By GoldSparrow in Malware

The RoyalRoad threat is a hacking tool that serves to create corrupted RTF documents that help the attackers compromise a targeted system. The RoyalRoad malware is known to exploit previously unknown vulnerabilities in the Microsoft Equation Editor service. Malware analysts have spotted various different hacking groups taking advantage of the RoyalRoad threat's capabilities. Among the hacking groups utilizing the RoyalRoad malware are IceFog, Goblin Panda, and Molerats and others.

The operators of the RoyalRoad threat have been using it in various campaigns. One of the more recent high-profile attacks, the RoyalRoad tool, was used against the Mongolian Ministry of Foreign Affairs. The attackers used the RoyalRoad threat to build a customized RTF document that would trick their targets into executing the corrupted file. Many cybercriminals use RTF documents as an infection vector, so this is not an innovative method at all. However, the operators of the RoyalRoad malware inject the payload of the threat in the '\Microsoft\Word\STARTUP' folder, which is not a commonly used technique. Planting the payload of the threat in the aforementioned folder ensures that the RoyalRoad malware will not be executed until the user restarts Microsoft Word. This helps the threat avoid malware debugging environments, making it more difficult for cybersecurity researchers to study and analyze this hacking tool. This technique can also serve as a method to gain persistence in the infected system.

Weaponized Coronavirus Documents Used to Hack Computers

The new attack targets users and scares them with information about the coronavirus outbreak to trick them into downloading and installing malware on their computers.

It’s believed that the attack is the work of a long-running APT group known to attack the private sector and world governments. Their current attack takes advantage of the Covid-19 (coronavirus) pandemic to scare users into infecting themselves.

Information about the attacks shows that hackers are using the Royal Road virus to weaponize their RTF documents. Royal Road was discovered and named by Anomali, and it is an RTF weaponizer that is used to exploit the Equation Editor vulnerabilities found within Microsoft Word.

Some of the RTF documents used in the campaign are written in Mongolian. This fits, as the messages claim to come from the Mongolian Ministry of Foreign Affairs. The hackers claim that the email contains the latest information about coronavirus infections in the area.

Infection Vectors

The vulnerability is exploited as soon as the user opens the RTF document in Word. It creates a new file called Intel.wlll in the Word startup folder.

Intell.wll is one of the most recent versions of RoyalRoad. The DLL file establishes persistence with Royal Road by ensuring that DLL files with the WLL extension run automatically whenever Microsoft Word launches. This command means that users will infect their computers whenever they start Microsoft Word in the future unless the DLL is taken care of and removed.

This infection technique also hides the malware and means it can’t be seen in the sandbox, so users will have a hard time even knowing they have been infected.

Once the Intel.wll DLL loads it then goes on to download the next stage of the infection chain from the C2 server at

The next stage of infection also uses a DLL file to load the main malware network. The network was created by APT hackers to gain extra functionality from other C2 servers.

Researchers say that the malicious loader eventually downloads and decrypts a RAT module as a DLL file. The module is loaded into the memory. This methodology could hint at the possibility of there being other modules used in the overall attack.

The RAT module allows for the malware to perform the following actions:

  • Take screenshots
  • Create a list of files and directories
  • Create and delete directories
  • Download files
  • Move and delete files
  • Run programs and processes
  • Create a list of services

The C&C servers for the malware were hosted on Vultr servers with domains registered through GoDaddy.

If a tool like RoyalRoad is being used by various hacking groups, it usually means that the threat is available publicly. However, this is not the case with the RoyalRoad malware. This tool is not available publicly, which led malware analysts to believe that the hacking groups are either cooperating or there is an individual who is part of several different groups. Using RTF documents to compromise targeted systems is not a new trick, but it is one that proves to be successful over and over again. Users need to be very wary when they receive an email from an unknown source – avoid opening attachments even if they seem harmless at first glance.


Most Viewed