PortDoor Espionage Malware Takes Aim at Russian Defense Sector (Security News, April 2021)

A previously undocumented backdoor malware, dubbed PortDoor, is being used by a probable Chinese advanced persistent threat actor to target the Russian defense sector, according to researchers.
The malware then creates an additional file in %temp% with the hardcoded name "58097616.tmp" and writes the GetTickCount value multiplied by a random number to it: "This can be used as an additional identifier for the target, and also as a placeholder for the previous presence of this malware," researchers explained.
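The fixed file name makes this marker a cheap hunting pivot. The following is an added example, not code from the article or from Cybereason, that runs a simple detection over constructed Sysmon-style FileCreate records (the log layout, host names and paths are assumptions; only the file name 58097616.tmp comes from the report):

```python
import ntpath
import re

# Marker file name reported for PortDoor (from the article). The event records
# below are constructed Sysmon-style FileCreate (Event ID 11) samples, not real telemetry.
PORTDOOR_MARKER = "58097616.tmp"

# Assumed layouts of a per-user %temp% and the system temp directory.
TEMP_DIR_RE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\appdata\\local\\temp|[a-z]:\\windows\\temp)$"
)

SAMPLE_EVENTS = [
    {"host": "ws-01", "event_id": 11, "image": "C:\\Windows\\explorer.exe",
     "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\report.docx"},
    {"host": "ws-02", "event_id": 11, "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\winword.exe",
     "target": "C:\\Users\\bob\\AppData\\Local\\Temp\\58097616.tmp"},
    {"host": "ws-03", "event_id": 1, "image": "C:\\Windows\\System32\\cmd.exe",
     "target": ""},
    {"host": "srv-01", "event_id": 11, "image": "C:\\Windows\\System32\\svchost.exe",
     "target": "C:\\WINDOWS\\TEMP\\58097616.TMP"},
]

def is_portdoor_marker(event):
    """True when a FileCreate event writes the marker name into a temp directory.

    The comparison is case-insensitive because NTFS paths are, and the directory
    check avoids matching an identically named file dropped anywhere else."""
    if event.get("event_id") != 11:
        return False
    directory, name = ntpath.split(event.get("target", ""))
    return (name.lower() == PORTDOOR_MARKER
            and TEMP_DIR_RE.match(directory.lower()) is not None)

def hunt(events):
    """Return one (host, creating image, path) tuple per host that shows the marker."""
    hits, seen = [], set()
    for ev in events:
        if is_portdoor_marker(ev) and ev["host"] not in seen:
            seen.add(ev["host"])
            hits.append((ev["host"], ev["image"], ev["target"]))
    return hits

if __name__ == "__main__":
    for host, image, path in hunt(SAMPLE_EVENTS):
        print(f"{host}: {image} created {path}")
```

The creating image is returned alongside the path because a marker written by an Office process or an unexpected binary is the part worth triaging.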
"Both the Tonto Team and TA428 threat actors have been observed attacking Russian organizations in the past, and more specifically attacking research and defense-related targets," according to the analysis.
"When comparing the spear-phishing email and malicious documents in these attacks with previously examined phishing emails and lure documents used by the Tonto Team to attack Russian organizations, there are certain similarities in the linguistic and visual style used by the attackers in the phishing emails and documents."
That said, the PortDoor malware doesn't share significant code similarities with previously known malware used by those groups, leading Cybereason to conclude that it is not a variant of known malware; the code itself therefore offers no help with attribution.
"Lastly, we are also aware that there could be other groups, known or yet unknown, that could be behind the attack and the development of the PortDoor backdoor," researchers concluded.
News URL
https://threatpost.com/portdoor-espionage-malware-takes-aim-at-russian-defense-sector/165770/