By Davey Winder
A notorious hacking group known as Platinum, for once deserving of the “advanced” in the advanced persistent threat (APT) label, has developed a backdoor security threat that hides in plain sight on Windows 10 systems. The Platinum APT group, also known as TwoForOne, is thought to have nation-state backing and has been actively operating for the last ten years at least. Eugene Kaspersky has said that Platinum is “one of the most technologically advanced APT actors.” The discovery of the Windows 10 Trojan-backdoor, named Titanium after a password that unlocks one of the self-executable archives in the infection chain, is just the latest threat to emerge from this always evolving group.
The Titanium Windows 10 backdoor
The pernicious and technologically advanced piece of APT malware was discovered by researchers at security vendor Kaspersky during a recent analysis of Platinum APT group activity. The Titanium backdoor itself is the final act of a complicated infection sequence. The infection vector is thought to use malicious code within local intranet websites, but the actual seven-step sequence itself is the same in every case analyzed by the researchers.
First, there is the use of an exploit that is capable of executing code as the “SYSTEM” user. Think of this as being the same as admin in terms of privilege, but used by the Windows 10 operating system and the services that run under it. For most intents and purposes, SYSTEM is to Windows what root is to Linux.
This is followed by shellcode (so named because such code originally spawned a command shell; here, a small piece of machine code that executes a list of instructions) injected into the winlogon.exe process. The Kaspersky analysis confirms that it is not currently known how the shellcode was injected. What is known is that the shellcode downloads a downloader; in turn, this executes step three in the sequence, the download of a self-extracting (SFX) archive containing a Windows task installation script.
The SFX archive, protected by a password, then opens to reveal the Trojan-backdoor installer itself. Step five is running that installer script, which initiates step six, the registration of a .dll “loader” that pretends to be a legitimate help service for DVD creation software. And finally, the backdoor itself.
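Step six leaves a footprint a defender can look for: a service whose code lives in a DLL that is not what its name suggests. The following is an added example, not code from the article or from Kaspersky’s report, and it assumes the loader is registered as an svchost-hosted service DLL (the article does not say exactly how the service is registered); it lists every service DLL on the host that is unsigned or not signed by Microsoft, so each hit can be reviewed by hand.

```powershell
# Added example (not from the article or Kaspersky's report): hunt for service DLLs
# that are missing, unsigned, or signed by someone other than Microsoft.
# Assumes an elevated PowerShell session on the Windows host being reviewed and that
# the loader is registered as an svchost-hosted service DLL (ServiceDll value under
# the service's Parameters key); services that store ServiceDll elsewhere are skipped.
$flagged = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $dll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }   # not a DLL-hosted service (or stored elsewhere)

    $path = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Service = $svc.Name; DisplayName = $svc.DisplayName;
                           Dll = $path; Status = 'FileMissing'; Signer = '' }
        continue
    }

    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    # Keep anything that fails signature validation or is not Microsoft-signed.
    if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
        [pscustomobject]@{ Service = $svc.Name; DisplayName = $svc.DisplayName;
                           Dll = $path; Status = $sig.Status; Signer = $signer }
    }
}

# Third-party vendors legitimately appear here; a DLL whose display name claims to be
# a well-known product but whose signer does not match that vendor is the one to chase.
$flagged | Sort-Object Status, Service | Format-Table -AutoSize
```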
“Titanium uses several advanced techniques, such as encryption, steganography and fileless malware, to try to hide its activities from anti-virus products,” a Kaspersky spokesperson says. “It also uses exploits to inject its payload into processes that are running with system privileges.” In the case of Titanium, security and DVD creation software along with audio drivers are amongst the processes mimicked to remain stealthy at every step.
This isn’t the first Windows threat to hide in plain sight by using a fileless strategy; the “Great Duke of Hell” malware used similar invisible man methodologies, as did the Nodersok zombie attack. However, combining living-off-the-land binaries (LOLBins) that are from the system itself with added encryption and steganography, whereby Titanium hides command and control data within an image file, reveals just how technically competent this attack group is.
Mitigating the Titanium backdoor security threat
Unless you are running the kind of corporate-grade security solution that monitors networks for system-wide behavioral indicators of a targeted attack, the chances are that Titanium could make it onto your system without detection. While I have focused on Windows 10 in my reporting, a Kaspersky spokesperson says that “the new Titanium APT threat infects systems with any modern Windows OS,” to add to the misery. Linux and macOS users are in the clear as Kaspersky says that Titanium only executes on Windows systems.
The good news, however, comes on two fronts. First, Kaspersky researchers have said that “we have not detected any current activity related to the Titanium APT,” which could be because Platinum hasn’t started a Titanium-based campaign as of yet, or because it hides so well that nobody has detected the campaigns that are active. Threat intelligence would suggest that many Platinum attacks have gone undetected for years, as befits the “P” in the APT moniker. Secondly, and reassuring for consumers at least, is that the Platinum group specializes in highly targeted attacks, like most APT actors. In the case of Platinum, history suggests government targets are in the crosshairs, along with related organizations in the supply chain that can help infiltrate them. Primarily, it would seem, these government targets have been in APAC countries.
Titanium is, as I have already mentioned, far from being the only malware that can infiltrate systems in a stealthy manner and grant control to a threat actor, advanced and persistent or otherwise. So, consumers are not out of the woods here; ensure that good cyber hygiene, in terms of clicking links or downloading attachments, is practiced at all times. Also, make sure that both your Windows system and your security solution of choice are kept updated, despite the well-publicized issues there have been with Windows updates of late.