Platinum criminal group releases a sophisticated Titanium backdoor


Cybercriminal gang Platinum developed a new backdoor dubbed Titanium for campaigns in South and Southeast Asia

Titanium backdoor

According to cybersecurity researchers at Kaspersky, a new malware campaign targeting South and Southeast Asia is under way.[1] Developed by the advanced persistent threat (APT) group Platinum, the Titanium backdoor propagates stealthily by mimicking the step-by-step installation of standard software on the system, such as anti-malware products, drivers, video-creation tools, and others.

Titanium, named after one of the self-executable archives used in the chain, is a backdoor delivered as the final payload of a multi-stage infection process, one stage of which uses steganographically[2] hidden data. The sophisticated infection process also helps the malware evade detection, even by the most advanced cybersecurity solutions.

The new Platinum backdoor is targeting victims in Malaysia, Indonesia, and Vietnam, in South and Southeast Asia.

Platinum – a high profile group that targets various sectors in the APAC region

The Platinum cyberthreat group is well known in the cybercriminal world; its activities date back to 2009, although Microsoft researchers claim it might have been active for several years prior.[3]

The malicious actors are known to aim at high-profile targets in the military, government, and political sectors in the Asia-Pacific (APAC) region. Nevertheless, in some cases the group changes its activity based on other factors, as Microsoft claims in a detailed article published in 2016:[4]

A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world.

In recent years, the threat actor group has been known to use sophisticated infiltration techniques for its malware, such as steganography, fileless infection, zero-day exploits, and spear-phishing attacks.[5]

Complicated infection techniques warrant multi-purpose functionality of Titanium Trojan

While Kaspersky researchers do not know what the main vector of initial infection is, they believe it starts on websites with embedded obfuscated code.

The first infection stage begins with an exploit that gains the privileges of the system user on the host machine. This in turn allows the malware to connect to a hardcoded Command and Control server, which automatically serves the next payload.

The next stage is a downloader: a self-extracting DLL file that fetches executable code from a URL. This file is also packaged as an SFX archive protected by the password “Titanium”, which is why Kaspersky gave the Trojan backdoor its name. The downloader's main goal is to install a new task that maintains persistence on the host system. The Titanium backdoor is then downloaded as the final payload.

Once the malware is established, it also sends out a base64-encoded request containing information that helps identify the infected system, such as the System ID, computer name, and hard disk serial number. For communication between the host machine and the Command and Control server, Titanium sends an empty request and receives a PNG image with embedded steganographic code, which is also encrypted.
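As an added illustration of the defensive side of the exchange described above (this is example code written for this page, not code from the article or from Kaspersky's report), the following PNG structure checker is the kind of triage filter a proxy or sandbox could run over image responses from unfamiliar hosts. It assumes nothing about how Titanium actually hides its data: it only flags chunk-level anomalies (bytes appended after IEND, uncommon chunk types, CRC mismatches), so data embedded in the pixel values themselves would pass. The sample images are constructed inline by the helper so the script runs offline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types a plain image normally carries; anything else is worth a second look.
COMMON_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"tRNS",
                 b"gAMA", b"pHYs", b"sRGB", b"iCCP", b"bKGD", b"tIME"}


def build_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int = 1, height: int = 1, extra_chunks=(), trailer: bytes = b"") -> bytes:
    """Build a minimal valid 8-bit RGB PNG (constructed sample data).

    extra_chunks are inserted before IEND; trailer is appended after IEND,
    which is how some samples carry a payload without breaking image viewers.
    """
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # One filter byte (0 = None) followed by width * 3 colour bytes per row.
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    png = PNG_SIGNATURE + build_chunk(b"IHDR", ihdr) + build_chunk(b"IDAT", zlib.compress(raw))
    for ctype, data in extra_chunks:
        png += build_chunk(ctype, data)
    return png + build_chunk(b"IEND", b"") + trailer


def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list and report structural anomalies for triage."""
    findings = []
    if not blob.startswith(PNG_SIGNATURE):
        return {"suspicious": True, "chunks": [], "findings": ["missing PNG signature"],
                "trailing_bytes": 0}
    pos = len(PNG_SIGNATURE)
    chunks = []
    saw_iend = False
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_bytes = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_bytes) < 4:
            findings.append(f"truncated chunk {ctype!r}")
            break
        expected_crc = struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)
        if crc_bytes != expected_crc:
            findings.append(f"bad CRC on {ctype!r}")
        if ctype not in COMMON_CHUNKS:
            findings.append(f"uncommon chunk {ctype!r} ({length} bytes)")
        chunks.append((ctype, length))
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break
    trailing = 0
    if not saw_iend:
        findings.append("no IEND chunk")
    else:
        trailing = len(blob) - pos
        if trailing > 0:
            findings.append(f"{trailing} bytes after IEND")
    return {"suspicious": bool(findings), "chunks": chunks,
            "findings": findings, "trailing_bytes": trailing}


if __name__ == "__main__":
    for label, sample in [
        ("clean", make_png()),
        ("trailer", make_png(trailer=b"\x00" * 40)),
        ("odd chunk", make_png(extra_chunks=[(b"zzZz", b"A" * 100)])),
    ]:
        print(label, inspect_png(sample))
```

Run on its own it prints one report per constructed sample; in a pipeline you would feed `inspect_png` the body of any `image/png` response and escalate on `suspicious`, keeping in mind that a clean structural report does not clear the image.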

In its final stage, Titanium can perform many different actions, such as dropping and running a file, deleting a file, reading a file and sending it to the Command and Control server, executing code, updating configuration settings, and much more. Kaspersky said that detecting such an infection chain can be exceptionally hard for AV solutions:

The Titanium APT has a very complicated infiltration scheme. It involves numerous steps and requires good coordination between all of them. In addition, none of the files in the file system can be detected as malicious due to the use of encryption and fileless technologies. One other feature that makes detection harder is the mimicking of well-known software.