A newly discovered backdoor associated with the advanced persistent threat (APT) actor Platinum has a long sequence of dropping, downloading and installing stages, Kaspersky reveals.
Active for at least a decade but only detailed in 2016, Platinum is a cyber-espionage group mainly focused on the Asia-Pacific region. The hackers are known for the targeting of government organizations, intelligence agencies, defense institutes and ISPs.
Recently, Kaspersky’s security researchers discovered Titanium, a new Platinum-related backdoor that uses a sophisticated multi-stage execution approach, where each step masquerades as common software, such as a sound driver, a security product, or DVD video creation software.
The attackers targeted victims in South and Southeast Asia, in line with previous campaigns associated with the group.
The default distribution includes an exploit to execute code as SYSTEM, a shellcode to download the next downloader, a dropper to fetch an SFX archive containing a Windows task installation script, a password-protected SFX archive with a Trojan-backdoor installer, an installer script (ps1), a COM object DLL (a loader), and the Trojan-backdoor itself.
Infection likely starts from local intranet websites with a piece of malicious code, but the hackers also use a shellcode, various wrappers, a Windows task installer (SFX archive), a Trojan-backdoor installer (SFX archive), and a BITS downloader to fetch files from the command and control (C&C) server.
During execution, the downloader checks whether it runs with SYSTEM privileges. It also fetches, decrypts, and launches the downloaded file, but only after verifying it.
The final payload in the infection process is a backdoor delivered as a DLL file. It first decrypts a binary containing configuration data, including the C&C address, the traffic encryption key, the UserAgent string, and other less important parameters.
To initialize the C&C connection, the payload sends a base64-encoded request with a unique SystemID, computer name, and hard disk serial number. To receive commands, the backdoor first sends empty requests to the C&C, to which the server responds with a PNG image containing hidden data — steganography is employed to hide information in the file.
Based on received commands, the backdoor can read any file from the system and send it to the C&C, drop or delete a file, drop a file and run it, run a command line and send execution results to the C&C, and update configuration parameters (except the AES encryption key).
The malware can also enter an interactive mode, where the attacker can receive input from console programs and send the output to the C&C.
Titanium’s complicated infiltration scheme, together with its use of encryption and fileless techniques and its mimicking of well-known software during the infection process, makes these attacks rather difficult to detect.
“Regarding campaign activity, we have not detected any current activity related to the Titanium APT,” Kaspersky concludes.