Notorious APT Group Platinum is Still Active – Comes With New Attack Campaigns

Kaspersky Lab has again noticed new waves of attacks by the notorious APT group Platinum. This time the Platinum APT group is using new steganography techniques to make its operations stealthier. According to Kaspersky's report, the group is using two steganography techniques in these new attack campaigns.

Platinum APT uses an elaborate steganographic technique to conceal communication. Kaspersky Lab first noticed this group in 2012. In June 2018 Kaspersky found the Platinum APT attacking diplomatic, government and military entities in South and Southeast Asian countries.

In the first stage of the campaign, Platinum APT uses WMI subscriptions that run a PowerShell downloader, which in turn downloads another PowerShell backdoor.

Securelist reports, “We collected many of the initial WMI PowerShell scripts and noticed that they had different hardcoded command and control (C&C) IP addresses, different encryption keys, salt for encryption (also different for each initial loader) and different active hours (meaning the malware only worked during a certain period of time every day).”

In the second stage of this campaign, Kaspersky Lab found another backdoor, implemented as a DLL, that works as a WinSock NSP (Nameservice Provider). This backdoor has features similar to the previously described PowerShell backdoor, and it can hide all communications with its C&C server by using text steganography.

Steganography is a technique by which hackers and threat actors hide a file, message, image or video inside another file, message, image or video. Johannes Trithemius first coined the term steganography. Attackers use steganography rather than encryption alone because it has some advantages, as Wikipedia describes: “The advantage of steganography over cryptography alone is that the intended secret message does not attract attention to itself as an object of scrutiny. Plainly visible encrypted messages, no matter how unbreakable they are, arouse interest and may in themselves be incriminating in countries in which encryption is illegal.”

Kaspersky Lab first thought these were two different campaigns, but after deeper analysis they believe that both campaigns come from the same threat group, Platinum APT.

“This is not the first time that Platinum APT has been linked with obscure or novel attack techniques -- given the group's use of a now-deprecated feature in Windows called hotpatching in the past -- but it is the first time that steganography appears to have been used.” ZDNet reported recently.

How the backdoor works:

The main binary backdoor is first installed with the help of a dropper. When the dropper runs, the files embedded in its “.arch” section are decrypted. After that the dropper creates the directories used to operate the backdoor and to store malware-related files. Interestingly, it uses paths that look like those of legitimate software.

The backdoor also installs a configuration file with a .cfg or .dat extension. If you inspect the configuration file, you can see that it is encrypted with AES-256 CBC and encoded. Kaspersky describes its contents as follows:

  • pr – stands for “Poll Retries” and specifies the interval in minutes after which the malware sends the C&C server a request for new commands to execute;
  • ht – unused;
  • sl – specifies the date and time when the malware starts running. When the date arrives, the malware clears this option.
  • opt – stands for “Office Hours”. This specifies the hours and minutes during the day when the malware is active;
  • die – stands for “Eradicate Days”. This specifies how many days the malware will work inside the victim’s computer;
  • Section “p” lists malware C&C addresses;
  • Section “t” lists legitimate URLs that will be used to ensure that an internet connection is available.

Kaspersky says “The backdoor decodes line by line and collects an encryption key for the data, which is placed right after the HTML tags in an encoded state too.”
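To make the line-by-line decoding concrete from a defender's side, here is an added example (not code from Kaspersky's report or the malware) that decodes and flags text steganography hidden as invisible whitespace after HTML content. The bit mapping (space = 0, tab = 1, eight characters per line) is assumed for illustration and is not Platinum's exact scheme; the sample page is constructed.

```python
"""Decode and detect trailing-whitespace text steganography in HTML (added example)."""
import re

# Illustrative encoding, assumed for this example: each HTML line carries 8
# invisible characters after its visible content; a space encodes bit 0 and a
# tab encodes bit 1. Browsers ignore this whitespace, so the page looks normal.
# This mirrors the class of technique described above but is NOT Platinum's scheme.
TRAILING_WS = re.compile(r"[ \t]+$")


def extract_trailing_bits(html: str) -> str:
    """Collect trailing spaces/tabs line by line and map them to a bit string."""
    bits = []
    for line in html.splitlines():
        m = TRAILING_WS.search(line)
        if m:
            bits.append("".join("1" if c == "\t" else "0" for c in m.group()))
    return "".join(bits)


def decode_hidden(html: str) -> bytes:
    """Decode the hidden payload: bits grouped into bytes, leftover bits dropped."""
    bits = extract_trailing_bits(html)
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def whitespace_stego_score(html: str) -> float:
    """Detection heuristic: fraction of non-empty lines ending in a run of 2+
    spaces/tabs. Normally formatted or minified HTML scores near 0."""
    lines = [l for l in html.splitlines() if l.strip()]
    if not lines:
        return 0.0
    suspicious = sum(1 for l in lines if re.search(r"[ \t]{2,}$", l))
    return suspicious / len(lines)


# Constructed sample page: two lines padded with 8 spaces/tabs each.
# " \t  \t   " -> 01001000 = 0x48 'H';  " \t\t \t  \t" -> 01101001 = 0x69 'i'
SAMPLE_HTML = (
    "<html><body>\n"
    "<p>Welcome to our site</p> \t  \t   \n"
    "<p>Nothing to see here</p> \t\t \t  \t\n"
    "</body></html>\n"
)
CLEAN_HTML = "<html><body>\n<p>Welcome</p>\n<p>Bye</p>\n</body></html>\n"

if __name__ == "__main__":
    print(decode_hidden(SAMPLE_HTML))           # b'Hi'
    print(whitespace_stego_score(SAMPLE_HTML))  # 0.5
    print(whitespace_stego_score(CLEAN_HTML))   # 0.0
```

A proxy or sandbox can apply the score to fetched pages and alert when many lines end in mixed space/tab runs, which real web content almost never has.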

Kaspersky's report also adds: “One more interesting detail is that the actors decided to implement the utilities they need as one huge set – this reminds us of the framework-based architecture that is becoming more and more popular. Finally, based on the custom cryptor used by the actors, we have been able to attribute this attack to the notorious PLATINUM group, which means this group is still active.”

IoCs

Steganography backdoor installer:

Obsolete steganography backdoor launcher:

Steganography backdoor:

P2P backdoor:

Config manager:


For the full report, please visit:
https://securelist.com/platinum-is-back/91135/