Geeks for your information Security Security Vendors Kaspersky Kaspersky Security Blog v
Platinum is back
Platinum is back
harlan4096 Offline
MalWare Zoo Team
*******
Posts: 14,467
Threads: 9,531
Thanks Received: 9,035 in 7,185 posts
Thanks Given: 9,811
Joined: 12 September 18
#1
Bug  06 June 19, 07:43
Quote:
[Image: platinum-is-back-1.png]

In June 2018, we came across an unusual set of samples spreading throughout South and Southeast Asian countries targeting diplomatic, government and military entities. The campaign, which may have started as far back as 2012, featured a multi-stage approach and was dubbed EasternRoppels. The actor behind this campaign, believed to be related to the notorious PLATINUM APT group, used an elaborate, previously unseen steganographic technique to conceal communication.

As a first stage the operators used WMI subscriptions to run an initial PowerShell downloader which, in turn, downloaded another small PowerShell backdoor. We collected many of the initial WMI PowerShell scripts and noticed that they had different hardcoded command and control (C&C) IP addresses, different encryption keys, salt for encryption (also different for each initial loader) and different active hours (meaning the malware only worked during a certain period of time every day). The C&C addresses were located on free hosting services, and the attackers made heavy use of a large number of Dropbox accounts (for storing the payload and exfiltrated data). The purpose of the PowerShell backdoor was to perform initial fingerprinting of a system since it supported a very limited set of commands: download or upload a file and run a PowerShell script.

At the time, we were investigating another threat, which we believe to be the second stage of the same campaign. We were able to find a backdoor that was implemented as a DLL and worked as a WinSock NSP (Nameservice Provider) to survive a reboot. The backdoor shares several features with the PowerShell backdoor described above: it has hardcoded active hours, it uses free domains as C&C addresses, etc. The backdoor also has a few very interesting features of its own. For example, it can hide all communication with its C&C server by using text steganography.

After deeper analysis we realized that the two threats were related. Among other things, both attacks used the same domain to store exfiltrated data, and we discovered that some of the victims were infected by both types of malware at the same time. It’s worth mentioning that in the second stage, all executable files were protected with a runtime crypter and after unpacking them we found another, previously undiscovered, backdoor that is known to be related to PLATINUM.

Our paper only includes a description of the two previously undiscovered backdoors while the full report is available to customers of the Kaspersky Intelligence Reporting service (contact intelreports@kaspersky.com).
Continue Reading
[-] The following 1 user says Thank You to harlan4096 for this post:
  • silversurfer
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
Adobe Acrobat Reader DC 2025.001.20467
Adobe Acrobat Read...harlan4096 — 06:11
GFYI [Official] CheckMAL's AppCheck Pro...
tweet CheckMAL Secu...dhruv2193 — 17:10
Introducing Advanced Chat Privacy: Enhan...
Introducing Advanc...harlan4096 — 11:49
Brave 1.77.101
Release Channel 1....harlan4096 — 11:48
Opera118.0.5461.60
Hello! We are h...harlan4096 — 11:47

[-]
Birthdays
Today's Birthdays
avatar (50)steakelask
avatar (44)Termoplenka
Upcoming Birthdays
avatar (50)Toligo

[-]
Online Staff
There are no staff members currently online.

>