“PortDoor” Malware
By Ilan Duhin
Published: 2023-07-20 · Archived: 2026-04-06 00:45:24 UTC
7 min read · Apr 5, 2023
Researched by: Ilan Duhin

Executive Summary:

“PortDoor” is a Chinese backdoor that targeted government ministries, public organizations and industrial plants in Eastern European countries (Russia, Belarus and Ukraine). It spreads via spear-phishing emails carrying a malicious RTF file as an attachment. Once opened, the RTF drops a Microsoft Word add-in file (.wll) that is actually a DLL. The dropped DLL can perform reconnaissance and profiling of the victim’s machine, communicate with the C2 server, and escalate privileges. Based on the TTPs we analyzed in the DLL backdoor, “PortDoor” is attributed to the group dubbed “TA428”, which is linked to the Chinese government. The DLL gains its foothold through the Microsoft Equation Editor vulnerability (CVE-2017-11882), which allows execution of arbitrary code without any additional user interaction. To communicate, the malware establishes an HTTP connection from the victim’s endpoint and uses it to exfiltrate the victim’s information, such as the username and network configuration.

This report contains in-depth research of the backdoor and the RTF attachment, including an analysis of its behavior.

Banker Attack Analysis:

The backdoor’s attack steps were as follows:

1. “PortDoor” encrypts its own configuration with a XOR key. The XOR loop runs as part of the file’s execution.
2. After launching, the malware collects general information about the infected system via API calls (computer name, IP addresses, etc.) and sends the collected information to the C2 server.
https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba Page 1 of 17
3. After decrypting the configuration, “PortDoor” checks that it is not running in a debugger (it uses the IsDebuggerPresent call).
4. “PortDoor” establishes a connection with the C2 server via HTTP:
— 45.63.27[.]162
5. The data that is received/sent is encrypted using an AES key.

Technical Analysis:

Headers of the spear-phishing email: we can see who sent it and which mailbox was targeted.

· The sender was “Gidropribor[1]”, a research center of the Russian Federation.
· The receiver was Igor Vladimirovich[2], CEO of the marine engineering bureau “Rubin”.

Mail Headers

[1] https://gidropribor.ru/en/
[2] https://www.aoosk.ru/companies/oao-tsentralnoe-konstruktorskoe-byuro-morskoy-tekhniki-rubin/

Opening the RTF file.

Looking at the file in HxD and checking the header, we can see that this is an RTF file.

The fact that this is an RTF file rather than a typical Word document should raise some red flags about the attachment. RTF (Rich Text Format) allows other files to be embedded inside the file itself, and it is often used by attackers to embed malware.

Searching the hash in VT shows that the creation time of the RTF file was in 2007. Such an old timestamp points to a technique adversaries use to try to stay under the radar of security products (especially given the long gap between the creation time and the last analysis).

OLE Tools:

After extracting the file objects with rtfdump (the tool extracts embedded file objects), I started analyzing them in depth. An object that looks suspicious is 290.

When I pass the argument “i” to gather more information, it indicates that this object holds a reference to the embedded file. The magic number of this object is d0cf11e0 (the OLE2 compound-file signature).
The object that connects us to the Equation Editor class name.

From a quick look, we can see that the file contains the Equation class name; this is evidence that an Equation Editor vulnerability will be exploited. When I searched for the Equation pattern in Google, I found that it is connected to the Royal Road malware (also known as the weaponizer), which used the same technique in previous attacks by several Chinese threat actors such as TA428, the same APT that spread “PortDoor”.

Once the RTF document is opened, a .wll (Word add-in) file is dropped into the Microsoft Word startup folder. This is largely done as an evasion technique: when a Word document is launched, the add-in file is loaded along with it, and security products treat this as legitimate behavior.

After running the .doc, I checked the memory strings and saw that the file below attached a DLL file. In other words, our sample loads the DLL as its backdoor.

Attach success:

In other words, the file probably already existed when we ran the RTF file earlier (our backdoor). The strings just confirm this.

When dropping the .wll file into IDA, it is identified as a DLL file.

The DLL has 33 exported functions. Functions 18 and 28 are the ones “PortDoor” uses to carry out its activities. The rest enter a sleep loop as part of the anti-analysis technique.
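The triage checks walked through above (the RTF header seen in HxD, the d0cf11e0 OLE2 signature that rtfdump reported, and the Equation Editor class name), as an added Python example that is not part of the original post. It parses `\objdata` hex runs in a simplified way (rtfdump/oletools handle the format far more thoroughly) and uses a constructed minimal RTF, not the real attachment.

```python
import re
import binascii

# OLE2 compound-file signature (the "d0cf11e0" magic rtfdump showed for object 290).
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# Class names tied to Equation Editor (CVE-2017-11882) lures.
EQUATION_MARKERS = (b"Equation.3", b"Equation.2", b"Equation.DSMT4")

_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
_OBJCLASS_RE = re.compile(rb"\\objclass\s+([\w.]+)")

def is_rtf(data: bytes) -> bool:
    """RTF files start with the '{\\rtf' header, the magic visible in HxD."""
    return data.lstrip().startswith(b"{\\rtf")

def extract_objdata(data: bytes) -> list[bytes]:
    """Decode every \\objdata hex run back into the raw embedded-object bytes."""
    objs = []
    for m in _OBJDATA_RE.finditer(data):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        hexstr = hexstr[: len(hexstr) // 2 * 2]  # drop a dangling odd nibble
        objs.append(binascii.unhexlify(hexstr))
    return objs

def triage_rtf(data: bytes) -> dict:
    """Indicators an analyst wants before opening the attachment in Word."""
    objs = extract_objdata(data)
    ole2 = sum(1 for o in objs if OLE2_MAGIC in o)
    classes = {c.decode("ascii", "replace") for c in _OBJCLASS_RE.findall(data)}
    classes |= {m.decode() for o in objs for m in EQUATION_MARKERS if m in o}
    return {"is_rtf": is_rtf(data), "objects": len(objs), "ole2_objects": ole2,
            "classes": sorted(classes),
            "equation_editor": any("Equation" in c for c in classes)}

# Constructed sample (not the real attachment): one OLE1-wrapped object whose
# class name is Equation.3 and whose payload begins with the OLE2 signature.
_OLE1 = (b"\x01\x05\x00\x00\x02\x00\x00\x00"
         + len(b"Equation.3\x00").to_bytes(4, "little") + b"Equation.3\x00"
         + b"\x00" * 8 + OLE2_MAGIC + b"\x00" * 16)
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb\\objclass Equation.3{\\*\\objdata "
              + binascii.hexlify(_OLE1) + b"}}}")

if __name__ == "__main__":
    print(triage_rtf(SAMPLE_RTF))
```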
When investigating the two remaining functions, they contain the XOR loop, which runs if one of them is called.

Trying to achieve privilege escalation by applying the Access Token Theft technique[1] to steal explorer.exe tokens and run under a privileged security context.

[1] https://attack.mitre.org/techniques/T1134/

Another suspicious API call is IsDebuggerPresent. Here, the malware uses it to find out whether it is running under a debugger. If not, it decodes the pointer to the victim’s process, which is encrypted with the XOR key.

In addition, I found two suspicious strings that describe an HTTP connection via a proxy server to a specific host. The backdoor appears to distinguish between two HTTP response types, ‘200’ and ‘407’ (Proxy Authentication Required).

The full code from IDA:

One of the suspicious IP addresses that I saw is 45.63.27[.]162[1][2]. This IP address is the only one that shows up as both source and destination. Searching for the IP address in attack reports shows that it is used as a “PortDoor” C2.

[1] https://kcm.trellix.com/corporate/index?page=content&id=KB94757&locale=en_US
[2] https://vuldb.com/?actor.portdoor

After the malware establishes a connection with the C2 server, the data received/sent is encrypted using an AES key.
AES-encrypted information.

Backdoor commands (Symbols tab). This reinforces the fact that there is a C2 server.

The malware checks whether the current user is a member of the Administrators group. If so, it uses the Netapi32.dll library (network management functions) to get information about the user.

“PortDoor” writes the GetTickCount value (to see how long the host has been up since it started).

The decryption of a string by the backdoor: “mov” and “add” into the “eax” register, then the same sequence repeated with the “ecx” register, and finally all the parameters are moved into it.

To verify that this is the backdoor’s activity, we checked the permissions in the Memory map. We can clearly see that it is the executable code of our backdoor.

Checking what causes the debugger to raise an “Exception” when we try to run until the breakpoint on the XOR loop: as you can see, the XOR loop is located between two IsDebuggerPresent calls that check whether the malware is in the debugger or not.

The malware uses the anti-debugging technique before it runs the XOR loop.
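The XOR-encrypted configuration and the C2 address described above, as an added example that is not the author's code: a defender-side recovery of a XOR key from a dumped blob, scoring each candidate by its printable ratio plus a bonus when an IPv4 literal (a likely C2) appears. Assumptions: a single-byte key (the post does not state PortDoor's key length) and a constructed sample blob, not PortDoor's real configuration.

```python
import re
import string

_PRINTABLE = set(string.printable.encode())
_IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def score(candidate: bytes) -> float:
    """Printable ratio (0..1) plus 1.0 when an IPv4 literal is present."""
    printable = sum(1 for b in candidate if b in _PRINTABLE) / max(len(candidate), 1)
    return printable + (1.0 if _IPV4_RE.search(candidate) else 0.0)

def recover_single_byte_xor(blob: bytes) -> tuple[int, bytes]:
    """Try all 256 single-byte keys; return the (key, plaintext) that scores best.
    Assumption: a single-byte key, which the post does not confirm for PortDoor."""
    best = max(range(256), key=lambda k: score(xor_bytes(blob, bytes([k]))))
    return best, xor_bytes(blob, bytes([best]))

def extract_ips(plaintext: bytes) -> list[str]:
    """Pull IPv4 literals out of a recovered config for blocking/hunting."""
    return [m.decode() for m in _IPV4_RE.findall(plaintext)]

# Constructed config blob and key (documentation-range IP, not the real C2).
_PLAIN = b"host=192.0.2.10;port=80;path=/update;agent=Mozilla/4.0"
SAMPLE_BLOB = xor_bytes(_PLAIN, b"\x5a")

if __name__ == "__main__":
    key, plaintext = recover_single_byte_xor(SAMPLE_BLOB)
    print(hex(key), plaintext, extract_ips(plaintext))
```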
Reference:
https://www.cybereason.com/blog/research/portdoor-new-chinese-apt-backdoor-attack-targets-russian-defense-sector

Indicators of compromise:
Email (phishing): 48a312bfbcd1674501a633fbdcaa99a487e6260414a6e450a19982578b128a52
RTF: 774a54300223b421854d2e90bcf75ae25df75ba9f3da1b9eb01138301cdd258f
DLL: 2d705f0b76f24a18e08163db2f187140ee9f03e43697a9ea0d840c829692d43c

Source: https://medium.com/@Ilandu/portdoor-malware-afc9d0796cba