Pierluigi Paganini June 06, 2019

The Platinum cyber espionage group uses steganographic technique to hide communications with the Command and Control Servers  (C&C).

Experts from Kaspersky have linked the Platinum APT group with cyber attacks involving an elaborate, and new steganographic technique used to hide communications with C2 servers.

The APT group was discovered by Microsoft in 2016, it targeted organizations in South and Southeast. According to Microsoft, the Platinum has been active since at least 2009, it was responsible for spear phishing attacks on ISPs, government organizations, intelligence agencies, and defense institutes.

The hackers don’t appear to be financially motivated due to the nature of targeted entities and TTPs of the group.

In June 2018, experts at Kaspersky were investigating attacks against government and military entities in South and Southeast Asian countries,

The experts tracked the campaign as EasternRoppels, they speculate it may have started as far back as 2012.

“In June 2018, we came across an unusual set of samples spreading throughout South and Southeast Asian countries targeting diplomatic, government and military entities. The campaign, which may have started as far back as 2012, featured a multi-stage approach and was dubbed EasternRoppels.” reads the analysis published by the expert. “The actor behind this campaign, believed to be related to the notorious PLATINUM APT group, used an elaborate, previously unseen steganographic technique to conceal communication.”

The attack chain starts with WMI subscriptions to run an initial PowerShell downloader and fetch another small PowerShell backdoor for system fingerprinting and downloading additional code. 

The initial WMI PowerShell scripts observed in different attacks were using different hardcoded command and control (C&C) IP addresses, different encryption keys, salt for encryption and different active hours.

Threat actor located the C&C addresses on free hosting services, they used a large number of Dropbox accounts for storing the malicious code and store exfiltrated data.

Kaspersky spotted a backdoor while investigating another threat, further analysis allowed its experts to discover that it was a second stage malware used in one of the Platinum campaigns.

“We were able to find a backdoor that was implemented as a DLL and worked as a WinSock NSP (Nameservice Provider) to survive a reboot. The backdoor shares several features with the PowerShell backdoor described above: it has hardcoded active hours, it uses free domains as C&C addresses, etc.” continues Kaspersky.

The researchers discovered that in the two attacks, it was used the same domain to store exfiltrated data. The analysis of the encrypted files used in the second stage revealed a previously undiscovered backdoor associated with the Platinum group. 

Hackers used a dropper to install the steganography backdoor, the malicious code creates directories for the backdoor and saves backdoor-related files in these folders. Then the dropper runs the backdoor, implements a persistence mechanism, and then removes itself. 

Once the backdoor is installed on a target machine, it will connect to C&C server and downloads an HTML page that contains embedded commands that are encrypted with a key that is also embedded into the page.

“The page contains embedded commands that are encrypted with an encryption key, also embedded into the page. The embedded data is encoded with two steganography techniques and placed inside the <–1234567890> tag (see below). ” continues the analysis.

One of the steganography techniques used by the threat actors is based on the principle that HTML is indifferent to the order of tag attributes. The malicious code is able to decode line by line and collects an encryption key for the encoded data that are embedded in the page right after the HTML tags. Data are encoded with a second steganography technique.

The backdoor supports several commands, it could upload, download and execute files, handle requests for lists of processes and directories, upgrade and uninstall itself, and change the configuration file. 

The analysis also revealed another tool used as a configuration manager that allows creating configuration and command files for the backdoors. The utility is able to configure more than 150 options.

Experts also discovered a P2P backdoor that has many similarities with the previous one, it uses the same command names and the same names of options in the configuration files. 

“However, there are significant differences, too. The new backdoor actively uses many more of the options from the config, supports more commands, is capable of interacting with other infected victims and connecting them into a network (see the “Commands” section for details), and works with the C&C server in a different way. In addition, this backdoor actively uses logging: we found a log file dating back to 2012 on one victim PC.” continues the analysis.

The backdoor is able to sniff network traffic without keeping any socket in listening mode, it creates a listening socket every time someone attempts to connect.

According to the experts, the backdoor might have been active since at least 2012. 

“We have discovered a new attack by this group and noted that the actors are still working on improving their malicious utility and using new techniques for making the APT stealthier.” concludes Kaspersky. ” Finally, based on the custom cryptor used by the actors, we have been able to attribute this attack to the notorious PLATINUM group, which means this group is still active. “

Pierluigi Paganini

(SecurityAffairs – PLATINUM APT, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]