A newly discovered backdoor linked to Platinum, an advanced persistent threat (APT) group, uses a long sequence of infection stages, Kaspersky reveals.
Platinum is a cyberespionage group that has been active for at least a decade but was first publicly described in 2016. The group is known to target public agencies, intelligence agencies, security organizations and ISPs.
Kaspersky researchers recently discovered Titanium, a new Platinum-linked backdoor with an advanced multi-stage execution method that disguises each step as popular, legitimate software, including a sound driver, protection software or DVD creation tools.
In line with the group's previous campaigns, the attackers targeted victims in South and South-East Asia.
The typical delivery chain consists of code execution as SYSTEM, shellcode that retrieves the next-stage downloader, a dropper that fetches an SFX archive containing a Windows task installation script, an SFX archive containing a Trojan backdoor installer, and an installer script (ps1).
Infection probably starts with malicious code on local intranet pages, but the attackers also use shellcode, various wrappers, a Windows task installer, a Trojan-backdoor installer and a BITS downloader to retrieve files from command-and-control (C&C) servers.
During execution, the downloader checks whether it is running with SYSTEM privileges. The next-stage file is then fetched, decrypted and launched, but only after that check passes.
The final payload of the infection chain is a backdoor in DLL form that first decrypts a binary configuration blob containing the C&C address, the traffic encryption key, the UserAgent string and other, less relevant parameters.
To initialize the C&C connection, the payload sends a base64-encoded request containing a unique SystemID, the device name and the hard disk serial number. The backdoor then sends empty requests to the C&C to poll for commands; the server answers with a PNG image that carries hidden data, using steganography to conceal the command information inside the file.
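A PNG that carries hidden command data is one of the few network artifacts in this chain that a defender can inspect directly. The following is an added triage example written for this article, not code from Kaspersky or from the Titanium report: it parses the PNG chunk structure and flags the crude carrier variants (bytes appended after IEND, chunk types outside the PNG specification, bad chunk CRCs, oversized text chunks). The article does not state which embedding method Titanium uses, so this is a generic first-pass check; pixel-level LSB embedding would pass it and needs statistical analysis instead. The sample images are constructed inline by `build_png()`, and the `MAX_TEXT_CHUNK` threshold is an assumed triage value, not a PNG rule.

```python
import struct
import zlib

# PNG file signature and the chunk types defined by the PNG specification.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}
MAX_TEXT_CHUNK = 1024  # assumed triage threshold, not a PNG rule


def parse_png(data):
    """Walk the chunk list; return (chunks, trailing_bytes_after_IEND).

    Each chunk is (type, payload, crc_ok). Parsing stops at IEND because a
    compliant decoder ignores anything after it, which makes that region a
    convenient place to hide a payload.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    chunks = []
    trailing = b""
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        crc_ok = (len(crc_bytes) == 4 and
                  struct.unpack(">I", crc_bytes)[0] == zlib.crc32(ctype + payload))
        chunks.append((ctype, payload, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            trailing = data[pos:]
            break
    return chunks, trailing


def triage_png(data):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    chunks, trailing = parse_png(data)
    findings = []
    if trailing:
        findings.append("%d bytes appended after IEND" % len(trailing))
    if not chunks or chunks[-1][0] != b"IEND":
        findings.append("no IEND chunk (truncated or malformed file)")
    for ctype, payload, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append("bad CRC on %s chunk" % name)
        if ctype not in STANDARD_CHUNKS:
            findings.append("non-standard chunk %s (%d bytes)" % (name, len(payload)))
        elif ctype in (b"tEXt", b"zTXt", b"iTXt") and len(payload) > MAX_TEXT_CHUNK:
            findings.append("oversized %s chunk (%d bytes)" % (name, len(payload)))
    return findings


def build_png(width, height, extra_chunks=(), trailing=b""):
    """Construct a minimal black RGB PNG (sample input, not a real capture).

    extra_chunks and trailing let the caller plant the kind of anomalies
    triage_png() is meant to flag.
    """
    def chunk(ctype, payload):
        return (struct.pack(">I", len(payload)) + ctype + payload +
                struct.pack(">I", zlib.crc32(ctype + payload)))

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit RGB
    scanlines = b"".join(b"\x00" + b"\x00" * (3 * width) for _ in range(height))
    body = chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(scanlines))
    for ctype, payload in extra_chunks:
        body += chunk(ctype, payload)
    body += chunk(b"IEND", b"")
    return PNG_SIG + body + trailing


if __name__ == "__main__":
    clean = build_png(4, 4)
    carrier = build_png(4, 4,
                        extra_chunks=[(b"daTa", b"constructed hidden blob")],
                        trailing=b"\x00" * 64)
    print("clean:", triage_png(clean))
    print("carrier:", triage_png(carrier))
```

In practice `triage_png()` would be run over PNG bodies carved from proxy logs or packet captures for hosts that poll the same external address with empty requests; a clean structural result does not clear the image, it only rules out the simplest carriers.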
The backdoor can read any file from the file system and send it to the C&C, write or delete a file, drop a file and execute it, run a command line and send the execution results to the C&C, and update configuration parameters (with the exception of the AES encryption key).
The malware can also enter an interactive mode in which the attacker receives the output of console programs and relays it to the C&C.
Titanium's complex infection scheme, together with its use of encryption and fileless techniques and its mimicry of well-known software during infection, makes such attacks quite difficult to detect.
“We have not observed any current activities linked to Titanium APT as far as project activity is concerned,” concludes Kaspersky.