Titanium: the Platinum group strikes again

[harlan4096]

Platinum is one of the most technologically advanced APT actors with a traditional focus on the APAC region. During recent analysis we discovered Platinum using a new backdoor that we call Titanium (named after a password to one of the self-executable archives). Titanium is the final result of a sequence of dropping, downloading and installing stages. The malware hides at every step by mimicking common software (protection related, sound drivers software, DVD video creation tools).

Victimology

During our research we found that the main targets of this campaign were located in South and Southeast Asia.

Introduction

The Titanium APT includes a complex sequence of dropping, downloading and installing stages, with deployment of a Trojan-backdoor as the final step. Almost every level of the system mimics known software, such as security software, software for making DVD videos, sound drivers’ software etc.

In every case the default distribution is:

1. an exploit capable of executing code as a SYSTEM user
2. a shellcode to download the next downloader
3. a downloader to download an SFX archive that contains a Windows task installation script
4. a password-protected SFX archive with a Trojan-backdoor installer
5. an installer script (ps1)
6. a COM object DLL (a loader)
7. the Trojan-backdoor itself

Infection vector

We believe the Titanium APT uses local intranet websites with a malicious code to start spreading.

1 – Shellcode

Another known way of spreading is the use of a shellcode that needs to be injected into a process. In this case it was winlogon.exe. Unfortunately, we don’t know how the shellcode was injected. See the shellcode description below.

2 – Wrapper DLLs

Attackers make active use of various kinds of ‘wrappers’. Each wrapper is usually a COM DLL, with the corresponding exported functions. The main purpose of these libraries is to decrypt and load an encrypted file (previously dropped somewhere) into the system memory (a payload) and then redirect calls to the wrapper itself to the payload’s exported functions.

Another type of wrapper DLL is designed to obtain a command line from its exported function argument passed by a caller and create a new process.

3 – Windows task installer (SFX archive)

This is a password-encrypted SFX archive that can be downloaded via BITS Downloader. The password is hardcoded into the downloader that is used to decrypt the SFX archive using the -p command line argument.

The main feature of this archive is that it contains the cURL executable code, compiled into a DLL. Its purpose is to install the Windows task to establish persistence in the infected system.

4 – Trojan-Backdoor installer (SFX archive)

The backdoor itself uses an SFX archive which must be launched from the command line using a password to unpack it. All paths examples here and there will be for the DVD making software. However, these notes can be also applied to any other known software paths.

5 – BITS Downloader

This component is used to download encrypted files from the C&C server then decrypt and launch them.
...

Continue Reading