Experts from Kaspersky have linked the Platinum APT group with cyber attacks involving an elaborate new steganographic technique used to hide communications with C2 servers.
The APT group was discovered by Microsoft in 2016; it targeted organizations in South and Southeast Asia. According to Microsoft, Platinum has been active since at least 2009 and was responsible for spear-phishing attacks on ISPs, government organizations, intelligence agencies, and defense institutes.
Judging by the nature of the targeted entities and the group's TTPs, the hackers do not appear to be financially motivated.
In June 2018, experts at Kaspersky were investigating attacks against government and military entities in South and Southeast Asian countries. The experts tracked the campaign as EasternRoppels and speculate it may have started as far back as 2012.
“In June 2018, we came across an unusual set of samples spreading throughout South and Southeast Asian countries targeting diplomatic, government and military entities. The campaign, which may have started as far back as 2012, featured a multi-stage approach and was dubbed EasternRoppels.” reads the analysis published by the experts. “The actor behind this campaign, believed to be related to the notorious PLATINUM APT group, used an elaborate, previously unseen
The attack chain starts with WMI subscriptions that run an initial PowerShell downloader, which fetches another small PowerShell backdoor used for system fingerprinting and for downloading additional code.
The initial WMI PowerShell scripts observed in different attacks used different hardcoded command and control (C&C) IP addresses, different encryption keys and salts, and different active hours.
The threat actor hosted the C&C addresses on free hosting services and used a large number of Dropbox accounts to store the malicious code and the exfiltrated data.
Kaspersky spotted a backdoor while investigating another threat; further analysis allowed its experts to determine that it was a second-stage malware used in one of the Platinum campaigns.
“We were able to find a
The researchers discovered that the two attacks used the same domain to store
The hackers used a dropper to install the steganography backdoor: the malicious code creates directories for the backdoor and saves backdoor-related files in them. The dropper then runs the backdoor, sets up a persistence mechanism, and removes itself.
Once the backdoor is installed on a target machine, it connects to the C&C server and downloads an HTML page that contains embedded commands encrypted with a key that is also embedded in the page.
“The page contains embedded commands that are encrypted with an encryption key, also embedded into the page. The embedded data is encoded with two
One of the steganography techniques used by the threat actors is based on the principle that HTML is indifferent to the order of tag attributes. The malicious code decodes the page line by line and collects an encryption key for the encoded data, which is embedded in the page right after the HTML tags. The data itself is encoded with a second steganography technique.
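Because a browser renders `<img src alt width>` and `<img width alt src>` identically, a page carrying attribute-order steganography looks normal to a user but not to a parser that tracks ordering. The following detector is an added example for this article, not code from Kaspersky or from the Platinum toolset: it records the attribute-name order of every start tag with Python's standard `html.parser`, groups tags that share the same attribute set, and scores how many distinct orderings appear. Hand-written or templated HTML tends to keep one order per tag type; a page whose tags permute the same attributes freely is worth a closer look. The two pages and the threshold are constructed for the example.

```python
import math
from collections import defaultdict
from html.parser import HTMLParser


class AttrOrderCollector(HTMLParser):
    """Record the attribute-name order of every start tag, keyed by tag name."""

    def __init__(self):
        super().__init__()
        self.orders = defaultdict(list)  # tag name -> list of attribute-name tuples

    def handle_starttag(self, tag, attrs):
        names = tuple(name for name, _ in attrs)
        if len(names) >= 2:  # a single attribute carries no ordering information
            self.orders[tag].append(names)


def attribute_order_report(html, min_occurrences=4):
    """For each (tag, attribute set) seen at least min_occurrences times, measure
    how many distinct orderings occur. reorder_ratio is 0.0 when every tag uses
    the same order and 1.0 when the tags use as many orders as the sample allows."""
    parser = AttrOrderCollector()
    parser.feed(html)
    report = {}
    for tag, seqs in parser.orders.items():
        # Group by attribute *set* so only genuine reorderings of the same attributes count.
        by_set = defaultdict(list)
        for names in seqs:
            by_set[frozenset(names)].append(names)
        for attr_set, group in by_set.items():
            if len(group) < min_occurrences:
                continue
            distinct = len(set(group))
            possible = math.factorial(len(attr_set))
            # Largest number of distinct orders this many tags could show.
            ceiling = min(len(group), possible)
            ratio = (distinct - 1) / max(ceiling - 1, 1)
            report[(tag, tuple(sorted(attr_set)))] = {
                "occurrences": len(group),
                "distinct_orders": distinct,
                "possible_orders": possible,
                "reorder_ratio": ratio,
            }
    return report


def flag_suspicious(report, threshold=0.5):
    """Return the (tag, attributes) keys whose ordering diversity crosses the threshold."""
    return sorted(key for key, stats in report.items() if stats["reorder_ratio"] >= threshold)


# Constructed sample: a template-generated page keeps one attribute order per tag.
NORMAL_PAGE = """<html><body>
<a href="/1" class="nav">one</a>
<a href="/2" class="nav">two</a>
<a href="/3" class="nav">three</a>
<a href="/4" class="nav">four</a>
</body></html>"""

# Constructed sample: the same three attributes appear in five different orders.
SUSPECT_PAGE = """<html><body>
<img src="a.png" alt="a" width="10">
<img alt="b" src="b.png" width="10">
<img width="10" src="c.png" alt="c">
<img src="d.png" width="10" alt="d">
<img alt="e" width="10" src="e.png">
<img src="f.png" alt="f" width="10">
</body></html>"""


if __name__ == "__main__":
    for label, page in (("normal", NORMAL_PAGE), ("suspect", SUSPECT_PAGE)):
        report = attribute_order_report(page)
        print(label, flag_suspicious(report))
        for key, stats in report.items():
            print("  ", key, stats)
```

The score is a heuristic, not a signature: some CMS and minifier pipelines also reorder attributes, so the output is best used to prioritise pages fetched by a suspicious process for manual review rather than to block on its own. Lowering `min_occurrences` makes the check more sensitive but also noisier on short pages.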
The backdoor supports several commands: it can upload, download and execute files, handle requests for lists of processes and directories, upgrade and uninstall itself, and change its configuration file.
The analysis also revealed another tool, a configuration manager that creates configuration and command files for the backdoors. The utility can configure more than 150 options.
Experts also discovered a P2P backdoor that has many similarities with the previous one: it uses the same command names and the same option names in its configuration files.
“However, there are significant differences, too. The new
The backdoor is able to sniff network traffic without keeping any socket in listening mode; it creates a listening socket only when someone attempts to connect.
According to the experts, the backdoor might have been active since at least 2012.
“We have discovered a new attack by this group and noted that the actors are still working on improving their malicious utility and using new techniques for making the APT stealthier,” concludes Kaspersky. “Finally, based on the custom cryptor used by the actors, we have been able to attribute this attack to the notorious PLATINUM group, which means this group is still active.”