Platinum Cyberspies Use Sophisticated Backdoor in Attacks

A newly discovered backdoor associated with the advanced persistent threat (APT) actor Platinum has a long sequence of dropping, downloading and installing stages, Kaspersky reveals.

Active for at least a decade but only publicly detailed in 2016, Platinum is a cyber-espionage group focused mainly on the Asia-Pacific region. The group is known for targeting government organizations, intelligence agencies, defense institutes and ISPs.

Recently, Kaspersky's security researchers discovered Titanium, a new Platinum-related backdoor that uses a sophisticated multi-stage execution approach in which each stage masquerades as common software, such as a sound driver, a security product, or DVD video creation software.

The attackers targeted victims in South and Southeast Asia, in line with previous campaigns associated with the group.

The default infection chain includes an exploit that executes code as SYSTEM, shellcode that downloads the next-stage downloader, a dropper that fetches an SFX archive containing a Windows task installation script, a password-protected SFX archive holding the Trojan-backdoor installer, a PowerShell installer script (.ps1), a COM object DLL that serves as a loader, and the Trojan-backdoor itself.

Infection likely starts from local intranet websites seeded with malicious code. Later stages rely on shellcode, various wrappers, a Windows task installer (SFX archive), a Trojan-backdoor installer (SFX archive), and a downloader that abuses the Windows Background Intelligent Transfer Service (BITS) to fetch files from the command and control (C&C) server.

During execution, the downloader checks whether it is running with SYSTEM privileges. It then fetches and decrypts the next stage and launches it, but only after verifying the downloaded file.

The final payload in the infection chain is a backdoor delivered as a DLL. On startup it decrypts a binary blob containing its configuration: the C&C address, the traffic encryption key, the User-Agent string, and other less important parameters.


To initialize the C&C connection, the payload sends a base64-encoded request containing a unique SystemID, the computer name, and the hard disk serial number. To receive commands, the backdoor sends empty requests to the C&C; the server responds with a PNG image in which the command data is hidden using steganography.
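The article does not say how Titanium embeds commands in the PNG, so the following is not a decoder for its scheme. It is an added example, not code from Kaspersky or from the malware, showing the structural triage an analyst would run first on a PNG pulled from a suspected C&C response: walk the chunk list, flag bytes appended after IEND, non-standard chunk types, CRC mismatches, and an IDAT stream that inflates to more bytes than the declared image dimensions need. The two sample images (a clean 1x1 greyscale PNG and one carrying data in three places) are constructed inline; the chunk name `stEg` and the embedded strings are invented for illustration.

```python
"""Triage a PNG for structural signs of smuggled data: bytes after IEND,
non-standard chunk types, CRC mismatches, and an IDAT stream that inflates
to more bytes than the declared image needs. Added example, not Titanium's
actual steganographic scheme (which the article does not describe)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined in the PNG specification; anything else deserves a look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}
# Samples per pixel for each PNG colour type (0 grey, 2 RGB, 3 palette, 4 grey+alpha, 6 RGBA).
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_chunks(png: bytes):
    """Walk the chunk list and return (chunks, trailing_bytes).

    Each chunk is (type, data, crc_ok). Parsing stops at IEND, so anything
    after it is returned as trailing data rather than parsed."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    chunks, pos = [], len(PNG_SIGNATURE)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError(f"truncated {ctype!r} chunk at offset {pos}")
        data = png[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", png[pos + 8 + length:end])[0]
        crc_ok = stored_crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)
        chunks.append((ctype, data, crc_ok))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, png[pos:]


def triage_png(png: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing odd."""
    chunks, trailing = parse_chunks(png)
    findings = []
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND")
    for ctype, data, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({len(data)} bytes)")
        if not crc_ok:
            findings.append(f"CRC mismatch on {name}")
    ihdr = next((d for t, d, _ in chunks if t == b"IHDR"), None)
    if ihdr is not None and len(ihdr) == 13:
        width, height, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", ihdr)
        if interlace == 0 and colour in CHANNELS:
            # Bytes per scanline: ceil(width * channels * depth / 8) plus one filter byte.
            row = -(-width * CHANNELS[colour] * depth // 8) + 1
            expected = row * height
            idat = b"".join(d for t, d, _ in chunks if t == b"IDAT")
            try:
                actual = len(zlib.decompress(idat))
            except zlib.error:
                findings.append("IDAT does not inflate")
            else:
                if actual > expected:
                    findings.append(f"IDAT inflates to {actual} bytes, image needs {expected}")
    return findings


def build_png(pixels: bytes, extra_chunks=(), tail=b"") -> bytes:
    """Constructed 1x1 8-bit greyscale PNG for the demo (not a real sample).

    `pixels` is the raw scanline data (filter byte + samples); `extra_chunks`
    are inserted before IEND; `tail` is appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    body = make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", zlib.compress(pixels))
    for t, d in extra_chunks:
        body += make_chunk(t, d)
    return PNG_SIGNATURE + body + make_chunk(b"IEND", b"") + tail


# Constructed samples: a clean image, and one carrying data in three places.
CLEAN_PNG = build_png(b"\x00\x00")
SUSPECT_PNG = build_png(
    b"\x00\x00" + b"cmd:upload;",                # excess bytes inside the IDAT stream
    extra_chunks=[(b"stEg", b"hidden config")],  # invented private chunk type
    tail=b"<encrypted task blob>",               # data appended after IEND
)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("suspect", SUSPECT_PNG)):
        print(name, triage_png(blob) or ["no findings"])
```

Note the limits of this check: pixel-level (LSB) steganography changes neither chunk layout nor stream size, so a PNG that passes cleanly can still carry data. These structural checks catch the cheap embedding methods and give an analyst the chunk map needed to go after the rest.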

Based on the received commands, the backdoor can read any file on the system and send it to the C&C, drop or delete a file, drop a file and run it, run a command line and return the output to the C&C, and update its configuration parameters (except the AES encryption key).

The malware can also enter an interactive mode in which the attacker can feed input to console programs and have their output sent to the C&C.

Titanium's complicated infiltration scheme, together with its use of encryption and fileless techniques and its mimicking of well-known software throughout the infection process, makes these attacks difficult to detect.

“Regarding campaign activity, we have not detected any current activity related to the Titanium APT,” Kaspersky concludes.

Related: Platinum Hackers Use Steganography to Mask C&C Communications

Related: “Platinum” Cyberspies Abuse Intel AMT to Evade Detection

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
