
RoyalRoad

Posted: March 23, 2020

RoyalRoad is a hacking tool that generates malicious RTF documents with embedded exploits. Threat actors use it to deliver backdoor Trojans and similarly invasive threats for reconnaissance purposes. Users can protect themselves with the usual safe browsing practices and by having anti-malware solutions capable of removing RoyalRoad's RTF files on sight.

A Road Paved with Misappropriated Computer Access

Although the software weaknesses it exploits are years old, RoyalRoad, also known as the 8.t RTF exploit builder, continues to prove its worth in hacking reconnaissance campaigns in 2020. This document-generating toolkit is a black-hat program that supplies a variety of China-based threat actors with their preferred Trojan-delivery method. Since it is not open-source software (OSS), there is speculation that the relevant groups are tied to one another, which cyber-security researchers can further support with more evidence of their shared characteristics.

Hacking groups using RoyalRoad include Vicious Panda, Trident, and Tick, and most victims of its output reside in nations neighboring or near China, such as Japan or Russia. Particularly recent tactics employ social engineering: fake e-mails purporting to come from the Mongolian Ministry of Foreign Affairs and providing Coronavirus (COVID-19) news. Recipients who open the attached RTF documents expose their PCs to any of RoyalRoad's Equation Editor-based exploits, which install a Remote Access Trojan (in the latest case), an ICEFOG backdoor Trojan, Datper, Derusbi spyware, etc.

Threat actors using RoyalRoad tend to be highly disciplined and skilled, capable of advanced techniques like DLL side-loading and anti-sandbox routines for evading detection or analysis environments. The exploits in vogue with RoyalRoad are what malware experts identify as its greatest weakness: CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802. All of them are old and patchable with standard Microsoft security updates.
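Because every RoyalRoad document carries an Equation Editor OLE object, a defender can triage RTF attachments for that object before the exploits above ever run. The Python check below is an added example, not code from this page or from any research team; it looks for an `\objclass` naming `Equation.3`, for the Equation Editor class name, CLSID or "Equation Native" stream name inside the decoded `\objdata` hex, and for the `\objupdate` control word. The sample document it builds is constructed for the demonstration and contains no exploit.

```python
"""Flag RTF files that embed Equation Editor OLE objects (CVE-2017-11882 family)."""
import re
import uuid

# Indicators of an Equation Editor (EQNEDT32) object inside OLE data.
EQUATION_PROGIDS = (b"equation.3", b"equation.2")                 # OLE1 class-name string
EQUATION_CLSID_LE = uuid.UUID("0002CE02-0000-0000-C000-000000000046").bytes_le  # Equation.3 CLSID
EQUATION_NATIVE = "Equation Native".encode("utf-16-le")           # stream name in the OLE2 container


def extract_objdata(rtf: bytes) -> list:
    """Decode every \\objdata hex block into raw bytes (whitespace inside the hex is allowed)."""
    blobs = []
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:          # odd nibble count: drop the dangling digit instead of failing
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def triage_rtf(rtf: bytes) -> dict:
    """Return which Equation Editor indicators the document carries."""
    blobs = extract_objdata(rtf)
    objdata_hit = any(
        any(p in b.lower() for p in EQUATION_PROGIDS) or EQUATION_CLSID_LE in b or EQUATION_NATIVE in b
        for b in blobs
    )
    findings = {
        "objects": len(blobs),
        "objclass_equation": re.search(rb"\\objclass\s+Equation\.[23]", rtf) is not None,
        "objdata_equation": objdata_hit,
        "objupdate": b"\\objupdate" in rtf,   # forces the object to load as the document opens
    }
    findings["suspicious"] = findings["objclass_equation"] or findings["objdata_equation"]
    return findings


def build_sample() -> bytes:
    """Constructed test document: an OLE1 header naming Equation.3 with no real payload."""
    ole1 = b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00" + b"\x0b\x00\x00\x00Equation.3\x00"
    return (b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + ole1.hex().encode("ascii") + b"}}}")


if __name__ == "__main__":
    print(triage_rtf(build_sample()))
```

Real samples often obfuscate the hex and control words, so for production triage pair this with a full RTF object parser such as oletools' rtfobj; the indicators here are the core of what such tools look for.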

Stepping Off a Royal Invitation to Trouble

Patching all RTF-compatible document reader software will keep current RoyalRoad exploits from delivering their payloads. Users should also stay alert to any schemes themed after local news or immediately relevant emergencies, such as the Coronavirus hoaxes of Vicious Panda, the phone-hijacking SpyMax RAT, and the screen-locker CovidLock Ransomware. Verify sources before interacting with possibly unsafe documents and other downloads, regardless of how official they might look.

The payloads of RoyalRoad attacks lean towards long-term compromise and surveillance of infected PCs. Victims should disable Internet connectivity, cut off all access to other systems and storage devices, and change passwords for essential accounts. Unfortunately, some components of its payload, such as the modules used by Vicious Panda's RAT, still require further examination. Combined with RoyalRoad's use by multiple criminal groups, this makes a flawless prediction of the attacks at work after an infection impossible.

RoyalRoad is a hacking utility and ordinarily doesn't require direct removal from a victim's PC. However, proper anti-malware tools can flag the RTF documents this program creates as threatening and remove RoyalRoad RTFs safely, or block the exploits as they trigger.

Leaving a road less traveled doesn't have to be a negative thing. While all too many users are suffering from RoyalRoad's depredations, there is every reason to double-check a sender's identity before trusting a document that looks legitimate but may not be.
