New Windows backdoor that hides by mimicking common software developed by Platinum APT group
The Platinum APT group backdoor is installed following a seven-step infection sequence
Researchers at Kaspersky have discovered a new Windows backdoor that can hide itself in compromised Windows 10 systems by behaving like common software.
Dubbed Titanium, the backdoor is attributed to the Platinum APT group, which is believed to be state-sponsored.
Platinum is one of the most notorious and technically advanced APT actors. Also known as TwoForOne, the group has been operating for roughly a decade and is known for targeting military, government and political institutions across South and Southeast Asia.
According to the researchers, the Titanium backdoor is the final act of a complex, seven-step infection sequence that involves dropping, downloading and installing a series of malicious files.
The backdoor derives its name from a password that unlocks one of its archives. It appears to be similar to other backdoors used by Platinum APT in recent years.
At every stage of the infection sequence, malicious code hides its presence by mimicking common software, such as video creation tools, sound drivers, and security software.
The first step uses an exploit capable of running code as SYSTEM, the highest-privileged local account on Windows.
In the second step, shellcode downloads the next-stage downloader, which in turn fetches a password-protected self-extracting (SFX) archive containing a Windows task installation script.
That installer script (a PowerShell .ps1 file) carries out the sixth step: registration of a COM object DLL, a loader that poses as a genuine DVD creation helper service. The Titanium backdoor itself is deployed as the seventh and final stage.
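As an added check, not code from Kaspersky's report and not an artefact of the malware itself: a PowerShell hunt that enumerates the two persistence points the chain above relies on, registered COM in-process servers and scheduled tasks, and flags entries that are recent, unsigned, located outside the Windows and Program Files trees, or launched through a script host. The look-back window, path patterns and function names are my own assumptions for illustration, not published Titanium indicators; a loader that poses as a DVD creation service would still have to appear as a CLSID whose InprocServer32 DLL can be inspected here.

```powershell
# Added hunt script (not Kaspersky's code, not a Titanium artefact). Assumes an
# elevated Windows PowerShell 5.1 session. Thresholds and patterns are assumptions.

function Find-SuspectComServers {
    param([int]$LookbackDays = 30)
    $since   = (Get-Date).AddDays(-$LookbackDays)
    $trusted = @("$env:SystemRoot\*", "$env:ProgramFiles\*", "${env:ProgramFiles(x86)}\*")

    foreach ($clsid in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
        $inproc = Get-ItemProperty -Path "$($clsid.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if (-not $inproc) { continue }
        # The key's default value holds the DLL path; strip quotes and expand %SystemRoot% etc.
        $dll = [Environment]::ExpandEnvironmentVariables(("$($inproc.'(default)')" -replace '"', ''))
        # Bare names such as "combase.dll" (resolved via the loader search path) are skipped.
        if ([string]::IsNullOrWhiteSpace($dll) -or -not (Test-Path -LiteralPath $dll)) { continue }

        $file = Get-Item -LiteralPath $dll
        $sig  = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
        $sigStatus = if ($sig) { $sig.Status } else { 'Unknown' }
        $inTrustedDir = $false
        foreach ($pattern in $trusted) { if ($dll -like $pattern) { $inTrustedDir = $true } }

        # Flag: outside Windows/Program Files, unsigned or invalid signature, or recently written.
        if (-not $inTrustedDir -or $sigStatus -ne 'Valid' -or $file.LastWriteTime -gt $since) {
            [pscustomobject]@{
                Clsid       = $clsid.PSChildName
                Description = (Get-ItemProperty -Path $clsid.PSPath -ErrorAction SilentlyContinue).'(default)'
                Dll         = $dll
                Signature   = $sigStatus
                LastWrite   = $file.LastWriteTime
            }
        }
    }
}

function Find-SuspectScheduledTasks {
    param([int]$LookbackDays = 30)
    $since = (Get-Date).AddDays(-$LookbackDays)
    # Script hosts commonly used to launch an installer script, plus user-writable paths.
    $scriptHosts  = 'powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd\.exe'
    $writablePath = '\\Users\\|\\ProgramData\\|\\Temp\\|\\AppData\\'

    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $registered = $null
        if ($task.Date) { $registered = [datetime]$task.Date }
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # skip COM-handler / e-mail actions
            $cmdline = "$($action.Execute) $($action.Arguments)"
            $recent  = ($null -ne $registered) -and ($registered -gt $since)
            if ($recent -or $action.Execute -match $scriptHosts -or $cmdline -match $writablePath) {
                [pscustomobject]@{
                    Task        = "$($task.TaskPath)$($task.TaskName)"
                    Author      = $task.Author
                    Registered  = $registered
                    CommandLine = $cmdline
                }
            }
        }
    }
}

# Usage: dump both lists for triage; look hard at anything whose description or
# path imitates media tools, sound drivers or security software.
Find-SuspectComServers     | Sort-Object LastWrite -Descending | Format-Table -AutoSize
Find-SuspectScheduledTasks | Sort-Object Registered -Descending | Format-Table -AutoSize
```

Expect noise: a stock Windows install registers thousands of CLSIDs and many Microsoft tasks run through rundll32 or PowerShell, so the signature check alone can take several minutes and the output needs triage by Author, path and signer rather than being treated as a verdict. Tightening the look-back window to the suspected intrusion date cuts the list quickly.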
Titanium can read any file from the file system and send it to the command-and-control (C&C) server, and it can drop a file and run it. Its interactive mode lets the operators feed input to console programmes and relay their output to the C&C server.
However, Kaspersky researchers say they have not detected any current campaign using the Titanium backdoor.