One of the most stealthy and high-tech APT groups in the world, Platinum, is back to infecting systems. After it was caught exploiting Microsoft vulnerabilities in 2016, Platinum had been keeping a low profile. Not any more: this time the group has returned with an even more clandestine backdoor, called Titanium.
The main target of this backdoor has been South and Southeast Asia, which is also the group's primary area of focus.
Titanium is a backdoor that is installed only after a series of download and installation stages, and it hides like a pro by disguising itself as legitimate, harmless software.
Why is it hard to detect?
- Intricate process with many steps
- Encrypted files
- Fileless malware
- Poses as security software, video-making software and other common software
How is it spreading?
Through local intranet sites that have been seeded with malicious code.
The infection chain is made up of several components: a shellcode, a Windows task installer, COM DLLs, a BITS downloader and a trojan backdoor installer.
Examples of spread
The shellcode, for example, is injected into a process such as winlogon.exe. It is written so that it needs no library dependencies, and it fetches an encrypted payload from the command and control server to launch later. Here is the command line:
rundll32 "$temp\IOZwXLeM023.tmp",GetVersionInfo -t 06xwsrdrub2i84n6map3li3vz3h9bh4vfgcw
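That command line is a useful detection opportunity for defenders: rundll32 is being pointed at a module with a .tmp extension sitting in a temporary directory, and asked to call an export by name. The following Python is an added example written for this article, not code from the original report or from any vendor tool. It parses rundll32 command lines out of process-creation events and flags the traits seen above. The event records and their paths are constructed samples; the expanded Temp path, the parent-process field and the list of "suspicious" directories are assumptions for illustration, not details taken from the article.

```python
import re
from pathlib import PureWindowsPath

# Matches "rundll32[.exe] <module>,<export>" with or without quotes around the module.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>#?[\w@]+)',
    re.IGNORECASE,
)

# Assumed list of user-writable locations; a module loaded by rundll32 from here deserves a look.
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed process-creation events (Sysmon Event ID 1 style, simplified).
# The first one mirrors the command line quoted in the article, with $temp expanded to a real path.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32 "C:\Users\alice\AppData\Local\Temp\IOZwXLeM023.tmp",GetVersionInfo -t 06xwsrdrub2i84n6map3li3vz3h9bh4vfgcw',
     "parent": r"C:\Windows\System32\winlogon.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt",
     "parent": r"C:\Windows\explorer.exe"},
]


def parse_rundll32(cmdline):
    """Return (module_path, export_name) from a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    return m.group("dll"), m.group("export")


def assess_rundll32_event(event):
    """Return a list of findings for one process-creation event; an empty list means nothing stood out."""
    if PureWindowsPath(event["image"]).name.lower() != "rundll32.exe":
        return []
    parsed = parse_rundll32(event["cmdline"])
    if parsed is None:
        return ["rundll32 launched without a recognisable module,export pair"]
    module, export = parsed
    path = PureWindowsPath(module)
    lowered = module.lower()
    findings = []
    # rundll32 will happily load a PE whatever its extension; a .tmp "DLL" is a classic tell.
    if path.suffix.lower() != ".dll":
        findings.append(f"module has non-DLL extension {path.suffix or '(none)'}: {path.name} (export {export})")
    # Modules loaded from user-writable locations (or an unexpanded $temp) rather than system directories.
    if lowered.startswith("$temp") or any(d in lowered for d in SUSPICIOUS_DIRS):
        findings.append(f"module loaded from a user-writable directory: {module}")
    # Heuristic (assumption): winlogon.exe is not a normal parent for rundll32.
    if PureWindowsPath(event["parent"]).name.lower() == "winlogon.exe":
        findings.append("parent process is winlogon.exe, which does not normally spawn rundll32")
    return findings


def scan(events):
    """Map event index -> findings for every event that produced at least one finding."""
    return {i: f for i, e in enumerate(events) if (f := assess_rundll32_event(e))}


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['cmdline']}")
        for f in findings:
            print("   -", f)
```

Only the first constructed event is flagged, on all three counts; the benign shell32.dll invocation and the notepad launch pass through untouched. In a real deployment the same three checks map naturally onto a SIEM rule over the process-creation feed.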
The trojan backdoor, for example, drops its malicious files into a fake DVD folder. BabyBoyStyleBackground.wmv, DvDupdate.dll, nav_downarrow.png and psinstrc.ps1 are all trojan backdoors, loaders or installation scripts.
Connecting back to Platinum
The C&C server sends commands to, and receives responses from, the infected system. To kick-start the connection, the downloaded payload sends a base64-encoded request containing some details about the target system, after which Titanium starts receiving encrypted commands that it decrypts and acts upon. The commands arrive in the form of PNG files carrying steganographic (concealed) data.
What can Titanium do?
The bad news is that once a system is infected with the backdoor, it is at risk of:
- Command line execution
- Files being read and transferred to the attacker
- Deletion of files
- Download and execution of a new file
- Updating of configuration parameters
- Interaction with a target console program
Up until now, no activity linked to Titanium has been detected, but who knows what the coming days hold. Keep an eye on our News section to stay updated on this issue.
You can receive everyday news straight to your inbox by subscribing to our online newspaper. Comment in the section below if you have something to add or say about this sophisticated, sneaky malware.
Stay tuned, stay safe.