TITANIUM: the PLATINUM group strikes again

Vladimir Kononovich, Saurabh Sharma/Kaspersky

At the last AVAR conference we ([BEEP]) presented our research of a new malware campaign – we called it “The EasternRoppels operation”. It was just the new wave of the attacks of the PLATINUM group: new victims and the new tools. We are sure with high confidence that it was a targeted attack: only a few victims in the APAC region were infected.

We researched that campaign and created many detection rules against those malicious samples. So we killed two birds with one stone: first, we provided the best detection rules to protect our users, second – we have got a robust way to track this malware campaign and this actor in general.

More than half a year has passed since then and now we have some news. First, the actor is still active: they continue their operations, we discovered several new victims (as in previous cases – all of them are in the APAC region), second, we found the new malicious tool by this actor, which we called TITANIUM. Finally, we were able to restore the chain of infection.

TITANIUM is a new targeted attack against victims in APAC. It has many malicious tools in its arsenal: powershell backdoors, fileless backdoors, exploits. One interesting thing regarding this attack is that the operators use legitimate tools to exfiltrate stolen data from the infected networks. TITANIUM backdoors achieve persistence by registering as a service or by substituting clsids and project_c toolset by using side loading technique towards system services. All executable samples in this attack are protected by custom crypter in order to make analysis more difficult. One more thing which also makes our work harder: some tools are fileless and exist only in memory of system processes: we need to restore the executable file to analyze it carefully.

In our presentation we will say about the new malicious toolsets from the PLATINUM actor – the TITANUM backdoor. We will provide additional details about this APT: reveal their modules, explain their functionality; will describe new and interesting techniques which were used by this group (fileless infection, powershell backdoors, interesting crypters, infection pattern and so on). Finally, we will say about the victims of this APT: a number of high-profile victims were infected, including some ministries, air forces and ISP in APAC.

November 8 at 09:30 - 10:00, Stage B

Vladimir Kononovich is a reverse-engineer. It`s not only his job, but also his hobby. He is an active romhacking community member. Vladimir likes to reverse old-school retro-games and writes compression and decompression tools, enabling other enthusiasts to translate their favorite games into foreign languages.

Saurabh Sharma is a Senior security researcher on the Global Research and Analysis Team (GReAT) at Kaspersky Lab, India.He`s contributing to GReAT’s mission by helping to investigate the most active and advanced threat actors, targeted attacks, attacker tools and more. Saurabh’s professional passions includes reverse engineering malware, uncovering, tracking and analyzing APT campaigns and reporting all about it.