New Threat Research: MalSync Teardown: From DLL Hijacking to PHP Malware for Windows  

Read Threat Research

Search

Platinum Threat Group Using Titanium Backdoor

Platinum APT: Researchers from Kaspersky have found a new backdoor being used by the Platinum threat group they have called Titanium. The backdoor was named after the password that is used in one of the self-executable archives. The malware can hide every step by mimicking common software. The targets of this malware include the Asian-Pacific region (APAC), primarily Southeast Asia. Titanium includes a sequence of complex steps from dropping to downloading to the installing stages, finishing with a Trojan-backdoor being downloaded. Titanium uses local intranet websites with malicious code to start spreading. The malware will also check that it was started using the SYSTEM user–if it was, then it launches command line arguments using the Windows Management Interface (WMI). If it was not, then the downloader will pass command-line arguments into an argument parser. Titanium has a very complicated infiltration scheme and involves numerous steps with good coordination between them all. None of the files can be detected as malicious because of the encryption and fileless technology that is being used.

Analyst Notes

This group is one of the most sophisticated that is being tracked at this time. They are heavily focused on making their malware hard to detect, which makes it harder for users to protect themselves from this malware. To defend against threats that evade anti-virus and other automated defenses, it is important to use a defense-in-depth strategy that includes Security Operations Center (SOC) analysts who can recognize attacker behaviors without relying on static malware signatures. It is not known what the group is planning on doing with this malware, but they are likely using it to infiltrate entities and gain a foothold in those networks to continuously steal data. Currently, there is no active campaign being tracked with this malware or group, but they could start one at any time. For more details visit: https://securelist.com/titanium-the-platinum-group-strikes-again/94961/