Platinum APT’s new Titanium backdoor mimics popular PC software to stay hidden


The Platinum advanced persistent threat (APT) cyberattack group has developed a new backdoor with interesting concealment techniques. 

Platinum has been tracked since 2012 and generally targets government, military, and political targets across the APAC region. 

In recent years, the group has been linked to novel attack techniques, such as abuse of the now-deprecated Windows hotpatching feature, fileless code deployment, and text-based steganography to hide PowerShell and exploit code inside otherwise innocuous text. 


A past backdoor connected to Platinum uses text steganography to hide command-and-control (C2) communication. Now, the APT appears to have added a new backdoor, dubbed Titanium, to its arsenal. 

Named after a password to one of its archives, Titanium “hides at every step by mimicking common software” including protection-related, sound driver software, and video creation tools, according to Kaspersky researchers. 

In attack chains tracked by the team, Platinum will deploy Titanium as the last stage of infection. 


Every infection Kaspersky examined began with an exploit that executes code as a SYSTEM-level user, followed by shellcode whose job is to fetch a further downloader. The shellcode is injected into winlogon.exe, but Kaspersky does not know how that injection is performed. 

Next, a password-protected, encrypted SFX archive containing a Windows task installation script is fetched by a BITS downloader stage (BITS is the Windows Background Intelligent Transfer Service, a legitimate transfer mechanism that blends in with normal traffic). The archive's main purpose is to install a scheduled Windows task that maintains persistence. 

The chain then launches a further archive containing an installer, a COM object DLL, and the Titanium backdoor itself. Titanium's file paths all masquerade as those of common software installers, such as DVD creation software or an audio driver, and once executed the backdoor attempts to connect to its C2. 

To establish a connection with its C2, Titanium will send a base64-encoded request containing a system ID, computer name, and the hard disk’s serial number. 


When the malware polls the C2 for commands, the reply is a PNG file with the command data hidden steganographically inside it. Supported commands include reading system files, deleting content, dropping and executing files, running command-line queries and sending the results to the C2, and updating the backdoor's configuration. 
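The article does not say how Titanium embeds its commands in the PNG, so a defender triaging suspicious image downloads has to start from the format itself. The following is an added example, not code from the original article or from Kaspersky: it walks the PNG chunk structure, verifies each chunk's CRC, flags chunk types that are not part of the standard (a common place to stash data), and reports any bytes trailing the IEND chunk (the simplest and most common embedding trick). The sample images are constructed inline; the `stEg` chunk name and the "command" trailer are hypothetical, chosen only to exercise the checks, and are not Titanium artefacts.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification (critical + common ancillary).
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"tIME",
    b"pHYs", b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"tRNS", b"sBIT",
    b"hIST", b"sPLT",
}


def parse_chunks(data):
    """Walk the chunk list. Returns ([(type, length, crc_ok, offset)], end_offset).

    end_offset is the byte position just past IEND, or None if IEND never appears.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    chunks = []
    end = None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_stored = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_stored) != 4:
            chunks.append((ctype, length, False, pos))  # truncated chunk
            break
        # CRC covers the type field and the body, not the length.
        crc_ok = struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc_stored
        chunks.append((ctype, length, crc_ok, pos))
        pos += 12 + length
        if ctype == b"IEND":
            end = pos
            break
    return chunks, end


def triage_png(data):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    chunks, end = parse_chunks(data)
    findings = []
    for ctype, length, crc_ok, off in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(f"chunk {name} at offset {off}: bad CRC or truncated")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"chunk {name} at offset {off}: non-standard type, {length} bytes")
    if end is None:
        findings.append("no IEND chunk (truncated or malformed)")
    elif end < len(data):
        findings.append(f"{len(data) - end} trailing bytes after IEND")
    return findings


def trailing_payload(data):
    """Bytes appended after IEND; a viewer ignores them, a backdoor can read them."""
    _, end = parse_chunks(data)
    return data[end:] if end is not None else b""


def build_png(extra_chunks=(), trailer=b""):
    """Construct a minimal valid 1x1 RGB PNG (constructed sample, not a real artefact)."""
    def chunk(ctype, body):
        crc = struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
        return struct.pack(">I", len(body)) + ctype + body + crc

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\x00\x00\x00")           # filter byte + one black pixel
    parts = [PNG_SIG, chunk(b"IHDR", ihdr), chunk(b"IDAT", idat)]
    for ctype, body in extra_chunks:
        parts.append(chunk(ctype, body))
    parts.append(chunk(b"IEND", b""))
    return b"".join(parts) + trailer


if __name__ == "__main__":
    # Hypothetical "command" smuggled after IEND; any viewer renders the image normally.
    sample = build_png(trailer=b"run cmd.exe /c whoami")
    for finding in triage_png(sample):
        print(finding)
    print(trailing_payload(sample))
```

The checks are deliberately format-level: they will not catch a payload hidden in pixel least-significant bits or encrypted inside a legitimate-looking tEXt chunk, so treat an empty finding list as "nothing cheap found", not as a clean bill of health. Pairing this with the beaconing behaviour described above (a base64 request carrying a host identifier, then an image download from the same server) is a stronger signal than either check alone.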

Kaspersky is unaware of any active campaigns, at present.

“The Titanium APT has a very complicated infiltration scheme. It involves numerous steps and requires good coordination between all of them. In addition, none of the files in the file system can be detected as malicious due to the use of encryption and fileless technologies,” the researchers say. “One other feature that makes detection harder is the mimicking of well-known software.”
