# Full Report

## Abstract

Several targeted attack groups share the tools they use and are reported to carry out similar attacks. Tools are also shared in attacks targeting Japanese organizations; Tick, for example, may use a tool called Royal Road RTF Weaponizer. Royal Road is also used by targeted attack groups suspected of being linked to China, such as Goblin Panda and Temp.Trident.

In this blog we focus on Royal Road and introduce the features of the tool: an outline of the tool, its behavior, and the vulnerabilities it exploits. Next, we list the targeted attack groups that use Royal Road and show each attack case in detail. We have collected over 100 malicious documents since 2018 and investigated the malware deployed and downloaded from them. Even among groups using the same Royal Road, we attributed them based on the target country/organization, the technique used for the attack, the malware executed, etc. The countries and organizations targeted vary widely and are mainly in Asia. Such information has been published by researchers all over the world, but it is not widely known that Royal Road is used in Tick attacks targeting Japanese organizations. Attacks using Royal Road are still active in 2019. We share the analysis results of malicious documents and malware based on the cases we observed. Other targeted attack groups may also be related to Royal Road; we introduce the attack cases of these groups and show how they are related. Finally, we show a hunting technique that uses the characteristics of RTF files generated by Royal Road and the techniques preferred by the targeted attack groups that use them. This blog will help researchers who research and analyze targeted attacks, and CSIRT/SOC members, to understand the attacks and take countermeasures.

## Summary

### Royal Road

Royal Road is an RTF weaponizer named by Anomali, sometimes called "8.t RTF exploit builder". This tool is not OSS; however, it is shared between multiple actors. We define the RTFs generated by Royal Road as those satisfying the following two conditions:

- They exploit a vulnerability in the Equation Editor.
- They have an object named 8.t in the RTF.

Royal Road behaves as follows:

- The RTF creates a file (8.t) using the ActiveX Control "Package" when the document is opened.
- All vulnerabilities used by the exploit code are in the Equation Editor: CVE-2017-11882, CVE-2018-0798, CVE-2018-0802.
- It decodes 8.t and executes malware, performs DLL side-loading, etc.

Classification: versions v1 to v5 were defined by Proofpoint and Anomali and published at VB2019. We are doing more research on the RTF object. RTF analysis showed that there is a special byte sequence immediately before the shellcode; we call this an object pattern. The 8.t encoding is not distinguished by version; it is considered an actor distinction rather than a tool distinction. For v3, no RTF including 8.t could be found in our survey, so we define this as Royal Road-related rather than Royal Road. We define new versions, v6 and later. The object string has changed a little since v5, but it is basically the same. v7 has a very different object string. The v7 object pattern is the same as in v4-v6, but part of the object data is random.

### For attribution

- Time: submission to public services; RTF creation
- Target: country; decoy file language
- RTF characteristics: object strings; object patterns; Package patterns; object name and path; payload encoding patterns; dropped file name
- Malware execution techniques: T1137 (Office Application Startup); T1073 (DLL Side-Loading)
- Final payload (malware family)

### Actors

Here are the actors that have been confirmed to use Royal Road. China's involvement is suspected for all of them. Tables summarizing each actor's characteristics are given in the full report.

### Groups

We categorize these actors into three groups. Group-A is Conimes, Periscope and Rancor. Group-B is Trident, Tick, TA428 and Tonto. Group-C is everything else that we don't know.

Group-A targets Southeast Asia. Periscope and Conimes were active at the same time and share the same techniques. Conimes and Rancor were also active at the same time and share some techniques. We believe these groups are close and may share tools and insights.

Group-B includes Trident, Tick, TA428 and Tonto. These actors target East Asia, especially Russia, Korea and Japan. Tick, TA428 and Tonto may use the same technique; Tick and Tonto in particular are very similar. We believe that the Group-B actors are very close and share techniques and insights.

## Wrap-up

- The RTF file created using Royal Road exploits a vulnerability in the Equation Editor.
- The RTF file has various characteristics that help with attribution.
- Many actors use Royal Road. We can divide them into three groups and infer connections between actors.

## Appendix

- Appendix-1: IOC https://nao-sec.org/jsac2020_ioc.html
- Appendix-2: Tools: rr_decoder, YARA rules

Full report is here: [PDF (EN)]
Analysis Summary
# Tool/Technique: Royal Road RTF Weaponizer
## Overview
Royal Road (also known as "8.t RTF exploit builder") is a non-open-source tool used by several targeted attack groups to create malicious Rich Text Format (RTF) documents. These documents are weaponized to exploit vulnerabilities, primarily in the Microsoft Equation Editor, to execute a payload (malware or DLL sideloading). The names and characteristics of the generated RTF files can help in attributing the attack to a specific threat actor group.
## Technical Details
- Type: Tool (RTF Weaponizer)
- Platform: Primarily Microsoft Windows (due to exploitation of Windows components like Equation Editor).
- Capabilities: Generates malicious RTF files that exploit Equation Editor vulnerabilities, create a specific internal object named '8.t', decode this object, and execute subsequent stages like malware execution or DLL sideloading.
- First Seen: The analysis references activity spanning from 2018 through 2019.
## MITRE ATT&CK Mapping
Based on described functionality:
- T1204 - User Execution
- T1204.002 - Malicious File
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- T1059 - Command and Scripting Interpreter (Implied by execution of decoded content)
- T1055 - Process Injection
- T1055.012 - DLL Side-Loading (Mentioned)
- T1137 - Office Application Startup (Mentioned as a potential technique used by actors)
## Functionality
### Core Capabilities
- **RTF Exploit Generation:** Creates RTF files that specifically target vulnerabilities in the Equation Editor.
- **Vulnerability Exploitation:** Utilizes exploits for CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802.
- **Object Creation:** Creates a file object named `8.t` inside the RTF document using the ActiveX Control "Package".
- **Payload Delivery:** Decodes the `8.t` object to execute subsequent malicious code or stage malware.
### Advanced Features
- **Actor Distinction:** Variations in the RTF object strings and patterns (like v7 having a different object string) are used by analysts to distinguish between different actors using the tool.
- **DLL Sideloading:** Implements DLL sideloading as a component of the execution chain.
- **Attribution Characteristics:** The generated documents carry characteristics (decoy file language, object strings and patterns, payload encoding patterns, dropped file names) that help analysts attribute a sample to a specific actor.
## Indicators of Compromise
The summary primarily describes tool characteristics rather than specific, universal IOCs. Specific IOCs would require referencing the appendix links, but general characteristics noted in the analysis include:
- **File Hashes:** Not provided in the summary text.
- **File Names:** Objects named `8.t` are characteristic.
- **Registry Keys:** Not provided in the summary text.
- **Network Indicators:** Not provided in the summary text (C2/domains would be associated with the final malware payload).
- **Behavioral Indicators:**
  - RTF opening leading to the creation of an internal object (`8.t`).
  - Exploitation attempts targeting the Equation Editor component.
  - Execution chains involving DLL sideloading.
## Associated Threat Actors
The tool is shared among several targeted attack groups, categorized into three main groups:
- **Group-A:** Conimes, Periscope, and Rancor (Targeting Southeast Asia).
- **Group-B:** Trident (Temp.Trident), Tick, TA428, and Tonto (Targeting East Asia, including Russia, Korea, and Japan).
- **Group-C:** Unknown actors.
The article specifically highlights that **Tick** is known to use Royal Road in attacks targeting Japanese organizations.
## Detection Methods
Detection focuses on the structure and behavior specific to Royal Road generated files:
- **Signature-based detection:** Signatures targeting the object pattern preceding the shellcode, or the presence of the specific `8.t` object name within RTF files.
- **Behavioral detection:** Monitoring for RTF documents that attempt to leverage Equation Editor vulnerabilities or execute subsequent stages like DLL sideloading or suspicious file creation/decoding.
- **YARA rules:** The existence of published YARA rules suggests signature-based detection capabilities targeting Royal Road RTFs.
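As an added, runnable illustration of the two defining conditions the report uses (an Equation Editor object plus an embedded object named `8.t`), this Python scanner is not nao_sec's rr_decoder or its YARA rules; it walks the balanced `{\object ...}` groups of an RTF, hex-decodes each `\objdata` stream, and flags the combination. The function names and the two sample RTFs are constructed here; the report gives no bytes for the "object pattern" before the shellcode, so that check is not modelled.

```python
# Added example (not nao_sec's rr_decoder): flag the two properties the report
# uses to define a Royal Road RTF. OLE data is hex-encoded under \objdata.
import re
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\{}]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")

def rtf_groups(data: bytes, control: bytes):
    """Yield every balanced {\\<control> ...} group, honouring nested braces."""
    needle = b"{\\" + control
    start = data.find(needle)
    while start != -1:
        depth = 0
        for i in range(start, len(data)):
            depth += {0x7B: 1, 0x7D: -1}.get(data[i], 0)  # '{' / '}'
            if depth == 0:
                yield data[start:i + 1]
                break
        start = data.find(needle, start + 1)

def parse_object(group: bytes) -> tuple:
    """Return (objclass, hex-decoded objdata) for one {\\object ...} group."""
    objclass = m.group(1).strip().decode("latin-1") if (m := OBJCLASS_RE.search(group)) else ""
    hexstr = re.sub(rb"\s+", b"", m.group(1)).decode() if (m := OBJDATA_RE.search(group)) else ""
    return objclass, bytes.fromhex(hexstr) if len(hexstr) % 2 == 0 else b""

def scan_rtf(data: bytes) -> dict:
    """Report Equation Editor objects and Package objects that name 8.t."""
    result = {"objects": [], "equation_editor": False, "package_8t": False}
    for group in rtf_groups(data, b"object"):
        objclass, raw = parse_object(group)
        result["objects"].append(objclass)
        if objclass.lower().startswith("equation"):
            result["equation_editor"] = True
        # Package file names are NUL-terminated ANSI (or UTF-16) strings.
        if b"8.t\x00" in raw or "8.t\x00".encode("utf-16-le") in raw:
            result["package_8t"] = True
    result["royal_road"] = result["equation_editor"] and result["package_8t"]
    return result

def build_rtf(objects) -> bytes:
    body = b"".join(b"{\\object\\objemb{\\*\\objclass " + cls.encode() +
                    b"}{\\*\\objdata " + raw.hex().encode() + b"}}\n"
                    for cls, raw in objects)
    return b"{\\rtf1\\ansi\n" + body + b"}"

# Constructed samples, not real malware: the Package bytes only mimic the
# NUL-terminated file-name layout; the Equation bytes are inert padding.
SUSPECT_RTF = build_rtf([("Package", b"\x02\x008.t\x00C:\\tmp\\8.t\x00"),
                         ("Equation.3", b"\x00" * 16)])
BENIGN_RTF = build_rtf([("Word.Document.8", b"\x00" * 8)])
```

Run `scan_rtf` over a directory of RTFs to triage candidates for rr_decoder; a hit on both conditions is what the report calls Royal Road, a hit on the Equation object alone is only Royal Road-related.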
## Mitigation Strategies
- **Prevention measures:** Keeping all Office/Windows components patched, especially addressing known Equation Editor vulnerabilities (CVE-2017-11882, etc.).
- **Hardening recommendations:** Disabling or restricting macros/ActiveX controls in Office applications, especially for inbound or untrusted documents. Analyzing RTF files before opening them using sandboxing or static analysis tools focused on OLE/RTF structure.
## Related Tools/Techniques
- **rr_decoder:** A tool referenced in the appendix, likely used for analyzing and decoding the malicious content generated by Royal Road.
- **Equation Editor Exploits:** The core vulnerabilities (CVE-2017-11882, CVE-2018-0798, CVE-2018-0802) exploited by this weaponizer.
- **Document Weaponization Techniques:** General techniques used to deliver payloads via malicious documents.