
Platinum Cyberspies Use Sophisticated Backdoor in Attacks

A newly discovered backdoor associated with the advanced persistent threat (APT) actor Platinum has a long sequence of dropping, downloading and installing stages, Kaspersky reveals.

Active for at least a decade but first publicly documented in 2016, Platinum is a cyber-espionage group focused mainly on the Asia-Pacific region. It is known for targeting government organizations, intelligence agencies, defense institutes and ISPs.

Kaspersky's researchers recently discovered Titanium, a new Platinum-related backdoor that uses a sophisticated multi-stage execution chain in which each stage masquerades as common software, such as a sound driver, security software or DVD authoring software.

The attackers targeted victims in South and Southeast Asia, in line with previous campaigns associated with the group.

In its default form, the infection chain comprises an exploit that executes code as SYSTEM; shellcode that downloads the next-stage downloader; a downloader that fetches an SFX archive containing a Windows task installation script; a password-protected SFX archive holding the Trojan-backdoor installer; an installer script (PowerShell, .ps1); a COM object DLL that acts as a loader; and the Trojan-backdoor itself.

Infection likely starts with malicious code served from local intranet websites. Along the way the attackers also rely on shellcode, various wrappers, a Windows task installer (SFX archive), a Trojan-backdoor installer (SFX archive), and a BITS downloader that fetches files from the command and control (C&C) server.

During execution, the downloader checks whether it is running with SYSTEM privileges. It then fetches the next-stage file, verifies it, and only after verification decrypts and launches it.

The final payload is the backdoor itself, delivered as a DLL. On start it decrypts a binary blob holding its configuration: the C&C address, the traffic encryption key, the User-Agent string, and other less important parameters.

To initialize the C&C connection, the payload sends a base64-encoded request containing a unique SystemID, the computer name and the hard disk serial number. To receive commands, the backdoor then sends empty requests to the C&C; the server responds with a PNG image in which the command data is hidden steganographically, so the traffic looks like an ordinary image download.
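The image-based command channel described above, as an added example that is not part of the original article or of Kaspersky's analysis: a minimal PNG writer and reader plus a least-significant-bit embedding scheme with a 4-byte length prefix, so a file that renders as a normal image carries an operator command. The LSB layout, the 16x16 cover image and the command strings are constructed here for illustration; the article does not say how Titanium encodes data in its images, and the AES layer that protects Titanium's traffic is left out (the Python standard library has no AES). The reader checks chunk CRCs and bounds the length field so a corrupted or hostile image fails instead of yielding garbage "commands".

```python
import struct
import zlib

# Constructed cover image: 16x16 RGB, 768 bytes, generated so the example runs offline.
WIDTH, HEIGHT = 16, 16
COVER = bytes((i * 37 + 11) % 256 for i in range(WIDTH * HEIGHT * 3))
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, tag, body, CRC32 over tag+body."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def encode_png(width: int, height: int, pixels: bytes) -> bytes:
    """Write an 8-bit RGB, non-interlaced PNG with filter type 0 on every scanline."""
    if len(pixels) != width * height * 3:
        raise ValueError("pixel buffer does not match dimensions")
    stride = width * 3
    raw = b"".join(b"\x00" + pixels[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def decode_png(data: bytes):
    """Parse the PNG subset written by encode_png; return (width, height, rgb_bytes)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, width, height, idat = 8, None, None, b""
    while pos + 12 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError("truncated chunk %r" % tag)
        if zlib.crc32(tag + body) & 0xFFFFFFFF != struct.unpack(">I", crc_bytes)[0]:
            raise ValueError("bad CRC on chunk %r" % tag)
        if tag == b"IHDR":
            width, height, depth, ctype, _, _, interlace = struct.unpack(">IIBBBBB", body)
            if (depth, ctype, interlace) != (8, 2, 0):
                raise ValueError("only 8-bit RGB non-interlaced PNGs are supported")
        elif tag == b"IDAT":
            idat += body
        elif tag == b"IEND":
            break
        pos += 12 + length
    if width is None or not idat:
        raise ValueError("missing IHDR or IDAT")
    raw, stride, pixels = zlib.decompress(idat), width * 3 + 1, bytearray()
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("only filter type 0 is supported")
        pixels += row[1:]
    return width, height, bytes(pixels)


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Hide payload in the low bit of each byte, MSB first, prefixed by a 4-byte length."""
    msg = struct.pack(">I", len(payload)) + payload
    if len(msg) * 8 > len(pixels):
        raise ValueError("cover too small: need %d bits, have %d" % (len(msg) * 8, len(pixels)))
    out = bytearray(pixels)
    for i, byte in enumerate(msg):
        for j in range(8):
            out[i * 8 + j] = (out[i * 8 + j] & 0xFE) | ((byte >> (7 - j)) & 1)
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Inverse of embed_lsb; rejects a length field that exceeds the cover's capacity."""
    def read_bytes(count: int, start_bit: int) -> bytes:
        out = bytearray()
        for k in range(count):
            value = 0
            for j in range(8):
                value = (value << 1) | (pixels[start_bit + k * 8 + j] & 1)
            out.append(value)
        return bytes(out)

    (length,) = struct.unpack(">I", read_bytes(4, 0))
    if length > (len(pixels) - 32) // 8:
        raise ValueError("length field %d exceeds cover capacity" % length)
    return read_bytes(length, 32)


def hide_command_in_png(command: bytes) -> bytes:
    """Server side of the channel: a PNG that displays normally but carries a command."""
    return encode_png(WIDTH, HEIGHT, embed_lsb(COVER, command))


def recover_command_from_png(png: bytes) -> bytes:
    """Client side: parse the image and pull the hidden command back out."""
    _, _, pixels = decode_png(png)
    return extract_lsb(pixels)


if __name__ == "__main__":
    png = hide_command_in_png(b"cmd:whoami")  # constructed command string
    print(len(png), "byte PNG carrying", recover_command_from_png(png))
```

Because only the low bit of each sample changes, the stego image is visually indistinguishable from the cover; a network sensor sees a well-formed PNG with valid CRCs. The detection opportunity is therefore behavioural rather than content-based: a process that repeatedly issues empty requests and receives small images in reply, with no browser involved, is the pattern worth alerting on.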

Based on the commands it receives, the backdoor can read any file on the system and send it to the C&C, drop or delete a file, drop a file and run it, run a command line and return the output to the C&C, and update its configuration parameters (all except the AES encryption key).

The malware can also enter an interactive mode, in which it relays attacker-supplied input to console programs and sends their output back to the C&C.

Titanium's convoluted infiltration chain, combined with encryption, fileless techniques and the mimicking of well-known software at every stage, makes these attacks difficult to detect.

“Regarding campaign activity, we have not detected any current activity related to the Titanium APT,” Kaspersky concludes.

Related: Platinum Hackers Use Steganography to Mask C&C Communications

Related: “Platinum” Cyberspies Abuse Intel AMT to Evade Detection

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
