are curious. Given the email delivery address, themes, and document contents, DomainTools concludes with high confidence that this campaign targets underwater research and weapon development organizations in the Russian Federation. Furthermore, the historical pattern of activity associated with Royal Road operations combined with the observed language set used in the primary document analyzed in this report would strongly suggest a relationship to at minimum Chinese language entities, if not the PRC itself. However, insufficient evidence exists given paucity of samples and minimal observed targeting and communication to make such a link at anything greater than low confidence.

Irrespective of attribution, the identified phishing instance shows the continued use and evolution of a malicious document framework widely deployed by many threat actors. Combined with the sensitive targeting and the attempts at hardening the ultimate payload, it appears the adversary went to some effort to evade analysis of their activity as well. Although this campaign appears specifically targeted to an entity in the Russian Federation, the underlying behaviors of this campaign—from malicious document usage through binary execution guardrails and controls—provide helpful insight into adversary tradecraft from which all defenders can learn valuable lessons.