Platinum APT, a stealthy group that has been targeting systems in the Asia-Pacific region for years, has a new backdoor. Named Titanium by the Kaspersky researchers who analysed it, the malware downloads and installs further components that stay hidden on the system while giving the attackers access to the victim's device.
The Platinum group first drew attention in 2016, when Microsoft reported it abusing the Windows hotpatching mechanism to inject code into running processes, and again in 2017 for using Intel AMT's Serial-over-LAN channel to move data past host-based network monitoring.
What’s an APT?
An Advanced Persistent Threat is a group or individual that gains unauthorized access to a network or system and stays there, undetected, for an extended period. The intruder's goal is usually not to crash systems or lock them for ransom but to steal information of value to whoever is behind the operation. Such campaigns are run by businesses and even governments to monitor rivals' plans.
As detailed by Securelist, Titanium uses a long multi-stage chain to get in and deliver the payload. The stages are:
- an exploit capable of executing code as a SYSTEM user
- a shellcode to download the next downloader
- a downloader to download an SFX archive that contains a Windows task installation script
- a password-protected SFX archive with a Trojan-backdoor installer.
- an installer script (ps1)
- a COM object DLL (a loader).
- the Trojan-backdoor itself
Throughout, it relies on legitimate Windows components, such as the Background Intelligent Transfer Service (BITS) and ordinary Windows API calls, to fetch the next stage and talk to its command-and-control servers, so the traffic blends in with normal system activity.
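Because the chain hides behind BITS, a scheduled task and a PowerShell installer script, those are the places a defender can look. The following PowerShell hunting snippet is an added example written for this page; it is not tooling from the Securelist write-up or from Kaspersky, and it knows no Titanium-specific indicators. It lists every user's BITS jobs with their remote URLs, pulls recent BITS job-start events (event ID 59 in the BITS client log carries the URL), and flags scheduled tasks whose action launches powershell.exe with a .ps1 script. Matches are leads to triage, not proof of compromise, since legitimate software uses the same services.

```powershell
# Added hunting example for this article (not from Securelist or Kaspersky).
# Run in an elevated PowerShell session on the Windows host being examined.

Import-Module BitsTransfer

# 1. BITS jobs for all users, one row per file, with the URL each file is fetched from.
#    A downloader staged through BITS shows up here while the transfer is pending.
Get-BitsTransfer -AllUsers |
    ForEach-Object {
        $job = $_
        $job.FileList | ForEach-Object {
            [pscustomobject]@{
                Owner  = $job.OwnerAccount
                State  = $job.JobState
                Name   = $job.DisplayName
                Remote = $_.RemoteName
                Local  = $_.LocalName
            }
        }
    } | Format-Table -AutoSize -Wrap

# 2. Recent BITS job-start events; ID 59 records the job name and the remote URL,
#    so completed transfers that no longer appear in step 1 can still be reviewed.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Bits-Client/Operational'
    Id      = 59
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap

# 3. Scheduled tasks whose action runs powershell.exe with a .ps1 script,
#    the shape of the "installer script (ps1)" stage described above.
Get-ScheduledTask |
    Where-Object {
        $_.Actions | Where-Object {
            $_.Execute -match 'powershell' -and $_.Arguments -match '\.ps1'
        }
    } |
    ForEach-Object {
        [pscustomobject]@{
            Task    = "$($_.TaskPath)$($_.TaskName)"
            RunAs   = $_.Principal.UserId
            Command = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    } | Format-Table -AutoSize -Wrap
```

Review the output by hand: a task that runs as SYSTEM and points at a script in a user-writable or unusual directory, or a BITS job owned by SYSTEM that pulls from a host you do not recognise, is worth pulling the referenced file for analysis.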
In short, each stage of Titanium downloads, drops and installs the next one until the final backdoor is in place, giving the group persistent access to the system and the ability to carry out its own activities on it.
What stands out is how well hidden every one of these steps is. The components masquerade as legitimate software such as sound drivers, DVD-burning tools or security products, and that disguise is what sets Titanium apart from previous APT backdoors.