Kaspersky identifies new Titanium backdoor used for attacks by notorious Platinum group in APAC region
November 2019 by Kaspersky Lab
Kaspersky experts have revealed new developments in activities from Platinum – one of the most technologically advanced APT actors that has traditionally focused on the APAC region. During the analysis, a new backdoor called Titanium was identified.
The Titanium campaign includes a complex sequence of dropping, downloading and installing stages, with deployment of a Trojan-backdoor at the final stage. Its main infection vectors include local intranet websites injected with malicious code to start spreading, a malicious archive that can be downloaded via BITS Downloader, and others.
The backdoor can accept many different commands, including but not limited to:
• Read any file from a file system and send it to the C&C
• Drop or delete a file in the file system
• Drop a file and run it
• Run a command line and send execution results to the C&C
• Update configuration parameters (except the AES encryption key)
The malware hides at every stage by mimicking common programs, such as popular DVD and anti-malware software. The major targets of the Titanium campaign were located in South and Southeast Asia – known to be around half a dozen army and government institutions.
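Since one of the infection vectors described above is a malicious archive fetched through BITS, a defender can review BITS-Client job-start events for downloads from sources outside the organisation's update infrastructure. The following Python script is an added example, not Kaspersky's code or a detection from the report: the log lines are constructed, the field layout is a simplified representation of Microsoft-Windows-Bits-Client events (ID 59 = job started, ID 60 = job finished) rather than the exact Windows format, and the allowlist and staging-directory heuristics are assumptions to be tailored to your own environment.

```python
"""Audit BITS job-start events for downloads from unexpected sources.

Added example (not from the original report). Sample events are
constructed; the field layout is an assumed simplification of
Microsoft-Windows-Bits-Client log entries, not the exact Windows format.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Hosts a typical Windows estate legitimately pulls from over BITS.
# Assumption: replace with the update servers used in your environment.
ALLOWED_HOSTS = {
    "download.windowsupdate.com",
    "update.microsoft.com",
    "updates.example-corp.internal",  # constructed internal update server
}
# Archive types that warrant a closer look when fetched over BITS.
ARCHIVE_EXTS = (".zip", ".rar", ".7z")
# User-writable directories often used to stage a dropped payload (assumed heuristic).
STAGING_DIR = re.compile(r"\\(?:Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)

# Simplified, assumed event layout: timestamp, event ID, job name, URL, destination.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+Job="(?P<job>[^"]*)"\s+'
    r'URL=(?P<url>\S+)\s+Dest="(?P<dest>[^"]*)"$'
)

# Constructed sample log lines for the demonstration.
SAMPLE_EVENTS = [
    '2019-11-08T10:12:03Z EventID=59 Job="WU Client Download" '
    'URL=http://download.windowsupdate.com/d/update.cab '
    'Dest="C:\\Windows\\SoftwareDistribution\\Download\\update.cab"',
    '2019-11-08T10:15:44Z EventID=59 Job="DVD Creator Update" '
    'URL=http://203.0.113.45/files/dvdburn.zip '
    'Dest="C:\\Users\\Public\\dvdburn.zip"',
    '2019-11-08T10:16:01Z EventID=60 Job="DVD Creator Update" '
    'URL=http://203.0.113.45/files/dvdburn.zip '
    'Dest="C:\\Users\\Public\\dvdburn.zip"',
    '2019-11-08T11:02:17Z EventID=59 Job="Corp Agent" '
    'URL=https://updates.example-corp.internal/agent/agent.msi '
    'Dest="C:\\ProgramData\\Agent\\agent.msi"',
]


def parse_event(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["eid"] = int(ev["eid"])
    return ev


def is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess(ev):
    """Return the list of reasons a BITS job deserves analyst attention."""
    host = (urlparse(ev["url"]).hostname or "").lower()
    reasons = []
    if host not in ALLOWED_HOSTS:
        reasons.append("host not in allowlist")
    if is_ip_literal(host):
        reasons.append("raw IP address as source")
    if ev["url"].lower().endswith(ARCHIVE_EXTS):
        reasons.append("archive download")
    if STAGING_DIR.search(ev["dest"]):
        reasons.append("destination in user-writable staging directory")
    return reasons


def audit(lines):
    """Map (job, url) of each job-start event (ID 59) whose source host is
    outside the allowlist to the full list of reasons found for it."""
    flagged = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["eid"] != 59:  # ignore completions and noise
            continue
        reasons = assess(ev)
        if "host not in allowlist" in reasons:
            flagged[(ev["job"], ev["url"])] = reasons
    return flagged


if __name__ == "__main__":
    for (job, url), reasons in audit(SAMPLE_EVENTS).items():
        print(f"[!] job {job!r} from {url}: {', '.join(reasons)}")
```

The allowlist decides whether a job is reported; the remaining checks (IP-literal source, archive extension, staging directory) only enrich the finding so an analyst can prioritise. Completion events (ID 60) are skipped so each job is reported once, at the point it was started.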
“Our findings once again indicate that while threat actors, just as Kaspersky predicted last year, went into deep waters, a lot of interesting developments are going on there with new attacks, campaigns, and malware modifications. These are yet to be found. The backdoor we found is of particular interest due to its capability to introduce an interactive mode that allows attackers to use a remote command line mode which sends a launched program’s output to the C&C and receives any required input from it dynamically,” said Vladimir Kononovich, a security expert at Kaspersky.
Kaspersky products detect and block the threat.
Kaspersky recommends taking the following security measures:
• Make sure you update all software used in your organization on a regular basis, and whenever a new security patch is released. Security products with Vulnerability Assessment and Patch Management capabilities may help to automate these processes.
• Choose a proven security solution, such as Kaspersky Endpoint Security for Business, which is equipped with behavior-based detection capabilities for effective protection against known and unknown threats.
• In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
• Make sure your security team has access to the most recent cyberthreat intelligence. Private reports on the latest developments in the threat landscape are available to Kaspersky Intelligence Reporting customers. For further details, contact: firstname.lastname@example.org.
• Last, but not least, ensure your staff is trained to understand and implement the basics in cybersecurity hygiene.