
Platinum Cyberspies Use Sophisticated Backdoor in Attacks

A newly discovered backdoor associated with the advanced persistent threat (APT) actor Platinum has a long sequence of dropping, downloading and installing stages, Kaspersky reveals.

Active for at least a decade but only detailed in 2016, Platinum is a cyber-espionage group mainly focused on the Asia-Pacific region. The hackers are known for the targeting of government organizations, intelligence agencies, defense institutes and ISPs.

Recently, Kaspersky’s security researchers discovered Titanium, a new Platinum-related backdoor that uses a sophisticated multi-stage execution approach, where each step masquerades as common software, including sound driver, protection-related, or DVD video creation software.

The attackers targeted victims in South and Southeast Asia, in line with previous campaigns associated with the group.

The default distribution includes an exploit to execute code as SYSTEM, a shellcode to download the next downloader, a dropper to fetch an SFX archive containing a Windows task installation script, a password-protected SFX archive with a Trojan-backdoor installer, an installer script (ps1), a COM object DLL (a loader), and the Trojan-backdoor itself.

Infection likely starts from local intranet websites seeded with malicious code; the hackers also use a shellcode, various wrappers, a Windows task installer (SFX archive), a Trojan-backdoor installer (SFX archive), and a BITS downloader to fetch files from the command and control (C&C) server.

During execution, the downloader checks whether it runs with SYSTEM privileges. It also fetches, decrypts, and launches the downloaded file, but only after verifying it.

The final payload in the infection process is a backdoor delivered as a DLL file, which first decrypts a binary containing configuration data, including the C&C address, the traffic encryption key, the UserAgent string, and other less important parameters.

To initialize the C&C connection, the payload sends a base64-encoded request with a unique SystemID, computer name, and hard disk serial number. To receive commands, the backdoor first sends empty requests to the C&C, to which the server responds with a PNG image containing hidden data — steganography is employed to hide information in the file.
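The article says the server hides its replies inside PNG images but does not describe the embedding scheme. The following is an added example, not Kaspersky's code and not a decoder for Titanium's actual method; it is a generic defensive triage check a responder could run over PNG files recovered from a suspect host. It walks the PNG chunk structure and flags the cheap places data gets parked in an image that still renders normally: bytes appended after the IEND chunk, private or unknown chunk types, edited chunks whose CRC no longer matches, and oversized text chunks. All sample files, the chunk type `stEg` and the size threshold are constructed for the example.

```python
import struct
import zlib

# Added example: generic PNG structure triage for incident response. The heuristics
# and the sample files are constructed here; nothing below is Titanium-specific.

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_LIMIT = 4096  # assumed threshold for a "suspiciously large" text chunk

# Chunk types defined by the PNG spec and common extensions; anything else is flagged.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def parse_chunks(data: bytes):
    """Walk the chunk list; return (chunks, bytes that follow the IEND chunk)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):  # declared length runs past end of file
            chunks.append((ctype, data[pos + 8:], None))
            return chunks, b""
        body = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[end - 4:end])[0]
        chunks.append((ctype, body, stored_crc))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def triage_png(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    chunks, trailing = parse_chunks(data)
    if not chunks or chunks[-1][0] != b"IEND":
        findings.append("no IEND chunk (truncated or malformed)")
    if trailing:
        # Decoders stop at IEND, so anything after it is invisible to a viewer.
        findings.append(f"{len(trailing)} bytes appended after IEND")
    for ctype, body, stored_crc in chunks:
        name = ctype.decode("latin-1")
        if stored_crc is None:
            findings.append(f"chunk {name} declares more data than the file holds")
            continue
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != stored_crc:
            findings.append(f"CRC mismatch in {name} chunk")
        if ctype not in KNOWN_CHUNKS:
            # Decoders skip chunk types they do not recognise, so these are a free carrier.
            findings.append(f"non-standard chunk type {name} ({len(body)} bytes)")
        elif ctype in (b"tEXt", b"zTXt", b"iTXt") and len(body) > TEXT_LIMIT:
            findings.append(f"oversized {name} chunk ({len(body)} bytes)")
    return findings


def build_samples() -> dict:
    """Constructed inputs: a clean 1x1 RGB PNG plus three tampered variants."""
    ihdr = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = make_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))  # filter byte + 1 pixel
    iend = make_chunk(b"IEND", b"")
    clean = PNG_SIG + ihdr + idat + iend
    appended = clean + b"CONSTRUCTED-PAYLOAD"
    private = PNG_SIG + ihdr + idat + make_chunk(b"stEg", b"\x00" * 64) + iend
    text = make_chunk(b"tEXt", b"Comment\x00hello")
    bad_crc = PNG_SIG + ihdr + idat + text[:-4] + b"\x00\x00\x00\x00" + iend
    return {"clean": clean, "appended": appended, "private_chunk": private, "bad_crc": bad_crc}


if __name__ == "__main__":
    for label, png in build_samples().items():
        print(label, triage_png(png) or "clean")
```

A clean file yields no findings; the three tampered samples each trip exactly the heuristic they were built for. A hit is a reason to pull the file for deeper analysis, not proof of steganography: oversized metadata chunks in particular are common in legitimately edited images, so the threshold should be tuned against a baseline of normal traffic before it is used for alerting.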

Based on received commands, the backdoor can read any file from the system and send it to the C&C, drop or delete a file, drop a file and run it, run a command line and send execution results to the C&C, and update configuration parameters (except the AES encryption key).

The malware can also enter an interactive mode, where the attacker can receive input from console programs and send the output to the C&C.

Titanium’s complicated infiltration scheme, along with the use of encryption and fileless technologies, and the mimicking of well-known software during the infection process, make detection of these attacks rather difficult.

“Regarding campaign activity, we have not detected any current activity related to the Titanium APT,” Kaspersky concludes.

Related: Platinum Hackers Use Steganography to Mask C&C Communications

Related: “Platinum” Cyberspies Abuse Intel AMT to Evade Detection

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
