An Overhead View of the Royal Road

2020-01-29

Abstract

Several targeted attack groups share the tools used in the attack and are reported to be doing similar attacks. Attack tools are also shared in attacks targeting Japanese organizations, for example, Tick. Tick may use a tool called Royal Road RTF Weaponizer. And Royal Road is used by targeted attack groups such as Goblin Panda and Temp.Trident that is suspected of being involved in China.

In this blog, we will focus on the Royal Road, and introduce the features of the tool, such as the outline of the tool, its behavior, and the exploited vulnerability. Next, the targeted attack groups that use the Royal Road are listed, and each attack case is shown in detail. We have collected over 100 malicious documents from 2018 and investigated malware that is deployed and downloaded from there. Even in groups using the same Royal Road, we attributed them based on the target country/organization, the technique used for the attack, the malware executed, etc.

There are a wide variety of countries/organizations targeted for attack, mainly in Asia. Such information has been published by researchers all over the world, but it’s not widely known that Royal Road is used in Tick attacks targeting Japanese organizations. Attacks using Royal Road are still active in 2019. Share analysis results of malicious documents and malware based on the cases we observed. Other targeted attack groups may be related to Royal Road. We introduce the attack cases of these attack groups and show their relevance.

Finally, we show the hunting technique using the characteristics of RTF files using Royal Road and the techniques that are preferred by targeted attack groups that use them. This blog will help researchers who are researching and analyzing targeted attacks and CSIRT/SOC members to understand the attacks and take countermeasures.

Summary

Royal Road

Royal Road is RTF weaponizer that named by Anomali. Sometimes called “8.t RTF exploit builder”. This tool is not OSS, However it’s shared between multiple actors.

We define the RTFs generated by RoyalRoad is supposed to satisfy the following two conditions:

1. Exploit the vulnerability in the Equation Editor
2. Have an object named 8.t in the RTF

Royal Road behaves as follows.

1. RTF create a file (8.t) using ActiveX Control “Package” when opening a document

2. All Vulnerabilities used by exploit coed are based on Equation Editor.
   • CVE-2017-11882
   • CVE-2018-0798
   • CVE-2018-0802
3. It decode 8.t, execute malware, dll-sideloading, etc

Classification v1-v5 defined by Proofpoint and Anomali published at VB2019. We are doing more research about RTF Object. RTF analysis showed that there was a special byte sequence immediately before the shellcode. We called that an object pattern. 8.t encoding is not distinguished by version. It’s considered an actor distinction rather than a tool distinction.

About v3, RTF including 8.t could not be found in our survey, so we define this as RoyalRoad-related, not RoyalRoad.

New version definitions for v6 and later. The object string has changed a little since v5, but it is basically the same. v7 has a very different object string. v7 object pattern is same as v4-v6, but part ofobject data exists randomly.

For attribution

• Time
  • submission to public service
  • RTF creation
• Target country
  • decoy file language
• RTF characteristics
  • Object strings
  • Object patterns
  • Package patterns
  • Object name, Path
• Payload encoding patterns
• Dropped file name
• Malware execution techniques
  • T1137 (Office Application Startup)
  • T1073 (DLL Side-Loading)
• Final payload (malware family)

Actors

Here are the actors that have been confirmed to use RoyalRoad. It is considered that China’s involvement is suspected.

These are tables summarizing each actor’s characteristics. We categorize these actors into three groups.

Group

• Group-A is Conimes, Periscope and Rancor.
• Group-B is Trident, Tick, TA428 and Tonto.
• Group-C is something else we don’t know.

Group-A is targeting Southeast Asia. Periscope and Conimes ware active at the same time and share the same techniques. Conimes and Rancor ware also active at the same time and share some techniques. We believe these groups are close and may share tools and insights.

Group-B is including Trident, Tick, TA428 and Tonto. These are actors targeting East Asia, especially Russia, Korea and Japan. Tick, TA428 and Tonto may use the same technique. Especially Tick and Tonto are very similar. We believe that Group-B actors are very close and share techniques and insights.

Wrap-up

The RTF file created using the Royal Road exploits a vulnerability in the equation editor. The RTF file has a various of characteristics that help with attribution. There are many actors who use Royal Road. We can divide them into three groups and suppose connections between actors.

Appendix

Appendix-1: IOC

• https://nao-sec.org/jsac2020_ioc.html

Appendix-2: Tool

• rr_decoder
• Yara Rules

---

Full report is here: [PDF (EN)]