Pierluigi Paganini November 09, 2019

Kaspersky researchers have found a new advanced backdoor used by the Platinum advanced persistent threat (APT) group in attacks in the wild.

Security experts at Kaspersky Lab have spotted a new backdoor, tracked as Titanium, that was used by the Platinum APT group in attacks in the wild, the malicious code implements sophisticated evasion techniques.

The APT group was discovered by Microsoft in 2016, it targeted organizations in South and Southeast. According to Microsoft, the Platinum has been active since at least 2009, it was responsible for spear phishing attacks on ISPs, government organizations, intelligence agencies, and defense institutes.

The hackers don’t appear to be financially motivated due to the nature of targeted entities and TTPs of the group.

In June 2018, experts at Kaspersky were investigating attacks against government and military entities in South and Southeast Asian countries,

The experts tracked the campaign as EasternRoppels, they speculate it may have started as far back as 2012. In June, the Platinum APT group was observed using steganographic techniques to hide communications with the Command and Control Servers  (C&C).

Platinum is considered one of the most advanced APT groups with a traditional focus on the APAC region. Its new Titanium backdoor attempt to hide at every stage by mimicking common software.

“During recent analysis we discovered Platinum using a new backdoor that we call Titanium (named after a password to one of the self-executable archives). Titanium is the final result of a sequence of dropping, downloading and installing stages.” reads the analysis publisjed by Kaspersky. “The malware hides at every step by mimicking common software (protection related, sound software, DVD video creation tools).”

Most of the infections associated with the new backdoor were located in South and Southeast Asia.

Experts pointed out that the default attack chain leverage an exploit capable of executing code as a SYSTEM user, a shellcode to download the next.stage downloader, a downloader to download an SFX archive that contains a Windows task installation script, a password-protected SFX archive with a Trojan-backdoor installer, an installer script (ps1), a COM object DLL (a loader), and the Titanium backdoor itself as last-stage malware.

Each example found involved the use of an exploit for executing code as a system-level user and shellcode to download an additional downloader. Platinum targets winlogon.exe but Kaspersky does not know how the injection occurs. 

Kaspersky experts speculated that the Titanium backdoor is delivered through local intranet websites that have been compromised or using a shellcode that needs to be injected into a process. In this case former case, the shellcode is injected in the winlogon.exe, but the injection mechanism is still unclear.

The backdoor deploys an SFX archive containing a Windows task installation script. A password-protected, encrypted archive is downloaded via BITS Downloader, it is used by the malicious code to install a Windows task to allows the backdoor to gain persistence. 

According to Kaspersky, the attack chain also includes the use of an SFX archive which must be launched from the command line using a password to unpack it.

The backdoor’s paths all masquerade as a common software installer, including software for the DVD creation or audio drivers. 

“BITS Downloader – This component is used to download encrypted files from the C&C server then decrypt and launch them.” continues the analysis.

To initialize the connection to the C&C, the malicious code sends a base64-encoded request that includes a unique SystemID, computer name, and hard disk serial number. After that, the malware starts receiving commands.

The backdoor takes the UserAgent string from the configuration and uses a special cookie generation algorithm to prepare a request. In turn, the C&C sends back a PNG file that contains steganographically hidden data. This C2 encrypts data with the same key as the C&C requests. The data includes the commands for the backdoor and related arguments.

The malware can also get proxy settings from Internet Explorer.

The backdoor supports many commands, including:

• Read any file from a file system and send it to the C&C
• Drop or delete a file in the file system
• Drop a file and run it
• Run a command line and send execution results to the C&C
• Update configuration parameters (except the AES encryption key)
• Interactive mode – allows to the attacker to receive input from console programs and send their output at the C&C

“The Titanium APT has a very complicated infiltration scheme. It involves numerous steps and requires good coordination between all of them. In addition, none of the files in the file system can be detected as malicious due to the use of encryption and fileless technologies. One other feature that makes detection harder is the mimicking of well-known software.” concludes Kaspersky.

“Regarding campaign activity, we have not detected any current activity related to the Titanium APT.“

Pierluigi Paganini

(SecurityAffairs – Platinum APT, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]