Titanium: the Platinum group strikes again

Platinum is one of the most technologically advanced APT actors, with a traditional focus on the APAC region. During recent analysis we discovered Platinum using a new backdoor that we call Titanium (named after the password to one of the self-extracting archives). Titanium is the final result of a sequence of dropping, downloading and installing stages. The malware hides at every step by mimicking common software (security-related software, sound-driver software, DVD video creation tools).


Victimology


During our research we found that the main targets of this campaign were located in South and Southeast Asia.



Introduction


The Titanium APT includes a complex sequence of dropping, downloading and installing stages, with deployment of a Trojan-backdoor as the final step. Almost every stage mimics known software, such as security software, software for making DVD videos, sound-driver software etc.


In every case the default chain of components is:


an exploit capable of executing code as a SYSTEM user
a shellcode to download the next downloader
a downloader to download an SFX archive that contains a Windows task installation script
a password-protected SFX archive with a Trojan-backdoor installer
an installer script (ps1)
a COM object DLL (a loader)
the Trojan-backdoor itself

Infection vector


We believe the Titanium APT uses local intranet websites with malicious code to start spreading.


1 – Shellcode


Another known way of spreading is the use of shellcode that needs to be injected into a process; in this case it was winlogon.exe. Unfortunately, we don't know how the shellcode was injected. See the shellcode description below.
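The stage list above (a scheduled-task installer, a PowerShell installer script, a COM object DLL acting as loader) and the winlogon.exe injection described here suggest three cheap host-side checks. The script below is an added hunting example, not code from the original report or from the Platinum toolset; it uses only standard PowerShell cmdlets and generic heuristics. The match patterns, the choice of HKCU for the COM lookup and the "unsigned module" test are assumptions for illustration, not indicators taken from the report, and every hit must be compared against a known-good baseline because legitimate software triggers all three.

```powershell
# Added hunting script (not from the original post). Heuristics only, loosely
# following the stage list: a scheduled task that launches a PowerShell
# installer, a per-user COM loader DLL, and a foreign module inside
# winlogon.exe. Run from an elevated prompt; patterns below are assumptions.

$ErrorActionPreference = 'SilentlyContinue'

# 1. Scheduled tasks whose action runs powershell.exe or passes a .ps1 script.
#    Many products do this legitimately, so diff against a baseline export.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -match 'powershell|pwsh' -or $a.Arguments -match '\.ps1') {
            [pscustomobject]@{
                Check   = 'ScheduledTask'
                Name    = $task.TaskPath + $task.TaskName
                User    = $task.Principal.UserId
                Execute = $a.Execute
                Args    = $a.Arguments
            }
        }
    }
}

# 2. Per-user COM servers. HKCU\Software\Classes overrides HKLM for the same
#    CLSID, so an InprocServer32 DLL registered here is loaded by any process
#    that instantiates that object. Report each one with its signature status.
Get-ChildItem 'HKCU:\Software\Classes\CLSID' | ForEach-Object {
    $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32"
    if ($srv -and $srv.'(default)') {
        $dll = [Environment]::ExpandEnvironmentVariables($srv.'(default)')
        $sig = Get-AuthenticodeSignature -FilePath $dll
        [pscustomobject]@{
            Check  = 'UserCOM'
            CLSID  = $_.PSChildName
            Dll    = $dll
            Signed = $sig.Status
        }
    }
}

# 3. Modules loaded in winlogon.exe that do not carry a valid signature.
#    Raw injected shellcode has no module entry, so this only catches a loader
#    DLL pulled in afterwards; shellcode-only injection needs a memory scan
#    of private executable regions, which is outside this script.
Get-Process -Name winlogon | ForEach-Object {
    $proc = $_
    foreach ($m in $proc.Modules) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Check  = 'WinlogonModule'
                Pid    = $proc.Id
                Module = $m.FileName
                Signed = $sig.Status
            }
        }
    }
}
```

Each block emits objects, so the output can be piped to Export-Csv and diffed between a clean reference host and a suspect one; a task, COM entry or winlogon module that appears only on the suspect host is the thing to pull for analysis.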
