Delaware, USA – November 8, 2019 – Active for ten years, the stealthy Platinum APT group has launched a new campaign targeting government organizations in South and Southeast Asia. The group skillfully disguises the malware installation process by abusing legitimate tools and hiding malicious files in password-protected archives. The campaign was revealed by Kaspersky Lab, which noted that Platinum uses a complicated infiltration scheme involving multiple steps that must be well coordinated with one another. Researchers believe the attackers infiltrate an organization through a compromised local intranet website and from there begin lateral movement across the organization's network. They inject shellcode into legitimate Windows processes to download and unpack password-protected SFX archives. A BITS downloader is also used for this purpose; its primary role is to install the Windows scheduled task that establishes persistence on the compromised system. The Titanium backdoor is stored in an SFX archive that requires a password during unpacking and is launched from the command line. The backdoor can download and run additional files, upload files to the command-and-control server, run commands, and let attackers receive the output of console programs.
The C&C communication mechanism is also interesting: the backdoor sends an empty request built from a User-Agent string taken from its configuration and a custom cookie-generation algorithm. In response, the malware receives PNG files with steganographically hidden commands and their arguments. In this campaign the Platinum group does not use files that antivirus solutions can mark as malicious. You can learn the techniques used by the group and find the rules for their detection in the MITRE ATT&CK section of Threat Detection Marketplace: https://tdm.socprime.com/att-ck/