Platinum APT, a stealthy group that actively invades systems in the Asia Pacific region has now found a new backdoor to operate. This new method, as called by Microsoft, Titanium is now capable of downloading malware that stays within the system hiding and gaining access to the victimโ€™s device.

This Platinum group gained limelight in 2016 by abusing Microsoftโ€™s hot patching method and later for exploiting Intel AMTโ€™s Serial Over LAN capabilities.

Whatโ€™s an APT?

Platinum APT Finds New Backdoor named Titanium. Sneaks Cleverly to Steal Info.
Image Source โ€“ https://www.axios.com/

Advanced Persistent Threat, is a group or an individual trying to gain unauthorized access into a network or a system and stay for an extended time. The intruderโ€™s objective may not be to crash or lock for ransoms, but for stealing important information that could benefit him. Such activities are performed by businesses or even governments to monitor rivals plans.

Modus Operandi

As detailed by Securelist, Titanium uses a difficult method to sneak in and deliver the payload. It goes as:

  • an exploit capable of executing code as a SYSTEM user
  • a shellcode to download the next downloader
  • a downloader to download an SFX archive that contains a Windows task installation script
  • a password-protected SFX archive with a Trojan-backdoor installer.
  • an installer script (ps1)
  • a COM object DLL (a loader).
  • the Trojan-backdoor itself

It uses all legitimate services like Windows Background Intelligent Transfer Service (BITS) and Windows API calls to communicate with concerned servers.

To conclude, Titaniumโ€™s purpose is to sequentially download, drop and install the payload, that gives the unauthorized group access to the system and performs activities.

The great thing of all, this new Trojan dumping backdoor is hidden from all the steps mentioned above. It masks itself as a legitimate software/tool like sound drivers, DVD maker or protection application. And this is what makes it unique from all previous APTs happened.

LEAVE A REPLY

Please enter your comment!
Please enter your name here