Malware hides at every step by mimicking common software in long multi-stage execution.
One of the world’s most technologically advanced hacking groups has a new backdoor that’s every bit as sophisticated as its creators.
Dubbed Titanium by the Kaspersky Lab security researchers who discovered it, the malware is the final payload delivered in a long and convoluted attack sequence. The attack chain uses a host of clever tricks to evade antivirus protection. Those tricks include encryption, mimicking of common device drivers and software, memory-only infections, and a series of droppers that execute the malicious code in a multi-staged sequence. Yet another means of staying under the radar is hidden data delivered steganographically in a PNG image.
Named after a password used to encrypt a malicious archive, Titanium was developed by Platinum, a so-called advanced persistent threat group that focuses hacks on the Asia-Pacific region, most likely on behalf of a nation.
“The Titanium APT has a very complicated infiltration scheme,” Kaspersky Lab researchers wrote in a post. “It involves numerous steps and requires good coordination between all of them. In addition, none of the files in the file system can be detected as malicious due to the use of encryption and fileless technologies. One other feature that makes detection harder is the mimicking of well-known software.”
Titanium uses several different methods to initially infect its targets and spread from computer to computer. One is a local intranet that has already been compromised with malware. Another vector is an SFX archive containing a Windows installation task. A third is shellcode that gets injected into the winlogon.exe process (it’s still unknown how this happens). The end result is a stealthy and full-featured back door that can:
- Read any file from a file system and send it to an attacker-controlled server
- Drop a file onto or delete it from the file system
- Drop a file and run it
- Run a command line and send execution results to the attacker’s control server
- Update configuration parameters (except the AES encryption key)
Platinum has been operating since at least 2009, according to a detailed report Microsoft published in 2016. The group is primarily focused on the theft of sensitive intellectual property related to government interests. Platinum often relies on spear phishing and zero-day exploits.
Interestingly, Kaspersky Lab says it has yet to detect any current activity related to Titanium. It’s not clear if that’s because the malware isn’t in use or if it’s just too hard to detect infected computers.