The advanced persistent threat (APT) group tracked by security researchers as Platinum and TwoForOne has developed a new backdoor malware designed to infiltrate and take control of Windows systems. The new backdoor, dubbed Titanium (after the password to one of the self-executable archives), hides in plain sight by camouflaging itself as security solutions, sound drivers, or software commonly used to create DVDs, Kaspersky Lab revealed.
The malware was discovered during an investigation of recent Platinum attacks targeting organizations in South and Southeast Asia (Malaysia, Indonesia, and Vietnam). The hacking group, which has been active since at least 2009, is considered one of the most advanced APTs and mostly focuses on governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in the APAC region.
The Titanium malware is deployed by the Platinum team as the final payload in a long chain of infection that uses several clever tricks to stay hidden from antivirus solutions. Those methods include encryption, mimicking of common device drivers and software, memory-only infections, and a series of droppers that execute the malicious code.
During recent attacks the Platinum group employed multiple artifacts; in each case the following distribution sequence was used:
an exploit capable of executing code as a SYSTEM user
a shellcode to download the next downloader
a downloader to download an SFX archive that contains a Windows task installation script
a password-protected SFX archive with a Trojan-backdoor installer
an installer script (ps1)
a COM object DLL (a loader)
the Trojan-backdoor itself
The backdoor can download and run additional files, drop and delete any file in the file system, transfer files to the command and control server, run commands, and update configuration parameters (except the AES encryption key); it also allows attackers to feed input to console programs and send their output to the C&C.
To initialize the connection to the C&C, the malware sends a base64-encoded request with a unique SystemID, computer name, and hard disk serial number. After that, the malware starts receiving commands. The backdoor also uses an interesting C&C communication mechanism: it sends an empty request prepared using the User-Agent string from the configuration and a special cookie generation algorithm. In response, the malware receives PNG files with steganographically hidden commands and their arguments.
The researchers believe that the Platinum group enters the organization via an already compromised local intranet and from there begins lateral movement across the victim’s network.
“The Titanium APT has a very complicated infiltration scheme. It involves numerous steps and requires good coordination between all of them. In addition, none of the files in the file system can be detected as malicious due to the use of encryption and fileless technologies. One other feature that makes detection harder is the mimicking of well-known software,” Kaspersky researchers said.