Analyzing the Royal Road to Space Pirates

26 May 2022

While the actual blog post has been difficult to access for some, Positive Technologies released research on the Space Pirates APT group that has been spotted intruding on government, IT, and critical infrastructure networks in Russia, Georgia, and Mongolia.

Believed to be operating since at least 2019, the Space Pirates group has been able to sustain access to victim networks for a considerable amount of time, in some cases over a year.

While the group utilized a myriad of different malware tools to gain and maintain access, this post will focus on an RTF file utilizing the Royal Road builder.

Royal Road?

There are already plenty of detailed articles on the ins and outs of the Royal Road builder, so I will give a quick overview here and link to people smarter than I for additional information.

Perhaps better described as a weaponizer than a builder, Royal Road (named by Anomali) has been used in a number of targeted attacks believed to be tied to Chinese threat actor groups since around 2017.

The builder or weaponizer allows a threat actor to handcraft a weaponized RTF file that exploits Microsoft’s Equation Editor through either CVE-2017-11882 or CVE-2018-0802.

A few tell-tale signs of Royal Road documents are the “8.t” dropper, as well as a number of object dimension strings used to track versions of the malicious builder.

The Document

MD5: 1690766e844034b3c2ab4f853bd59df7
SHA1: 8993d0d5ec2f898eb8d1b8785cc5bb3275b43571
SHA256: 7079d8c92cc668f903f3a60ec04dbb2508f23840ef3c57efffb9f906d3bc05ff

The above document represents a lure believed to be utilized by the Space Pirates APT, taken from a Wikipedia page for former Seoul mayor, Park Won-soon.

Anomali highlighted the same lure document in a 2019 blog post [1] but did not provide specifics on the malware or its capabilities.

Using the oletools framework to extract information from the lure document, it quickly becomes apparent that this is indeed an 8.t weaponizer.

As can be seen in the rtfobj output above, the document drops “8.t” to the %TEMP% directory. In reality, 8.t is an XOR-encrypted dropper that writes the file “secinit.exe” to the AppData\Local directory.

Extracting the above object and decoding it with nao_sec’s rr_decode, we can obtain the secondary file without ever opening the document.

If you haven’t read nao_sec’s “An Overhead View of the Royal Road” article [2], I would highly recommend reading it now!

The encoding identified above, together with the object strings (objw2180 objh300 objdata 554567…), suggests the Space Pirates group may have used v4 of Royal Road in this campaign; the object dimension strings are the version fingerprint that the builder leaves behind.
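As an added example (not code from the post, nor from oletools or rr_decode), the following Python triage script parses the two Royal Road tell-tales quoted on this page: it pulls the \objw/\objh dimension pair, takes the longest \objdata hex run (the nested \objdata seen in the Strings section is a common obfuscation), and decodes the OLE 1.0 header so the embedded class name (“Equation.3”) becomes readable. The sample RTF is constructed from the header quoted below; the eight bytes after the header are a placeholder tail, and the dimension pair in ROYAL_ROAD_DIMS is the one this post associates with Royal Road v4.

```python
import re
import struct

# Constructed sample built from the object header quoted in the post; the eight
# bytes after the header are a placeholder tail, not the real payload.
SAMPLE_RTF = (
    r"{\rtf1 {\object\objemb\objw2180\objh300{\*\objdata "
    "01050000020000000b0000004571756174696f6e2e33000000000000000000"
    "08000000d0cf11e0a1b11ae1 }}}"
)

# Dimension pair the post associates with Royal Road v4 documents.
ROYAL_ROAD_DIMS = {(2180, 300)}


def _u32(blob: bytes, pos: int) -> int:
    """Little-endian uint32 at pos, failing loudly on a truncated header."""
    if pos + 4 > len(blob):
        raise ValueError(f"objdata truncated at offset {pos}")
    return struct.unpack_from("<I", blob, pos)[0]


def parse_ole1_header(blob: bytes) -> dict:
    """Walk the OLE 1.0 object header that opens every \\objdata stream."""
    version, format_id, name_len = _u32(blob, 0), _u32(blob, 4), _u32(blob, 8)
    raw_name = blob[12:12 + name_len]
    class_name = raw_name.split(b"\x00", 1)[0].decode("ascii", "replace")
    pos = 12 + name_len
    pos += 4 + _u32(blob, pos)          # TopicName length + bytes
    pos += 4 + _u32(blob, pos)          # ItemName length + bytes
    native_size = _u32(blob, pos)       # size of the embedded object data
    return {"version": version, "format_id": format_id,
            "class_name": class_name, "native_data_size": native_size,
            "native_data_present": len(blob) - pos - 4}


def triage_rtf(rtf: str) -> dict:
    """Extract the Royal Road tell-tales: object dimensions and OLE class name."""
    objw = re.search(r"\\objw(\d+)", rtf)
    objh = re.search(r"\\objh(\d+)", rtf)
    dims = (int(objw.group(1)), int(objh.group(1))) if objw and objh else None
    # Weaponized RTFs often nest several \objdata control words; the longest
    # hex run (whitespace stripped) is the real object.
    runs = [re.sub(r"\s+", "", h)
            for h in re.findall(r"\\objdata\s*([0-9a-fA-F\s]+)", rtf)]
    if not runs:
        raise ValueError("no \\objdata found")
    hexdata = max(runs, key=len)
    header = parse_ole1_header(bytes.fromhex(hexdata[:len(hexdata) & ~1]))
    return {"dimensions": dims,
            "royal_road_dims": dims in ROYAL_ROAD_DIMS,
            "equation_editor": header["class_name"].startswith("Equation"),
            **header}
```

Run `triage_rtf(open(path).read())` against a suspect RTF; a hit on both `royal_road_dims` and `equation_editor` is a strong reason to pull the object with rtfobj and decode 8.t offline rather than open the file.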

Now that we have extracted a secondary payload, we can get an idea of its capabilities using Mandiant’s CAPA tool.

Tactics/Persistence

From the Positive Technologies blog post, we know that the secinit.exe file maintains persistence through HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, using a Run entry named GetUserConfig.

Additionally, once secinit.exe is run, it will start to reach out to its command and control infrastructure, loge.otzo[.]com, and download two additional files to the victim system.

Infrastructure

According to passive DNS data, loge.otzo[.]com was first seen in May of 2019, hosted through ChangeIP, a dynamic DNS provider that also offers Virtual Private Servers (VPS).

It is important to mention that the aforementioned Anomali blog [1] already identified this subdomain as a network IOC in their initial post.

Strings

\objw2180\objh300{\objdata 554567{*\objdata 01050000020000000b0000004571756174696f6e2e33000000000000000000

INFO11.OCX
INFOP11.EXE

Conclusion

Although this is a much older file with decent detection coverage on VirusTotal, other than the Positive Technologies post, not much has been written about this particular document.

Hopefully something in this post will be of use in future malware analysis investigations.

Thank you for reading!

Further Reading

[1] https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018

[2] https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html
