Platinum returns with a highly secretive backdoor called Titanium
Platinum returns with a highly secretive backdoor called Titanium

One of the most stealthy and high-tech APT groups in the world, Platinum, is now back to infecting systems. After they were detected misusing Microsoft vulnerabilities in 2016, Platinum APT had been maintaining a low profile. But not anymore, this time they are back with a more clandestine backdoor malware, called Titanium.

The main target of this backdoor attack has been South and Southeast Asia which is also the group’s primary focus.

main target of backdoor attack
Source: Kaspersky

About Titanium

Titanium is a backdoor that is being installed after a series of download and installation stages and hides like a pro by deceiving as legible harmless software.

Why is it hard to detect?

  • Intricate process with many steps
  • Encrypted files
  • Fileless malware
  • Deceives as security software, video making software and other common software
Hiding in a fake DVD video folder
Hiding in a fake DVD video folder

How is it spreading?
Local intranet sites that contain bad code.
Vectors of infection include a shellcode, a Windows task installer, COM DLLs, BITS downloader and a Trojan Backdoor installer.

Examples of spread

The shellcode for example, is injected in a process like winlogon.exe. The code works independently of libraries and fetches an encrypted payload from the Command and Control server to launch it later. Here is the command line:
“rundll32 “$temp\IOZwXLeM023.tmp”,GetVersionInfo -t 06xwsrdrub2i84n6map3li3vz3h9bh4vfgcw”

The trojan backdoor, for example, drops the malicious files into a fake DVD folder. BabyBoyStyleBackground.wmv, DvDupdate.dll, nav_downarrow.png and psinstrc.ps1 are all trojan backdoors or loaders or installation scripts.

Connecting back to Platinum

The C&C server sends commands and receives responses from the infected system. To kick-start the connection, the downloaded payload sends a base64-encoded request with some details about the target system so that Titanium can start receiving encrypted commands that it can decrypt later to act upon them. The commands are in the form of PNG file that has steganographic (concealed) data.

Connecting back to Platinum
Steganographic PNG image examples

What can the Titanium do

The bad news is that once a system is infected with the backdoor, it is at risk of:

  • Command line execution
  • Files being read and transferred to attacker
  • Deletion of files
  • Download and execution of a new file
  • Upgrading configuration parameters
  • Interact with the target console program

Up until now, there has been no activity detected that is linked to Titanium but who knows what the coming days hold. Keep an eye out on our News section to stay updated about this issue.

You can receive everyday news straight to your inbox by subscribing to our online newspaper. Comment in the below section if you have something to add to or say about this sophisticated, sneaky malware.

Stay tuned, stay safe.


Leave a reply

Your email address will not be published. Required fields are marked *


©2021 Tech Brewery. All Rights Reserved.

Log in with your credentials


Forgot your details?

Create Account