Platinum Hackers Use Steganography to Mask C&C Communications

Hackers Use Steganographic Technique to Hide Communications With Command and Control Servers 


Attacks recently attributed to the "Platinum" cyber espionage group have employed an elaborate, previously unseen steganographic technique, researchers from Kaspersky say. 


The attacks were observed in June 2018 targeting diplomatic, government and military entities in South and Southeast Asian countries, but the campaign may have started as far back as 2012. Featuring a multi-stage approach, the campaign was dubbed EasternRoppels. 


The attack started with WMI subscriptions to run an initial PowerShell downloader and fetch a small PowerShell backdoor for system fingerprinting and downloading additional code. 


Various WMI PowerShell scripts employed in the campaign used different command and control (C&C) IP addresses, encryption keys, salt for encryption and active hours. The C&C addresses, the researchers discovered, were located on free hosting services, and the attackers were also heavily reliant on Dropbox accounts for storing the payload and exfiltrated data.


While investigating another threat, the researchers discovered a backdoor they believe to be the second stage of the Platinum campaign. Implemented as a DLL and working as a WinSock NSP (Nameservice Provider) for persistence, the threat has the same characteristics as the PowerShell backdoor detailed above, but uses steganography to hide communications with the C&C. 


Further analysis revealed the use of the same domain to store exfiltrated data and common victims for both backdoors. The investigation into the encrypted files in the second stage also revealed a previously undiscovered backdoor related to the Platinum group. 


A dedicated dropper is used to install the steganography backdoor. The mal ..