VB2019 paper: Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers

Ghareeb Saad

Anomali, UK

Michael A. Raggi

Proofpoint, USA



Typographers and font designers sometimes quip that the divine fingerprint of the artist exists in the spaces between the letters (‘God is in the Kerning’ – Matteo Bologna). They have also said ‘Nothing made by a human can avoid personal expression’ (Hrant Papazian). Anomali Labs has conducted an in-depth study of the unique object dimensions present in weaponized RTF exploits used in phishing attacks. Through this research we have found that, like typographers, the developers of malicious RTF weaponizers leave behind a unique fingerprint on the malicious phishing attachments they create. This fingerprint can be found in the unique height and width of the malicious objects present in a phishing attachment. So, if God can be found in the kerning, we, as threat researchers, believe that attribution is in the object.

RTF files are among the most popular file formats used in phishing attacks today. Anomali Labs has tracked the unique object dimensions present in 22 RTF exploits for CVE-2018-8570, CVE-2018-0802, CVE-2017-11882, CVE-2017-0199, CVE-2014-1761 and CVE-2012-0158 to gain insight into the adversary’s weaponization process. By identifying the height and width of malicious RTF objects and creating YARA signatures to track them, analysts have identified APT campaigns related to three distinct Chinese APT groups (Temp.Periscope, Temp.Trident and Goblin Panda), one South Asian APT (Sidewinder), and the cybercriminal campaigns of a known Pakistani APT group (Gorgon Group/Subaat). This paper will cover basic RTF object metadata structure, how this data, when unique, can be used to track threat actors, and an in-depth case study of Chinese and Indian APTs utilizing a shared RTF phishing weaponizer to carry out diverse espionage campaigns across Asia and Central Europe.


Exploit supply chain & the need for weaponizer attribution

The use of weaponized exploits in targeted phishing attacks continues to be among the most popular and effective techniques observed by cybersecurity researchers today. The 2019 Verizon DBIR report cites ‘Email Attachment’ as the top malware infection vector in incidents and reports that Office documents and Windows applications are the most common infection vectors [1]. Among the Office documents utilized in cyber attacks, RTF file format is often used for phishing attachments and is regularly observed in espionage campaigns linked to prominent Advanced Persistent Threat (APT) adversaries. Rich Text Format (RTF) is a proprietary document file format created by Microsoft which has found popularity since its creation in 1987. The ubiquity of RTF attachments in APT attacks has led researchers to conduct an in-depth analysis of hundreds of weaponized RTF exploit files. This analysis has resulted in the development of a repeatable process for tracking the malicious files created by RTF phishing weaponizers and has introduced visibility into the threat actors’ supply chain for these weaponizer tools. Often, scripted phishing weaponizers will create malicious documents with predictable object dimensions for certain Common Vulnerability Exposures (CVEs). Based on these artifacts, it is possible to develop YARA detection signatures to allow analysts to study the spread and dissemination of phishing weaponizers across the threat landscape. With this visibility into the weaponization phase of the cyber kill chain, researchers can understand the origination point of weaponizers, which is invaluable for threat actor attribution. Additionally, the ability to detect and track these RTFs is highly advantageous to infosec organizations as it provides attack visibility during the delivery phase of a potential intrusion.

This paper presents a new technique for attributing RTF weaponizers using object dimensions. Researchers have studied more than 6,000 malicious RTF samples and have been able to group and attribute more than 27 different RTF weaponizers using object dimensions. An RTF weaponizer for CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798, dubbed ‘Royal Road’, was discovered being used in espionage campaigns, and ultimately released into the commodity threat landscape. Royal Road is believed to have originated amongst a group of Chinese APTs conducting espionage campaigns from 2017 to 2019. In 2018, it was observed being used by the Indian APT actor Sidewinder, and in 2019 it was seen being adopted by cybercriminal actors. The diffusion of custom weaponizers like Royal Road, from exclusive usage by its developers or purchasers through to its ultimate emergence as a commodity tool, will be explored as a recurring pattern which we refer to as the ‘Weaponizer Life Cycle’.


RTF exploitation

Rich Text Format was developed by Microsoft from 1987 until 2008, and remains supported by Windows, Mac and Linux operating systems. The RTF format was created to enable cross-platform document interchange. This file format has, for years, been a popular target for vulnerability researchers and exploit developers because it can host different object types. The object types include: annotations, fonts, pictures, OLE and SWF. This allows adversaries to deliver exploits from different object types, often by attaching RTF files to phishing emails. The versatility of the RTF format for exploit delivery from different object types has given rise to the following popular CVEs:

  • CVE-2014-1761
  • CVE-2015-7645
  • CVE-2016-4117
  • CVE-2016-1019
  • CVE-2017-0199
  • CVE-2017-8570
  • CVE-2017-11882
  • CVE-2018-0802
  • CVE-2018-0798


RTF tracking and attribution techniques

There are many aspects of RTF files that can be used to conduct analysis or track weaponized exploits for attribution purposes. In this paper we will focus on four specific techniques that can provide insight into both adversary operators and adversary supply chains. These four techniques include the tracking of RTF metadata, shellcode, obfuscation, encoding artifacts and object dimensions.


Metadata & author name

In addition to accommodating objects, RTF files can include metadata ‘Tag ID’ values that can be used to support threat actor attribution. Specifically, analysis of the metadata tag IDs for ‘author’, ‘company’, ‘operator (last modified by)’, ‘title’ and ‘vern’ (internal version number) associated with RTF phishing attachments can provide string values that can be leveraged as indicators of compromise. These metadata tag IDs should be recorded and attributed to a threat actor if observed in multiple campaigns over time, alongside additional overlapping IoCs or tactics techniques and procedures (TTPs). Metadata tag ID values can be observed in the strings of the RTF as well as through proprietary analysis tools such as VirusTotal Enterprise in the description section of an uploaded malware binary. The tag values for author and operator fields are derived from the machine used to create the RTF phishing attachment. In some instances, if the operator is using an application like Microsoft Office to create a weaponized phishing attachment, file compilation will apply the author value associated with the operator’s application to the created malicious file. Additionally, a unique value for the ‘vern’ or internal version number will be applied to all malicious phishing attachments created by that code base. The example shown in Figure 1 from the VirusTotal interface demonstrates a recurring metadata author value that was used by a CVE-2012-0158 phishing weaponizer attributed to the Chinese Goblin Panda APT, also known as Conimes. This technique has been explored at length in a SANS CTI Summit presentation on the topic [2].

Figure1_1.jpg Figure 1: VirusTotal user interface showing RTF metadata author ‘Tag ID’ and strings.

Although RTF metadata tag ID tracking is a useful method, over time, to develop attribution based on RTF attachments in targeted campaigns, there are limitations to this technique. In many cases RTF metadata is fleeting and trivial to alter from campaign to campaign. Often these values are updated to mimic regionally specific personnel at targeted organizations and changed to the native languages spoken by the targets. Additionally, RTF metadata tags are not mandatory values that must be included upon the compilation of an RTF file. In some cases adversaries have removed RTF metadata tag IDs from weaponized RTF attachments upon updating a phishing weaponizer. Based on the inconsistent and non-essential nature of RTF metadata as a social engineering mechanism in weaponized RTFs, this tracking method provides the best visibility, over multiple campaigns, of the operator’s personas and possible targeting intention, while being a fleeting indicator of compromise.



Certain characteristics of the shellcode used to exploit a vulnerability targeted by a malicious RTF can be used to track certain RTF weaponizers. The most common characteristic of shellcode would be certain Return Oriented Programming (ROP) gadgets being used by the exploit or the technique used to drop and execute the payload. While these characteristics are usually permanent and rarely changed, it is usually difficult to develop YARA rules to automatically track them.


Obfuscation artifacts

The Office RTF parser and RTF file specification is very flexible from a development standpoint. One of the most flexible features of an RTF file is the allowance of cascading objects, which can represent data in different formats and escape characters. Exploit developers make use of this functionality to build obfuscated payloads that are still valid when rendered in Office, but which can evade AV engines by representing malicious internal content in formats other than what is most commonly used in AV static signature detection. This has the beneficial secondary outcome of making it harder for analysts to extract or analyse the malicious payload.

Actors often deploy scripts to insert custom obfuscation gadgets into their malicious RTFs. Using these gadgets as strings in YARA signatures is a very useful method for tracking RTFs created for certain campaigns or actors. There are multiple articles and papers discussing RTF obfuscation in detail [3, 4]. Figures 2 to 4 show some examples of RTF obfuscation gadgets that can be used to track malicious RTFs.

 Figure 1_2.JPGFigure 2: Obfuscation gadget present in Royal Road weaponizer version 2.

 Figure 1_3.JPGFigure 3: Example of obfuscation gadget used in malicious RTFs.


Figure 1_4.JPGFigure 4: Example of obfuscation gadget used in malicious RTFs.


Object dimensions and phishing weaponizers

CVEs and exploits are often purchased from digital black markets as Python scripts that can be used to weaponize a lure document. Alternatively, weaponizers have been known to be developed as internal tools for APT organizations. Based on the popularity of Word for rendering email attachments, threat actors usually build their lure ‘.doc’ using a normal Office application and then use the acquired script to inject the malicious RTF object into the lure document once it has been created.

Based on RTF specifications, any object that has a graphical representation (which will most commonly be rendered in Word) needs to specify the object dimension as part of the RTF object header. This is to say that the object height and width for graphic representation are included in the strings of the compiled RTF file to ensure that an error will not occur when attempting to load the object. Table 1 includes a list of the object dimensions and attributes that can be included in an RTF object header at the time of compilation.

Object size, position, cropping and scaling  
\objhN N is the original object height in twips, assuming the object has a graphical representation.
\objwN N is the original object width in twips, assuming the object has a graphical representation.
\objsetsize Forces the object server to set the object’s dimensions to those specified by the client.
\objalignN N is the distance in twips from the left edge of the objects that should be aligned on a tab stop. This is needed to place Equation Editor equations correctly in line.
\objtransyN N is the distance in twips the objects should be moved vertically with respect to the baseline. This is needed to place MathType equations correctly in line.
\objcroptN N is the top cropping distance in twips.
\objcropbN N is the bottom cropping distance in twips.
\objcroplN N is the left cropping distance in twips.
\objcroprN N is the right cropping distance in twips.
\objscalexN N is the horizontal scaling percentage.
\objscaleyN N is the vertical scaling percentage.

Table 1: Object dimensions and attributes that may be present in RTF header.

If the malicious RTF exploit object has a graphical representation (most phishing attachments do), the object dimensions are crafted inside the weaponizer script and included in the strings of the malicious RTF exploit. An extended study of multiple RTF weaponizers and malicious RTF files targeting numerous vulnerabilities proved that the object dimension are very often unique numbers. Specifically, the object height and width were frequently found to be unique and it was observed that they never changed across the usage of certain weaponizers, even in instances when the weaponizer was being utilized by multiple actors deploying diverse shellcode. Whereas the RTF obfuscation and final delivered payload may change, the RTF object dimensions were found to remain constant.

Interestingly, RTF object dimensions are rarely used by anti-virus (AV) engines to detect malicious RTF files. This current lack of object dimension-based detection may be why developers do not need to change object dimension to bypass AV engines. On the other hand, metadata, obfuscation and shellcode (all used in other attribution techniques) tend to be changed regularly by actors attempting to bypass AV detection. We noticed in multiple cases that, even when the actors were very successful in updating their weaponizer to provide better AV detection evasion, a simple YARA rule tracking the object dimension was able to find the malicious RTF created by a new version of the weaponizer. Figure 5, is the strings section from a malicious RTF sample created by the Royal Road RTF weaponizer. We successfully tracked samples created by this weaponizer via a YARA rule to detect the unique object dimensions. The static AV detections in VirusTotal, which are shown in Figure 6, failed to detect many of these samples with accuracy. Specifically, in the sample included in Figure 6, only one AV engine identified the sample as an exploit for CVE-2017-11882. Adversaries were likely able to evade AV detection by manipulating the shellcode and employing updated obfuscation techniques. The use of YARA signatures to detect object dimensions for phishing weaponizers provides researchers with a way to identify malicious RTFs that is independent of adversary obfuscation attempts.

Figure 1_6.JPGFigure 5: Object dimension strings from a Royal Road version 2 sample.


Figure 1_7.JPG Figure 6: VirusTotal AV detection for Conimes / Goblin Panda RTF sample identified via YARA signature for RTF object dimensions ‘objh2180/objw300’.

The tracking of RTF object dimensions has led researchers to identify 27 unique weaponizers that include APT, cybercriminal and public tools. Of the over 6,000 malicious RTF files analysed, 4,445 contained unique object dimensions. This demonstrates how distinct object dimensions are per weaponized RTF sample and reinforces that a cluster of shared object dimensions between samples is an indication that they were likely created by the same weaponizer.


Comparing RTF attribution techniques: pros and cons

Technique Pros Cons
Metadata and author name (fleeting & operator‑centric) Operator-centric
Provides context via social engineering content and language of targets (‘human fingerprint’)
Can be used to track specific campaigns
Easy to track
Trivial to change
Not required in all weaponized files
Regularly evolving
RTF obfuscation artifacts (evolving & supply-chain-centric) Unique to shellcode developer
Can facilitate attribution and correlations between threat actors
Easy to track using YARA rules
Regularly evolving with high turnover so threat actors can bypass AV detection
Shellcode (permanent & operator-centric) A more permanent actor artifact to track
Usually specific to a single actor
Difficult for actors to change entirely
Complex to create a signature, specifically utilizing YARA rules to track shellcode
Object dimensions (permanent & supply-chain-centric) Very specific to weaponizer developer & exploit supplier
Does not change regularly
Allows attribution of a shared exploit supply chain
Maps relations between different connected groups
Does not provide operator visibility
If multiple actors are using the weaponizer it does not provide deeper attribution to a specific group

Table 2: Comparison of RTF attribution techniques.

 Figure 1_8.png

Figure 7: Quadrant view of permanence versus operational visibility in RTF attribution techniques.


The Royal Road weaponizer

Researchers have identified a unique phishing weaponizer that, to date, has been utilized in Chinese and South Asian APT targeted attacks, as well as in cybercriminal campaigns. The weaponizer, which has been dubbed ‘Royal Road’, is believed to be a code base capable of creating weaponized RTF exploits complete with believable lure content for CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798. This weaponizer has primarily been used by Chinese APT actors in espionage campaigns supporting intelligence requirements for the Belt and Road Initiative in Central Asia, Russia, Vietnam and Mongolia, but also with the targeting of US maritime, academic and defence sectors. Specifically, the weaponizer can be identified by the unique object dimensions objh2180/objw300 appearing in the malicious RTF’s strings. Further variations of this weaponizer can be identified by the object data which follows the object dimensions, the metadata associated with the RTF files, and an examination of post-exploitation infection techniques utilized by disparate threat actors.

Versions of the Royal Road tool weaponize RTF files to exploit CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798, which affect the Microsoft Equation Editor. CVE-2017-11882 and CVE-2018-0802 were patched by Microsoft in November 2017 and January 2018, respectively. The lesser‑known CVE-2018-0798 was also patched in January 2018. Since then, RTF files exploiting these vulnerabilities in malspam campaigns pushing malware like LokiBot and Formbook have been well documented. By now, exploits for Equation Editor vulnerabilities are old news, and more than 1,000 samples have been submitted to VirusTotal since November 2017. Chinese APT threat actors adapted these popular vulnerabilities into exploits immediately following their disclosure by Microsoft. The use of a specific weaponizer to exploit well-known vulnerabilities allows analysts both to attribute In-the-Wild (ItW) samples and to gain insight into the supply chain associated with numerous APTs across international boundaries.


Distinguishing between Royal Road versions

All identified weaponized RTF samples created by the Royal Road tool were found to share the unique RTF object dimensions objh2180/objw300. This shared dimension allowed us to draw connections between diverse samples created by the tool, as variation exists between different versions of the weaponizer which include unique object data spanning five distinct versions. Additionally, two distinct methods for executing post-exploitation payloads were found, which serve as the primary method for distinguishing between Chinese APT activity and activity associated with the Sidewinder APT. Finally, further variation was identified and documented in the methods used amongst disparate Chinese APTs to perform DLL side-loading following execution.

Four distinct clusters of Chinese APT activity have been observed utilizing RTF files that contain the Royal Road unique object dimensions. Version 1 utilizes the object data string objw2180\objh300{\*\objclass Equation.3}{\*\objdata 01050000020000000B0000004571756174 and exploits CVE-2017-11882. Versions 2 and 4 utilize the object data string objw2180\objh300{\objdata 554567{\*\objdata 01050000020000000B0000004571756174696F6E2E and exploit both CVE-2017-11882 and CVE-2018-0802. Several of these APT groups have utilized exploits for both CVE-2017-11882 (two versions) and CVE-2018-0802 at different times, representing a shared and evolving supply chain between Chinese threat actors. Version 4 of the Royal Road weaponizer was observed being utilized by the Sidewinder APT group, using the object data string objw2180\objh300{\objdata 554567{{\*\objdata 1389E614020000000B0000004571756174696F6E2 to exploit CVE-2017-11882. This string is highly similar to the object data string from Royal Road versions 2 and 4.

A fifth variation of the Royal Road builder was also observed in use by Chinese APT actors. The analysed RTF files share the same object dimension (objw2180\objh300) as used to track the RTF weaponizer. However, in this case the samples were not exploiting CVE-2017-11882 or CVE-2018-0802. After further analysis, it was discovered that the RTF files were exploiting the CVE-2018-0798 vulnerability in Microsoft’s Equation Editor (EQNEDT32). CVE-2018-0798 does not appear to be commonly exploited in the wild, even though is more reliable than its better-known Equation Editor RCE counterparts. Its reliability is rooted in its efficacy among all Microsoft Word versions that include the Equation Editor. Its counterparts CVE-2017-11882 and CVE-2018-0802 are limited to specific versions based on the patches that have been deployed. CVE-2017-11882 is only exploitable on an unpatched version prior to its fix, and CVE-2018-0802 is only exploitable on the version released to fix CVE-2017-11882. In contrast, a threat actor utilizing CVE-2018-0798 has a higher likelihood of success because it is not limited by version. Files containing the Royal Road object dimensions and the following string have been classified as Royal Road v5: objw2180\objh300\objdata\object 5154\781\'e56\'2f7\objdata 01050000020000000b0000004571756174696f6e2e33000000000000000000002e0000d01.

Version Object string Description
Royal Road v1 objw2180\objh300{\*\objclass Equation.3}{\*\objdata 01050000020000000B0000004571756174 No obfuscation
Exploits CVE-2017-11882
8.t post-exploitation technique & execution of shellcode
Used by Chinese APTs
Temp.Periscope and Goblin Panda
Royal Road v2 objw2180\objh300{\objdata 554567{\*\objdata 01050000020000000B0000004571756174696F6E2E Started using RTF obfuscation gadgets to evade AV detection
8.t post-exploitation technique & execution of shellcode
Exploits CVE-2017-11882
Used by Chinese APTs Nomad Panda, Dagger Panda and Goblin Panda
Royal Road v3 (Sidewinder) objw2180\objh300{\objdata 554567{{\*\objdata 1389E614020000000B0000004571756174696F6E2 Similar RTF obfuscation gadgets to v2
Post-exploitation uses HTA download & execution of shellcode
Exploits CVE-2017-11882
Used by Sidewinder APT
Royal Road v4 objw2180\objh300{\objdata 554567{\*\objdata 01050000020000000b0000004571756174696f6e2 Similar RTF obfuscation gadgets to v2.
8.t post-exploitation technique & execution of shellcode
Exploits CVE-2018-0802
Used by Nomad Panda, Dagger Panda, Goblin Panda, the group responsible for the Reaver malware, and Temp.Hex
Royal Road v5 objw2180\objh300\objdata\object 5154\781\’e56\’2f7\objdata 01050000020000000b0000004571756174696f6e2e33000000000000000000002e0000d01 8.t post-exploitation technique & execution of shellcode
Exploits CVE-2018-0798
Used by Nomad Panda, Dagger Panda, Goblin Panda, and Temp.Hex

Table 3: Table comparing the different versions of Royal Road weaponizer.

Among the Chinese groups to use Royal Road are the APTs Goblin Panda (Conimes), Temp.Trident (Dagger Panda and Nomad Panda, Ice Fog), Temp.Periscope (APT40, Leviathan, MudCarp), the APT group associated with the Reaver malware, and Temp.Hex (Maudi Surveillance Operation). Goblin Panda (Conimes) has historically targeted Vietnam, utilizing Royal Road RTF phishing attachments to deliver a payload identified as ‘QCRat’. This payload is identifiable via the vulnerable McAfee DLL that was utilized for DLL side-loading (QCLite.dll and QCConsol.exe). This group has subsequently utilized additional malicious PE files side-loaded by legitimate dynamic-link libraries (DLLs) as well as PowerShell scripts in phishing campaigns to deliver malware families including Newcore RAT and Gh0st. Royal Road RTF samples are often attributable to Conimes by their distinctive Vietnamese language lures and file names, as well as through recognizable post-infection DLL side-loading techniques.

Actor Targeting Potential motivation Methodology Unique tools
Goblin Panda (Conimes) Vietnam and Southeast Asia Espionage aligned with commercial and South China Sea issues RTF phishing followed by shellcode executed via an OLE package dropping distinctive source file 8.t QCRat Gh0st Newcore
Temp.Periscope (APT40, Leviathan, MudCarp) US Defence; maritime; academic institutions; international & political organizations Intellectual property theft and military espionage RTF phishing followed by shellcode executed via an OLE package dropping distinctive source file 8.t DadBod EvilTech AirBreak HomeFry MurkyTop
Nomad Panda & Dagger Panda
(Temp.Trident, Icefog)
Mongolia and Central Asia Economic espionage for Belt & Road Initiative RTF phishing followed by shellcode executed via an OLE package dropping distinctive source file 8.t Fucobha Icefog (shared) Gh0st
Temp.Hex (The Maudi Surveillance Operation [5]) Mongolia Local Chinese interests, human rights activists, Mongolian diplomatic affairs RTF phishing followed by shellcode executed via an OLE package dropping distinctive source file 8.t FireShadow Poison Ivy Maudi Tool Suite
APT responsible for the Reaver malware SE Asia and India. Areas associated with dissidents tied to the Chinese Five Poisons Five Poisons targeting RTF phishing followed by shellcode executed via an OLE package dropping distinctive source file 8.t Reaver
Sun Orcal

Table 4: Table characterizing Chinese APT groups utilizing the Royal Road weaponizer.

Temp.Periscope (APT40, Leviathan) has historically targeted US and international institutions associated with naval and maritime issues affecting the South China Sea while supporting the theft of intellectual property. This was the first group observed utilizing the Royal Road weaponizer, however, it appears to have ceased using it around December 2017 following patch adoption for CVE-2017-11882.

Temp.Trident (Dagger Panda & Nomad Panda, Icefog) has historically targeted the Mongolia region (Dagger Panda) alongside Russia and Central Asia (Nomad Panda), likely as part of economic espionage efforts in support of the Chinese Belt and Road Initiative. Versions of the custom payload ‘Fucobha’ or ‘Icefog’, which was first identified in 2013, have been identified as part of these campaigns. These campaigns have also leveraged more common payloads utilized by Chinese APT groups like Gh0st RAT. Historically, Royal Road RTF samples attributed to this APT have included distinctive RTF metadata author information that recurs across campaigns.

The APT group responsible for the Reaver and Sun Orcal malware is also believed to utilize the Royal Road exploit builder. This group was the first to be observed utilizing Royal Road v4, which exploited CVE-2018-0802. Historically, this group is known to target groups that oppose the Chinese governmental doctrine of ‘One China’. The targeted groups are often referred to as ‘the Five Poisons’ and include acolytes of Falun Gong, Muslim Uyghurs, supporters of Chinese democracy, supporters of an independent Taiwan, and Tibetans. Since these groups consist primarily of dissidents, the geography associated with Reaver and Sun Orcal targeting is diverse and is believed to be any location where these populations reside. Researchers at Cylance publicized Reaver RTF exploits built using the Royal Road tool in May 2019 and reinforced the observation of tool sharing among Chinese APT groups at that time [6].

Another Chinese APT group known to target Mongolia has been identified through this research. The APT known as Temp.Hex and the Maudi Surveillance Operation has been observed utilizing the Royal Road v5 weaponizer. In addition to these distinct Chinese APTs using a common RTF weaponizer, they all share a common post-exploitation execution technique. Rather than downloading and executing a malicious file, the RTF document drops and executes shellcode via an encoded OLE package which then drops a distinctive source file named ‘8.t’ to execute a payload. This method was identified earlier by security analysts in open sources. Anomali Threat Research identified the presence of the unique object dimension objw871\\objh811\\objscalex8\\objscaley8 in RTF files involved with this post-exploitation method. Signature alerts for this object’s dimensions indicate the use of the 8.t exploitation technique. The presence of both a shared phishing weaponizer and a shared post-exploitation execution technique between these groups is indicative of a significant TTP overlap. It is noteworthy that, after the use of the 8.t source file that is dropped to the temp directory, different files, registries and DLLs are used to execute the malicious payload on the host. The weaponizer and exploitation techniques are shared, but different post‑infection techniques and payloads are utilized. Varying degrees of overlap have been observed between the post-exploitation techniques of the five Chinese APTs using the Royal Road weaponizer.

An attribution timeline of publicly available samples is shown in Figure 8.

Figure 1_9.pngFigure 8: Attribution timeline of public Royal Road RTF samples.

Unlike the Chinese groups, limited use of the Royal Road weaponizer by the Indian APT actor Sidewinder has been observed. Only version 3 of the weaponizer and three total samples have been observed. Specifically, the RTF exploit for CVE-2017-11882 utilized by Sidewinder contains the string objw2180\objh300{\objdata 554567{{\*\objdata 1389E614020000000B0000004571756174696F6E2. These dimensions and format are notably similar to the format observed in the Royal Road CVE-2017-11882 v2 tool used by Chinese groups with only the object data obfuscation gadget varying between the samples. The post-exploitation methodology used by the Sidewinder operators deviates completely from what is utilized by other APT groups. The RTF downloads and executes a payload via an HTA file. The Sidewinder APT has historically targeted organizations linked to the Pakistani Military and is believed by security researchers to be an actor associated with Indian espionage interests, possibly operating as a contractor in the space. However, the use of weaponized RTF files with unique object dimensions in phishing campaigns relies on the successful exploitation of CVE-2017-11882, in which the opened RTF file downloads and executes HTA files on the victim’s machine. Primarily English language phishing files that utilize topics involving the military borders of India, China and Pakistan were weaponized and required execution by the victim to pull down additional files including a malicious HTA file. Once the HTA file was downloaded from a C2 domain and executed, a PowerShell payload contained in the HTA file was executed on the victim’s system. Another noteworthy aspect of the use of the Royal Road weaponizer by the Sidewinder APT is that it was extremely brief. Three samples have been identified from mid-2018. Subsequent Sidewinder campaigns have been identified which suggest that the group is no longer utilizing RTF files as their initial phishing attachments, but are rather using ‘.docx’ files which download RTFs that exploit the Equation Editor exploit CVE-2017-11882. These new RTFs do not contain object dimensions.

Utilization of the Royal Road weaponizer v5 exploiting CVE-2018-0798 was attributed to Temp.Trident (Nomad Panda and Dagger Panda), Conimes (Goblin Panda) and Temp.Hex. Researchers were able to identify multiple samples of malicious RTF documents using this weaponizer in the wild. However, determining a precise date of first use is challenging. Some of the analysed samples have a creation date of 19 November 2017 (five days after a patch was released for CVE-2017-11882) – however, that date appears to be manipulated based on the recent compilation dates of the payloads observed, many of which date to 2019. Researchers place a likely date of first usage in the wild around October 2018 based on a sample (e228045ef57fb8cc1226b62ada7eee9b) with a VirusTotal submission date of 29 October 2018 with the RTF creation time of 23 October 2018. This earliest observed sample has been attributed to Conimes. Multiple samples analysed by security researchers that we associate with CVE-2018-0798 have been mentioned in previous instances and detection signatures by others in the security community. We believe that some of these samples were misattributed to CVE-2017-11882 or CVE-2018-0802 based on their exploitation of the Equation Editor, despite being classified as CVE-2018-0798.


Commodity actors adopt Royal Road

After the brief utilization of Royal Road by the Sidewinder APT and its continuous utilization by Chinese APT groups, a new pattern of usage emerged. On 10 March 2019, analysts discovered a new man-in-the-middle (MitM) phishing campaign that appeared ultimately to deliver the Formbook malware via CVE-2017-11882 RTF exploits. The campaign delivered malicious attachments to users in the address books of compromised victims. These weaponized RTF attachments included the object dimensions of the Royal Road weaponizer, objw2180\\objh300, along with additional object dimensions objw1479\\objh975.

Figure 1_10.JPGFigure 9: Unique object dimensions present in weaponized commodity RTF attachments.

The malicious emails, while sharing a broad geographic clustering, did not appear to be targeted in nature because victims existed in different sectors and the phishing lures were found to have commodity purchase order and invoice themes. The use of the Formbook malware in MitM phishing attacks is not unique in itself. However, the tool that threat actors used to weaponize RTF phishing attachments for this campaign had only previously been used by the Chinese and Indian APT actors noted previously.

A similar campaign was observed on 6 May 2019 utilizing a tariff-themed phishing lure. After the user had executed the malicious RTF attachment it exploited CVE-2017-11882. This gave access to the svchost.exe and wmiprvse.exe processes via Remote Process Calls (RPCs). Wmiprvse.exe then spawns a command line shell as a child process that is used to execute the file ‘~afer125419.tmp’. This file is created on the host by a Visual Basic script that was previously downloaded from the Pastebin URL pastebin[.]com/raw/9t3R1Ng5 by the malicious RTF.

Figure 1_11.JPGFigure 10: VBScript used to create malicious ~afer125419.tmp file.

In some samples from this campaign, the VBScript was found within a malicious HTA file that was downloaded directly from a C2 domain by the initial malicious RTF rather than from the above-referenced Pastebin URL. Notably, each of the malicious RTF files includes the RTF metadata author tag ‘n3o’. This metadata information has been associated with malicious purchase order and invoice phishing campaigns since at least 2017. Specifically, the ‘n3o’ metadata author tag has been present in identified RTF phishing files that exploited Equation Editor vulnerabilities (CVE-2017-11882 and CVE-2018-0802) from both May 2018 [7] and December 2018.

The adoption of Royal Road by an additional commodity actor occurred in April 2019. The object dimensions objw2180\\objh300 were seen in a malspam campaign which appears to have delivered the commodity ransomware Osiris, which is an older variant of the Locky ransomware. The campaign leveraged IT themes within its phishing lures and specifically referenced a Samsung printer [8]. The weaponized RTFs all included the metadata author tag ‘wuyan’ and included phishing lure themes from invoices, to payment documents and purchase orders. ‘Wuyan’ is also a known metadata author tag that has been associated with commodity campaigns that did not utilize the Royal Road weaponizer.


Weaponizer life cycle

Phishing weaponizers are created, sold and distributed in the cyber threat landscape in a similar fashion to zero-day vulnerabilities and proof-of-concept (PoC) exploits. Like zero-day exploits, a weaponizer tool consisting of code that builds phishing exploits that target vulnerabilities has the most value (both in monetary and operational terms) prior to a vulnerability’s disclosure. During this period often a single sophisticated actor is seen developing a weaponizer for a zero-day that has been identified through targeted vulnerability research. Upon a vulnerability’s disclosure by a PoC or product vendor, a period of rapid tool development by multiple actors often occurs during the time when a vulnerability is unpatched (‘1 Day’) and during the initial 90 days following the release of a patch. Ninety days is a common duration for patch implementation at large enterprises, however, patching may occur faster or slower based on criticality prioritization within an organization. The current US Department of Defense Cybersecurity Discipline Implementation Plan strives to have all systems patched within 21 days of patch release and provides for the network removal of high-risk unpatched devices after a 120-day period [9]. During the initial patch-adoption period, targeted phishing attacks for a disclosed vulnerability will have a high success rate based on the limited degree of deployed patches in the threat landscape. Therefore, the largest number of new weaponizers for a specific vulnerability will be observed during this period.

Following the initial patch-adoption period, continued adoption, innovation, and diffusion of weaponizer tools is often observed with usage by less sophisticated actors including cybercriminal and commodity adversaries involved with malspam distribution. This adoption of once-sophisticated weaponizers by unsophisticated actors is accompanied by a decrease in the effectiveness of the targeted attacks that make use of the weaponizer because the number of patched machines rises over time. Although less effective in targeted attacks, late-stage weaponizer usage for large-scale, untargeted commodity campaigns like malspam allow additional value to be derived from a weaponizer like Royal Road. Late-stage actor adoption of such tools can be further driven by the publication of research that may include both samples and code writeups, allowing adversaries to adopt or recreate the published weaponizer.

The diagram shown in Figure 11 maps the adoption of the Royal Road weaponizer for CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798 by multiple APT and cybercriminal adversaries. Royal Road has not been found to be a tool that exploited these CVEs as zero-days. CVE-2017-11882 and CVE-2018-0802 were disclosed in the threat landscape and patched by Microsoft in close succession. It is likely that sophisticated APT groups like Temp.Periscope immediately began developing or purchased a functional weaponizer for CVE-2017-11882 in the days following disclosure. This conclusion is based on the first functional Royal Road sample being observed just four days after the disclosure of CVE-2017-11882. Conimes/Goblin Panda was also seen utilizing the same weaponizer and post-infection DLL hijacking methodology within the initial 90-day patching cycle. Meanwhile, the APT group responsible for Reaver malware was found to be utilizing a functional exploit for CVE-2018-0802 created by the Royal Road builder within 90 days of initial exploit disclosure.

Figure 1_12_updated.jpgFigure 11: Royal Road adoption timeline.

Following the initial patching period, new variations of the Royal Road weaponizer began to emerge, with Goblin Panda and Nomad Panda deploying an updated version that exploited CVE-2017-11882. These Chinese APT groups were subsequently observed adopting the Royal Road weaponizer version that now exploited CVE-2018-0802, first used by the Reaver Group. The Sidewinder APT, which is believed to originate from South Asia, was also seen briefly utilizing a different version of the Royal Road weaponizer for CVE-2017-11882 following the initial 90 days after patch disclosure.

The usage of the Royal Road version 4 weaponizer for CVE-2018-0802 persisted past the initial patching period and also continued following Anomali’s publication regarding the Royal Road tool that was released in February 2019 [10]. Interestingly, in the period following publication, an additional cluster of phishing emails using Royal Road version 5 were identified targeting Mongolian speakers that appeared to be related to a Chinese APT group referred to as Temp.Hex by FireEye and the Maudi Surveillance Operation by Norman Shark. Specifically, a Royal Road RTF attachment named ‘Цэргийн багийн 8 ээлж ашиглагдах утасны дугаарын жагсаалт.doc’, which translates to ‘List of telephone numbers to be used in the 8th Military Team.doc’ (1e78ebbfb5fd1ee66f44030d52f80806d184e6daa00dd7aaa1a30b53c629912d) was found to utilize the C2 mtanews.vzglagtime[.]net, which resolved to the IP 217.69.8[.]255 at the time of analysis [11]. The same IP was observed to be the C2 host used by a FIRESHADOW malware payload in a campaign in January 2019 which FireEye attributed to Temp.Hex and identified as targeting Mongolian transportation and telecommunications sectors. Additionally, another RTF file that FireEye associates with that January campaign (5cc1272272a6de91e1c43832f289c73f) utilizes the same post-infection mechanism for DLL side-loading as the above Royal Road sample. The samples drop the encoded 8.t file to the temp folder. When this file is decoded it is the malicious executable winhelp.wll. The malicious EXE is then copied to the following directory as %APPDATA%\Intel\Intel(R) Processor Graphics\RasTls.dll and side-loaded using the legitimate executable IntelGraphicsController.exe. It is worth noting that the malicious executable file name ‘winhelp.wll’ has historically been observed in campaigns linked to Dagger Panda and Nomad Panda as well.

While the functional CVE-2017-11882 and CVE-2018-0802 were in rapid development by the groups Conimes, Temp.Periscope and Reaver following their initial disclosure, a slower adoption was observed for CVE-2018-0798. This vulnerability, which also targeted the Equation Editor, was utilized by threat actors following the initial 90-day disclosure period. Although the exact date of actor adoption is not known for CVE-2018-0798 samples, since the earliest testing samples appear to be timestomped with dates from 2017, we believe ItW samples emerged in October 2018. The version 5 Royal Road weaponizer identifiable by the obfuscation gadget string objw2180\objh300\objdata\object 5154\781\'e56\'2f7\objdata 01050000020000000b0000004571756174696f6e2e33000000000000000000002e0000d01 was seen twice in October 2018. This use continued intermittently until April 2019. Following this adoption, Royal Road version 5 exploiting CVE-2018-0798 weaponized RTF files became more ubiquitous among the APT groups, with Temp.Hex and Temp.Trident incorporating the tool in their tactics.

Finally, following the Anomali publication on the Royal Road weaponizer, and for the first time since its initial emergence in November 2017, the Royal Road object dimensions began to appear in commodity campaigns delivering malicious RTF files weaponized for CVE-2017-11882. Appearing first in March 2019 and continuing until June 2019, the timing of this release in the commodity landscape is striking. Although unsubstantiated at this time, it is possible that, following the Anomali publication about the Royal Road weaponizer, the exploit was released or sold for use by an exploit broker to commodity actors. Whereas the value of an exploit builder is greatest when no one knows of the vulnerability, its value is lowest when in-depth knowledge and detection signatures for a tool have been published. Researchers reiterate that this possibility remains unsubstantiated at this time and recognize that adoption of such a tool by both commodity and Indian APT actors could be the result of reverse engineering a sample encountered through fourth/Nth-party collection. Intermittent use of the Royal Road weaponizer in commodity phishing campaigns does not inform the origin of the tool as being created by an exploit broker or an APT developer. However, its commodity emergence does suggest an attempt to derive broader value from a tool following an open-source publication which previously documented it as part of multiple APT toolkits.


Additional threat activity clusters based on RTF object dimensions

Researchers identified an additional 26 clusters of activity identifiable by their unique object dimensions, as show in Figure 12. It is believed that each of the unique object dimensions and their correlated activity represent a phishing weaponizer being utilized in the wild. The identified activity includes additional weaponizers utilized by the APT groups responsible for the Reaver malware and the criminal campaigns dubbed ‘Gorgon Group’ by Palo Alto Networks (believed to be associated with the Pakistani APT group Subaat) [12, 13]. Several commodity and unidentified weaponizers were observed that are primarily in use as part of malspam and banking trojan campaigns. Additionally, three public phishing weaponizers were identified in open source as PoCs or GitHub projects which have been utilized in a range of campaigns including both cybercriminal and APT activity.

Figure 1_13.JPGFigure 12: 26 additional RTF weaponizers identified using unique object dimensions.



The application of RTF attribution techniques across over 6,000 samples has ultimately identified 27 RTF weaponizers, 18 months of targeted APT activity spanning six adversaries, and has demonstrated the value derived from the analysis of unique object dimensions. While the continued analysis of other aspects of the RTF file format – including metadata, shellcode and obfuscation – remains valuable, object dimensions provide a unique visibility into weaponizer tool usage in the threat landscape. The relative ease and significant return of YARA signatures tracking these dimensions provides network defenders a high-veracity, repeatable method for identifying malicious RTF phishing attachments. This high-value boon to defenders is augmented by the long-term strategic context that tracking object dimension can offer as part of threat actor profiling. Should these object dimensions remain relatively obscure in the static detections employed by anti-virus signatures and therefore insignificant in the eyes of threat actors, we believe that attribution will remain in the object.



[1] 2019 Data Breach Investigations Report. May 8, 2019. https://enterprise.verizon.com/resources/reports/dbir/.

[2] Raggi, M. A. Schrodinger’s Backslash: Tracking the Chinese APT Goblin Panda Using RTF Metadata. SANS Cyber Threat Intelligence Summit. January 22, 2019. https://www.sans.org/cyber-security-summit/archives/file/summit_archive_1548184559.pdf.

[3] Yang, J. How RTF Malware Evades Static Signature-based Detection. FireEye Threat Research. May 20, 2016. https://www.fireeye.com/blog/threat-research/2016/05/how_rtf_malware_evad.html.

[4] Larin, B. How RTF Malware Evades Static Signature-based Detection. Disappearing Bytes: Reverse Engineering the MS Office RTF Parser. February 21, 2018. https://securelist.com/disappearing-bytes/84017/.

[5] Fagerland, S. The Chinese Malware Complexes: The Maudi Surveillance Operation. Seebug.org. 2012. https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf.

[6] Cylance Research and Intelligence Team. Reaver: Mapping Connections Between Disparate Chinese APT Groups. Threat Vector. May 14, 2019. https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html.

[7] https://github.com/decalage2/oletools/issues/307; https://www.anquanke.com/post/id/168455.

[8] Scan from a Samsung MFP Malspam Delivers Locky Osiris. My Security Online. December 08, 2016. https://myonlinesecurity.co.uk/scan-from-a-samsung-mfp-malspam-delivers-locky-osiris/.

[9] United States Department of Defense. DoD Cybersecurity Discipline Implementation Plan. February 2016. https://dodcio.defense.gov/Portals/0/Documents/Cyber/CyberDis-ImpPlan.pdf.

[10] Raggi, M. A.; Saad, G. Analyzing Digital QuarterMasters in Asia. Anomali Blog. March 2019. https://www.anomali.com/blog/analyzing-digital-quartermasters-in-asia-do-chinese-and-indian-apts-have-a-shared-supply-chain.

[11] Beaumont, K. Twitter. April 17, 2019. https://twitter.com/GossiTheDog/statuses/1118478326908248064.

[12] Falcone, R.; Fuertes, D.; Grunzweig, J.; Wilhoit, K. The Gorgon Group: Slithering Between Nation State and Cybercrime. Unit 42. August 08, 2018. https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/.

[13] Falcone, R.; Ash, B. Aggah Campaign: Bit.ly, BlogSpot, and Pastebin Used for C2 in Large Scale Campaign. Unit 42. April 17, 2019. https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/.


YARA signatures

rule Royal_Road_RTF_weaponizer
    author        = "Anomali"
    tlp           = "GREEN"
    version       = "2.0"
    date          = "2018-11-10"
    hash          = "9d0c4ec62abe79e754eaa2fd7696f98441bc783781d8656065cddfae3dbf503e"
    description   = "Detects malicious Royal Road RTF from object dimension"
$S1= "objw2180\\objh300"
$RTF= "{\\rt"
$RTF at 0 and $S1
rule RTF_Malicous_Object_8.t_Chinese_APT_Activity
    author        = "Anomali"
    tlp           = "GREEN"
    version       = "2.0"
    date          = "2018-11-10"
    hash          = "9d0c4ec62abe79e754eaa2fd7696f98441bc783781d8656065cddfae3dbf503e"
    description   = "Detects malicious RTF from object dimension indicating 8.t post infection mechanism"
$S1= "objw871\\objh811\\objscalex8\\objscaley8"
$RTF= "{\\rt"
$RTF at 0 and $S1


Indicators of Compromise

Goblin Panda / Conimes









Temp.Periscope / Leviathan / APT40






Unattributed (Chinese APT) samples



Sidewinder APT



Formbook ‘n3o’ commodity campaigns




Wuyan commodity campaigns


Download PDF



Latest articles:

Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

Aditya Sood & Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited to compromise the C&C panel in order to gather threat intelligence, and present a model of mobile AppInjects.

Cryptojacking on the fly: TeamTNT using NVIDIA drivers to mine cryptocurrency

TeamTNT is known for attacking insecure and vulnerable Kubernetes deployments in order to infiltrate organizations’ dedicated environments and transform them into attack launchpads. In this article Aditya Sood presents a new module introduced by…

Collector-stealer: a Russian origin credential and information extractor

Collector-stealer, a piece of malware of Russian origin, is heavily used on the Internet to exfiltrate sensitive data from end-user systems and store it in its C&C panels. In this article, researchers Aditya K Sood and Rohit Chaturvedi present a 360…

Fighting Fire with Fire

In 1989, Joe Wells encountered his first virus: Jerusalem. He disassembled the virus, and from that moment onward, was intrigued by the properties of these small pieces of self-replicating code. Joe Wells was an expert on computer viruses, was partly…

Run your malicious VBA macros anywhere!

Kurt Natvig wanted to understand whether it’s possible to recompile VBA macros to another language, which could then easily be ‘run’ on any gateway, thus revealing a sample’s true nature in a safe manner. In this article he explains how he recompiled…

Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.