Security experts at Kaspersky Lab have spotted a new backdoor, tracked as Titanium, that was used by the Platinum APT group in attacks in the wild, the malicious code implements sophisticated evasion techniques.
The APT group was discovered by Microsoft in 2016, it targeted organizations in South and Southeast. According to Microsoft, the Platinum has been active since at least 2009, it was responsible for spear phishing attacks on ISPs, government organizations, intelligence agencies, and defense institutes.
The hackers don’t appear to be financially motivated due to the nature of targeted entities and TTPs of the group.
In June 2018, experts at Kaspersky were investigating attacks against government and military entities in South and Southeast Asian countries,
The experts tracked the campaign as EasternRoppels, they speculate it may have started as far back as 2012. In June, the Platinum APT group was observed using
Platinum is considered one of the most advanced APT groups with a traditional focus on the APAC region. Its new Titanium backdoor attempt to hide at every stage by mimicking common software.
“During recent analysis we discovered Platinum using a new backdoor that we call Titanium (named after a password to one of the self-executable archives). Titanium is the final result of a sequence of dropping, downloading and installing stages.” reads the analysis
Most of the infections associated with the new backdoor were located in South and Southeast Asia.
Experts pointed out that the default attack chain leverage an exploit capable of executing code as a SYSTEM user, a
Kaspersky experts speculated that the Titanium backdoor is delivered through local intranet websites that have been compromised or using a
The backdoor deploys an SFX archive containing a Windows task installation script. A password-protected, encrypted archive is downloaded via BITS Downloader, it is used by the malicious code to install a Windows task to
According to Kaspersky, the attack chain also includes the use of an SFX archive which must be launched from the command line using a password to unpack it.
The backdoor’s paths all masquerade as a common software
“BITS Downloader – This component is used to download encrypted files from the C&C server then decrypt and launch them.” continues the analys
To initialize the connection to the C&C, the malicious code sends a base64-encoded request that includes a unique
The backdoor takes the UserAgent string from the configuration and uses a special cookie generation algorithm to prepare a request. In turn, the C&C sends back a PNG file that contains steganographically hidden data. This C2 encrypts data with the same key as the C&C requests. The data includes the commands for the backdoor and related arguments.
The malware can also get proxy settings from Internet Explorer.
The backdoor supports many commands, including:
“The Titanium APT has a very complicated infiltration scheme. It involves numerous steps and requires good coordination between all of them. In addition, none of the files in the file system can be detected as malicious due to the use of encryption and
“Regarding campaign activity, we have not detected any current activity related to the Titanium APT.
(SecurityAffairs – Platinum APT, malware)