Kaspersky Lab informs that the Platinum hack group, active in the Asia-Pacific region (APAC), is again showing activity and has a new tool: a backdoor called Titanium (the name comes from the password used to encrypt one of the SFX archives found during analysis).
Let me remind you that APT Platinum was discovered by Microsoft specialists in 2016. It was then reported that the group has been active since at least 2009 and attacks mainly organizations in the countries of South and Southeast Asia.
Titanium is the final stage of infection in a multi-level scheme for installing a trojan on an attacked system. All stages stay hidden on the victim's computer because each of them mimics popular software (antivirus products, utilities bundled with sound-driver distributions, DVD-video authoring programs).
As already mentioned, Titanium is a multi-stage sequence for introducing malware onto the victim's computer, where the end result of the attack is a trojan backdoor. In each case, the following set of malware is usually used to carry out an attack:
- an exploit that allows executing malicious code with SYSTEM privileges;
- shellcode that downloads the next component of the infection scheme onto the attacked system;
- a loader that downloads a password-protected SFX archive from the command server. The archive contains the files needed to add a task to the Windows Task Scheduler; the created task gives the malware persistence in the system;
- a password-protected SFX archive containing the backdoor installer;
- a PowerShell script that installs the backdoor on the system;
- a COM object DLL (the backdoor loader);
- the trojan backdoor itself (Titanium).
According to the researchers, Titanium uses local web resources to spread to victims' computers. Another known distribution method is shellcode injected into the memory of a process. In the campaign analysts examined, the system process winlogon.exe was used; however, it is not known how the shellcode reached the victims' computers.
To communicate with the command server, the malware uses steganography. When generating a request to the command server, it uses the UserAgent parameter from its configuration and a special algorithm for generating the cookie string. It can also use the system proxy settings from Internet Explorer.
In response to this request, the command server sends a PNG file containing data hidden by steganography. This data is encrypted with the same key that is used in requests to the command server. The decrypted steganographic data contains commands for the backdoor and their arguments.
As a result, the backdoor accepts many different commands; only the most interesting of them are listed here:
- reading any file on the victim's computer and sending it to the command server;
- dropping a file onto (or deleting a file from) the victim's computer;
- downloading and running a file;
- launching a command line and sending the results to the command server;
- updating configuration parameters (except for the traffic encryption key);
- interactive mode, which receives console input from the attacker and sends the results back to the server.
Thus, Titanium is a rather complex, multi-level scheme of components downloaded and installed on computers. This approach requires good coordination between each of the components. In addition, none of the components downloaded and installed on the file system can be identified as malicious on its own, because the Titanium authors encrypt every file written to disk and combine this with fileless code-execution techniques. Another key point is the use of directory and file names belonging to existing, popular software.