APT threat group Platinum has a shiny new plaything: a custom trojan backdoor dubbed Titanium. The backdoor's name, aside from keeping with the silvery-metal theme, comes from the password to one of the self-executable archives found in the code.

According to Kaspersky researchers who analyzed the malware, it can, among other things, read any file from the file system and exfiltrate the data; drop or delete a file in the file system; drop a file and run it; run a command line and upload the execution results; and update configuration parameters (except the AES encryption key). It also features an interactive mode that allows the attacker to receive input from console programs.

Titanium was spotted as the final payload in a campaign whose infection chain also included dropper placement and additional downloading and installing stages, the researchers said. Interestingly, the malware hides along the way during each of these steps by mimicking the file names of common software, including security packages, sound drivers and DVD video-creation tools.

Platinum is one of the most technologically advanced APT actors out there, with a traditional focus on the APAC region, the researchers said, and this campaign bore that out: victims were located in South and Southeast Asia.

A Multi-Stage Affair

The complex sequence of stages in all of the observed attacks so far starts with an exploit capable of gaining code execution as the SYSTEM user, after which the adversaries install a…
