Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Platinum Hackers Use Steganography to Mask C&C Communications

Hackers Use Steganographic Technique to Hide Communications With Command and Control Servers 

Hackers Use Steganographic Technique to Hide Communications With Command and Control Servers 

Attacks recently attributed to the “Platinum” cyber espionage group have employed an elaborate, previously unseen steganographic technique, researchers from Kaspersky say. 

The attacks were observed in June 2018 targeting diplomatic, government and military entities in South and Southeast Asian countries, but the campaign may have started as far back as 2012. Featuring a multi-stage approach, the campaign was dubbed EasternRoppels

The attack started with WMI subscriptions to run an initial PowerShell downloader and fetch a small PowerShell backdoor for system fingerprinting and downloading additional code. 

Various WMI PowerShell scripts employed in the campaign used different command and control (C&C) IP addresses, encryption keys, salt for encryption and active hours. The C&C addresses, the researchers discovered, were located on free hosting services, and the attackers were also heavily reliant on Dropbox accounts for storing the payload and exfiltrated data.

While investigating another threat, the researchers discovered a backdoor they believe to be the second stage of the Platinum campaign. Implemented as a DLL and working as a WinSock NSP (Nameservice Provider) for persistence, the threat has the same characteristics as the PowerShell backdoor detailed above, but uses steganography to hide communications with the C&C. 

Further analysis revealed the use of the same domain to store exfiltrated data and common victims for both backdoors. The investigation into the encrypted files in the second stage also revealed a previously undiscovered backdoor related to the Platinum group. 

A dedicated dropper is used to install the steganography backdoor. The malware creates directories and saves backdoor-related files (the backdoor itself and its configuration file) in these. Next, it runs the backdoor, ensures persistence, and then removes itself. 

Once installed, the backdoor connects to C&C server and downloads an HTML page that contains embedded commands encrypted with an encryption key that is also embedded into the page. 

“The embedded data is encoded with two steganography techniques and placed inside the <–1234567890> tag,” Kaspersky explains. 

“The first steganography technique is based on the principle that HTML is indifferent to the order of tag attributes. […] The backdoor decodes line by line and collects an encryption key for the data, which is placed right after the HTML tags in an encoded state too, but using a second steganography technique,” the researchers continue. 

The backdoor supports commands for uploading, downloading and executing files, can handle requests for lists of processes and directories, upgrade and uninstall itself, and make changes to its configuration file. 

The security researchers also discovered an executable designed to create configuration and command files for the backdoors, which includes support for configuring more than 150 options.

The investigation also revealed the use of a P2P backdoor that shared many of the features with the previous one, including the same command names and identical names of options in the configuration files, which are also protected the same way, or the use of paths to the backdoor files similar to legitimate ones. 

Differences between the two malware families include the use of many new options from the config in the second backdoor, which also supports more commands, and can interact with other infected victims and connect them into a network. Furthermore, the malware works with the C&C server in a different way. 

The backdoor, which actively uses logging, might have been in use since at least 2012, a log found on one victim PC suggests. 

The malware can sniff network traffic without keeping any socket in listening mode, but only creating a listening socket when it knows that someone is trying to connect.

In addition to the commands supported in the steganography backdoor, the malware can leverage the Windows index service to search files for keywords provided by the attacker. Moreover, it can ensnare the infected systems into a P2P network, which allows the attackers to access victims that lack Internet access but are on the same network with those that are connected to the Web. 

“We have discovered a new attack by this group and noted that the actors are still working on improving their malicious utility and using new techniques for making the APT stealthier. […] based on the custom cryptor used by the actors, we have been able to attribute this attack to the notorious PLATINUM group, which means this group is still active,” Kaspersky concludes. 

Related: “Platinum” Cyberspies Abuse Intel AMT to Evade Detection

Related: “Platinum” Cyberspies Abuse Hotpatching in Asia Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...