Platinum, a stealthy APT group that has been active against targets in the Asia-Pacific region, has been found operating a new backdoor. Kaspersky researchers, who described it on Securelist, named it Titanium: a multi-stage chain that downloads the malware, hides it on the compromised system and gives the attackers access to the victim's device.
The Platinum group first drew attention in 2016, when Microsoft reported it abusing Windows hotpatching to inject code, and later when it was found using the Serial over LAN (SOL) channel of Intel AMT to carry its command-and-control traffic.
Whatโs an APT?
An advanced persistent threat (APT) is a group or individual that gains unauthorized access to a network or system and stays there, undetected, for an extended period. The intruder's objective is usually not to crash systems or lock them for ransom, but to steal sensitive information that benefits the attacker. Such operations are run by businesses and even governments to monitor rivals' plans.
Modus Operandi
As detailed by Securelist, Titanium uses a multi-stage chain to sneak in and deliver its payload. The stages are:
- an exploit capable of executing code as a SYSTEM user
- a shellcode to download the next downloader
- a downloader to download an SFX archive that contains a Windows task installation script
- a password-protected SFX archive with a Trojan-backdoor installer
- an installer script (ps1)
- a COM object DLL (a loader)
- the Trojan-backdoor itself
Throughout, the chain relies on legitimate Windows components: the Windows Background Intelligent Transfer Service (BITS) is used to fetch the next stage, and ordinary Windows API calls are used to talk to the attackers' servers, so the activity blends in with normal system behaviour.
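As an added illustration (not code from the article or from Securelist), the following Python shows how a defender might hunt for the stages above in Windows telemetry: a BITS transfer from a host outside an allowlist, a PowerShell installer script launched from a user-writable directory, and a scheduled task being created, correlated per host within a time window so that a single benign event does not alert on its own. The event records, hostnames, paths and task names are constructed for the example; the allowlist, the directory list and the 15-minute window are assumptions; and the field layout is a simplified version of the Microsoft-Windows-Bits-Client/Operational event 59 (transfer started) and Sysmon event 1 (process creation) records.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumption for the example: hosts this organisation expects BITS to fetch from.
ALLOWED_BITS_HOSTS = {"download.windowsupdate.com", "dl.delivery.mp.microsoft.com"}

# Assumption: directories an installer script is not expected to run from
# (compared against lower-cased paths).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\programdata\\", "\\users\\public\\")

# Assumption: how close together stages must be to count as one chain.
CORRELATION_WINDOW = timedelta(minutes=15)

# Matches a drive-letter path ending in .ps1 inside a lower-cased command line.
PS1_PATH = re.compile(r'([a-z]:\\[^\s"]+\.ps1)')

# Constructed sample records, not real telemetry. Fields are a reduced form of
# BITS-Client event 59 and Sysmon event 1; names and paths are made up.
SAMPLE_EVENTS = [
    {"time": "2019-11-08T09:00:05", "host": "WS-17", "source": "Bits-Client", "id": 59,
     "url": "http://download.windowsupdate.com/c/msdownload/update/software/x.cab"},
    {"time": "2019-11-08T09:02:11", "host": "WS-17", "source": "Bits-Client", "id": 59,
     "url": "http://updates.example-cdn.invalid/drivers/sound.exe"},
    {"time": "2019-11-08T09:03:42", "host": "WS-17", "source": "Sysmon", "id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\SoundDriver\install.ps1"},
    {"time": "2019-11-08T09:03:50", "host": "WS-17", "source": "Sysmon", "id": 1,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "SoundDriverUpdate" /tr "C:\ProgramData\SoundDriver\svc.exe" /sc onlogon'},
    # A lone task creation on another host: one stage alone should not alert.
    {"time": "2019-11-08T10:15:00", "host": "WS-22", "source": "Sysmon", "id": 1,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Backup" /tr "C:\Program Files\Backup\run.exe" /sc daily'},
]


def classify(event):
    """Map one event to a chain stage name, or None if it trips no check."""
    if event["source"] == "Bits-Client" and event["id"] == 59:
        host = (urlparse(event["url"]).hostname or "").lower()
        return None if host in ALLOWED_BITS_HOSTS else "bits_download_unexpected_host"
    if event["source"] == "Sysmon" and event["id"] == 1:
        image = event["image"].lower()
        cmd = event["cmdline"].lower()
        if image.endswith("powershell.exe"):
            m = PS1_PATH.search(cmd)
            if m and any(d in m.group(1) for d in SUSPICIOUS_DIRS):
                return "ps1_installer_from_writable_dir"
        if image.endswith("schtasks.exe") and "/create" in cmd:
            return "scheduled_task_created"
    return None


def correlate(events, window=CORRELATION_WINDOW, min_stages=2):
    """Return {host: [stages]} for hosts where at least min_stages distinct
    stages fire within `window` of some earlier hit on the same host."""
    hits = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = classify(ev)
        if stage is not None:
            hits.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["time"]), stage))
    alerts = {}
    for host, seq in hits.items():
        for i, (t0, _) in enumerate(seq):
            stages = {s for t, s in seq[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

The per-host correlation is the point: each individual check (a BITS job, a PowerShell script, a `schtasks /create`) is noisy on its own, but two or more of them on one machine within minutes reflects exactly the sequential download-drop-install pattern the chain above describes. In practice the allowlist would come from the organisation's update infrastructure and the events from a SIEM rather than an inline list.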
In short, Titanium's purpose is to download, drop and install its payload stage by stage, giving the group unauthorized access to the system and the ability to act on it.
Most notably, the backdoor stays hidden at every one of the steps above: each stage masquerades as legitimate software such as sound drivers, DVD-authoring tools or security software. That consistent disguise is what distinguishes it from previous APT campaigns.