Hackers Use Steganographic Technique to Hide Communications With Command and Control Servers
Kaspersky researchers observed the attacks in June 2018 targeting diplomatic, government and military entities in South and Southeast Asian countries, but the campaign may have started as far back as 2012. The multi-stage campaign was dubbed EasternRoppels.
The attack chain started with WMI event subscriptions that ran an initial PowerShell downloader, which in turn fetched a small PowerShell backdoor used to fingerprint the system and download additional code.
The various WMI PowerShell scripts used in the campaign each carried their own command and control (C&C) IP address, encryption key, encryption salt and set of active hours. The C&C addresses, the researchers discovered, were located on free hosting services, and the attackers also relied heavily on Dropbox accounts for storing payloads and exfiltrated data.
While investigating another threat, the researchers discovered a backdoor they believe to be the second stage of the PLATINUM group's campaign. It is implemented as a DLL registered as a WinSock namespace provider (NSP), which Windows loads into processes that perform Winsock name resolution and which therefore serves as the persistence mechanism. The backdoor has the same characteristics as the PowerShell backdoor described above, but uses steganography to hide its communications with the C&C.
Further analysis showed that both backdoors stored exfiltrated data on the same domain and shared victims. Examining the encrypted files of the second stage also turned up a previously unknown backdoor tied to the Platinum group.
A dedicated dropper installs the steganography backdoor: it creates the working directories, writes the backdoor and its configuration file into them, launches the backdoor, sets up persistence, and then deletes itself.
Once installed, the backdoor connects to the C&C server and downloads an HTML page. The page carries embedded, encrypted commands, and the key needed to decrypt them is hidden in the same page.
“The embedded data is encoded with two steganography techniques and placed inside the <–1234567890> tag,” Kaspersky explains.
“The first steganography technique is based on the principle that HTML is indifferent to the order of tag attributes. […] The backdoor decodes line by line and collects an encryption key for the data, which is placed right after the HTML tags in an encoded state too, but using a second steganography technique,” the researchers continue.
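The principle behind the first technique is easy to demonstrate: an HTML parser builds the same attribute dictionary for a tag regardless of the order the attributes were written in, so the order itself can carry data without any visible change to the page. The following Python example is an added illustration and not Kaspersky's or Platinum's code; the attribute set, the one-byte-per-tag mapping via permutation rank (Lehmer code) and the carrier markup are all assumptions of this example, since the report does not publish the actual encoding.

```python
"""Attribute-order steganography: hide bytes in the order of HTML tag attributes.

Added illustration of the principle described in the article, not the actual
Platinum scheme. The attribute set, the one-byte-per-tag mapping and the
carrier markup are this example's own assumptions.
"""
import math
from html.parser import HTMLParser

# Canonical attribute order. 8 attributes have 8! = 40320 orderings, which is
# more than enough to encode one byte (256 values) per tag.
ATTRS = ["class", "id", "lang", "dir", "title", "style", "tabindex", "hidden"]
# Harmless values so the carrier renders as an ordinary page.
VALUES = {"class": "row", "id": "c", "lang": "en", "dir": "ltr", "title": "",
          "style": "", "tabindex": "0", "hidden": ""}


def unrank(r, items):
    """Lehmer-code unranking: the permutation of `items` with lexicographic rank `r`."""
    pool = list(items)
    perm = []
    for remaining in range(len(pool), 0, -1):
        idx, r = divmod(r, math.factorial(remaining - 1))
        perm.append(pool.pop(idx))
    return perm


def rank(perm, items):
    """Inverse of unrank: lexicographic rank of `perm` relative to canonical `items`."""
    pool = list(items)
    r = 0
    for pos, name in enumerate(perm):
        idx = pool.index(name)
        r += idx * math.factorial(len(items) - 1 - pos)
        pool.pop(idx)
    return r


def embed(payload: bytes, cover_lines) -> str:
    """Hide each payload byte in the attribute order of one <div>, one tag per line.

    `cover_lines` supplies innocuous visible text so the page looks like content.
    """
    lines = []
    for i, b in enumerate(payload):
        order = unrank(b, ATTRS)  # b < 256 < 8!, so every byte gets a distinct permutation
        attrs = " ".join(f'{a}="{VALUES[a]}"' for a in order)
        lines.append(f"<div {attrs}>{cover_lines[i % len(cover_lines)]}</div>")
    return "\n".join(lines)


class _Extractor(HTMLParser):
    """Collect the attribute order of every tag carrying the full marker attribute set."""

    def __init__(self):
        super().__init__()
        self.data = bytearray()

    def handle_starttag(self, tag, attrs):
        names = [name for name, _ in attrs]  # html.parser keeps source order
        if sorted(names) == sorted(ATTRS):
            self.data.append(rank(names, ATTRS))


def extract(html: str) -> bytes:
    """Recover hidden bytes from carrier HTML; tags without the marker set are ignored."""
    p = _Extractor()
    p.feed(html)
    p.close()
    return bytes(p.data)


def rendered_attributes(html: str):
    """What a parser actually keeps: one dict per tag, independent of attribute order."""
    class _Collector(HTMLParser):
        def __init__(self):
            super().__init__()
            self.tags = []

        def handle_starttag(self, tag, attrs):
            self.tags.append((tag, dict(attrs)))
    c = _Collector()
    c.feed(html)
    return c.tags


if __name__ == "__main__":
    # Constructed sample: a fake command string hidden in a short "news" page.
    cover = ["Weather update", "Sports results", "Local news", "Opinion"]
    page = embed(b"ping;ls", cover)
    print(page)
    print(extract(page))  # b'ping;ls'
    # Different hidden bytes, identical parsed result: the order is invisible to a browser.
    print(rendered_attributes(embed(b"A", cover)) == rendered_attributes(embed(b"B", cover)))
```

The carrier survives anything that preserves the raw bytes of the page, but any intermediary that re-serializes the HTML (a proxy that rewrites markup, a CMS that normalizes attributes) destroys the channel, which is one reason a detector cannot rely on rendering the page; it has to look at the source text, or at the anomaly of many tags carrying the same unusual attribute set in varying orders.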
The backdoor supports commands for uploading, downloading and executing files, listing processes and directories, upgrading and uninstalling itself, and modifying its configuration file.
The researchers also found an executable used by the operators to generate configuration and command files for the backdoors; it supports more than 150 configuration options.
The investigation also uncovered a P2P backdoor that shares many features with the steganography backdoor: the same command names, identical option names in configuration files that are protected in the same way, and backdoor file paths chosen to resemble legitimate ones.
The P2P backdoor differs in that its configuration adds many new options, it supports more commands, it can interact with other infected hosts and link them into a network, and it communicates with the C&C server in a different way.
The backdoor logs extensively, and a log recovered from one victim's PC suggests it has been in use since at least 2012.
Rather than keeping a socket in listening mode, the malware sniffs network traffic and opens a listening socket only once it sees that a peer is trying to connect, so a port scan of an idle infected host does not reveal a waiting backdoor.
In addition to the commands of the steganography backdoor, the malware can use the Windows indexing service to search files for attacker-supplied keywords. It can also join infected systems into a P2P network, which lets the attackers reach victims without Internet access through hosts on the same local network that are connected.
“We have discovered a new attack by this group and noted that the actors are still working on improving their malicious utility and using new techniques for making the APT stealthier. […] based on the custom cryptor used by the actors, we have been able to attribute this attack to the notorious PLATINUM group, which means this group is still active,” Kaspersky concludes.