APT threat group Platinum has a shiny new plaything: A custom trojan backdoor dubbed Titanium.
The backdoor’s name, aside from keeping with the silvery-metal theme, comes from the password to one of the self-extracting archives found in the code. According to Kaspersky researchers who analyzed the malware, it can, among other things: read any file from the file system and exfiltrate the data; drop or delete a file in the file system; drop a file and run it; run a command line and upload the execution results; and update configuration parameters (except the AES encryption key). It also features an interactive mode that allows the attacker to receive input from console programs.
Titanium was spotted as the final payload in a campaign that also included dropper placement, additional downloading and installing stages in its infection vector, the researchers said. Interestingly, the malware hides along the way during each of these steps by mimicking file names for common software, including security packages, sound drivers and DVD video-creation tools.
Platinum is one of the most technologically advanced APT actors out there, with a traditional focus on the APAC region, the researchers said, and this campaign bore that out: Victims were located in South and Southeast Asia.
A Multi-Stage Affair
The complex sequence of stages in all of the observed attacks so far starts with an exploit capable of gaining code-execution as a SYSTEM user, after which the adversaries install a shellcode to connect to a hardcoded command-and-control (C2) address to download the next downloader, researchers said.
According to the analysis, released on Friday, that second downloader in turn fetches an SFX (self-extracting) archive that contains a Windows task installation script, in the form of cURL executable code, compiled into a DLL. Its purpose is to install a Windows task to establish persistence in the infected system.
The downloader also fetches a password-protected SFX archive (password: Titanium) that must be launched from the command line; an installer script; and a BITS downloader, used to download encrypted files from the C2 server then decrypt and launch them.
And finally, it downloads the Titanium backdoor itself.
The whole, multi-stage code is obfuscated with different Windows API calls and loops in an attempt to bypass antivirus emulation engines, Kaspersky noted.
Once Titanium was installed in the observed campaign, Kaspersky researchers said it appeared that the group compromised local intranet websites with malicious code to start spreading, or injected shellcode into the “winlogon.exe” process.
Digging into Titanium
To initialize the connection to the C2, Titanium sends a base64-encoded request that contains the unique SystemID, computer name and hard disk serial number of the infected machine. After that, the malware is ready to swing into action.
“To receive commands, the backdoor sends an empty request to the C2,” according to the analysis. “It uses the UserAgent string from the configuration stage and a special cookie generation algorithm to prepare a request. The malware can also get proxy settings from Internet Explorer.”
In response to this request, the C2 answers back with a .PNG image file that contains steganographically hidden data, encrypted with the same key as the C2 requests. The decrypted data contains the backdoor commands, ordering it to carry out its many functions.
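The page does not describe how Titanium encodes its commands inside the image, so the specific steganographic layout is unknown. What a defender can still do with a C2 response that claims to be a .PNG is check whether it is structurally an ordinary image. The following is an added example written for this article, not Kaspersky’s tooling or anything recovered from the malware: a small PNG chunk walker that a proxy or sandbox triage step could run over response bodies, flagging bytes appended after the IEND chunk, non-standard (private) chunk types, oversized text chunks and chunks whose CRC does not match. The `make_png` helper only builds constructed test images so the block runs offline; the chunk names and size threshold are ordinary PNG conventions, and the heuristics are assumptions about what an abused image might look like, not a description of Titanium’s format.

```python
import struct
import zlib
from typing import List

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is flagged.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int = 1, height: int = 1, extra_chunks=(), trailer: bytes = b"") -> bytes:
    """Constructed test image: a tiny 8-bit RGB PNG, optionally with extra
    chunks inserted before IEND and arbitrary bytes appended after it."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # One scanline per row: filter byte 0 followed by black RGB pixels.
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    out = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw))
    for ctype, data in extra_chunks:
        out += _chunk(ctype, data)
    return out + _chunk(b"IEND", b"") + trailer


def scan_png(blob: bytes, max_text_chunk: int = 512) -> List[str]:
    """Walk the chunk list and return anomaly descriptions (empty = looks like a plain image)."""
    findings: List[str] = []
    if not blob.startswith(PNG_SIGNATURE):
        return ["not a PNG: bad signature"]
    pos = len(PNG_SIGNATURE)
    saw_iend = False
    while pos + 12 <= len(blob):
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        if len(data) != length:
            findings.append(f"truncated chunk {ctype!r}")
            return findings
        crc_stored = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])[0]
        if (zlib.crc32(ctype + data) & 0xFFFFFFFF) != crc_stored:
            findings.append(f"bad CRC on chunk {ctype!r}")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} ({length} bytes)")
        elif ctype in (b"tEXt", b"zTXt", b"iTXt") and length > max_text_chunk:
            findings.append(f"oversized {ctype.decode()} chunk ({length} bytes)")
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break
    if not saw_iend:
        findings.append("no IEND chunk")
    elif pos < len(blob):
        findings.append(f"{len(blob) - pos} bytes appended after IEND")
    return findings


if __name__ == "__main__":
    # Constructed samples: a clean image, one with a payload after IEND, one with a private chunk.
    for label, img in [
        ("clean", make_png()),
        ("trailer", make_png(trailer=b"\x00" * 64)),
        ("private", make_png(extra_chunks=[(b"prVt", b"A" * 32)])),
    ]:
        print(label, scan_png(img) or "no anomalies")
```

A clean response produces an empty list; anything else is a reason to pull the body into deeper analysis (the image may still be a legitimate file with metadata, so treat hits as triage signals rather than verdicts). A PNG that hides data purely in pixel values, which the analysis describes as possible, will pass these structural checks, so this complements rather than replaces inspection of the request pattern itself.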
“The Titanium [campaign] has a very complicated infiltration scheme,” Kaspersky researchers said. “It involves numerous steps and requires good coordination between all of them. In addition, none of the files in the file system can be detected as malicious, due to the use of encryption and fileless technologies. One other feature that makes detection harder is the mimicking of well-known software.”