New waves of attack by a notorious APT group Platinum is again noticed by Kaspersky Lab. This time Platinum APT group is using new Steganography techniques to make their APT stealthier. As per Kaspersky report in this new attack campaigns they are using two steganography techniques.
Platinum APT uses an elaborate steganographic technique to conceal communication. Kaspersky Lab first noticed this group in 2012. In June 2018 Kaspersky found Platinam APT was attacking diplomatic, government and military entities from South and Southest Asian countries.
In the first stage campaign, Platinum APT use WMI subscriptions, which run a Powershell downloader. Then it downloads another Powershell backdoor.
Securelist reports, “We collected many of the initial WMI PowerShell scripts and noticed that they had different hardcoded command and control (C&C) IP addresses, different encryption keys, salt for encryption (also different for each initial loader) and different active hours (meaning the malware only worked during a certain period of time every day).”
In second stage of this campaign, Kaspersky lab found an another backdoor that works as a WinSock NSP (Nameservice Provider) and it implements a DLL. This backdoor has a similar feature with the previously describe Powershell backdoor. This backdoor can hide all communications with its C&C server by using text steganography.
Steganography is a technique by which hackers and threat actors hide a file, message, image, and video with another file, message, image, and video. Johannes Trithemius first coined the term Steganography. Hackers uses Steganography instead encryption because there are some advances as wikipedia describe “The advantage of steganography over cryptography alone is that the intended secret message does not attract attention to itself as an object of scrutiny. Plainly visible encrypted messages, no matter how unbreakable they are, arouse interest and may in themselves be incriminating in countries in which encryption is illegal.”
Kaspersky labs first think these are two different campaigns, but later by deeper analysis they believe that these two campaings are from same threat group Platinum APT.
“This is not the first time that Platinum APT has been linked with obscure or novel attack techniques -- given the group's use of a now-deprecated feature in Windows called hotpatching in the past -- but it is the first time that steganography appears to have been used.” ZDNet Reports recently.
How the backdoor work:
With the help of a dropper first the main binary backdoor installed. Then the dropper run and the files which are embedded in its “.arch” section get decrypted. After that the dropper creates directories. The directories are used to operate the backdoor and saving malware related files. And interestingly it uses paths like legitimate software does.
The backdoor also installs a configuration file which has a .cfg or .dat extensions. If you inspect the configuration file, you can see the file encrypted with AES-256 CBC and encoded: Kaspersky describes this as follows
- pr – stands for “Poll Retries” and specifies the interval in minutes after which the malware sends the C&C server a request for new commands to execute;
- ht – unused;
- sl – specifies the date and time when the malware starts running. When the date arrives, the malware clears this option.
- opt – stands for “Office Hours”. This specifies the hours and minutes during the day when the malware is active;
- die – stands for “Eradicate Days”. This specifies how many days the malware will work inside the victim’s computer;
- Section “p” lists malware C&C addresses;
- Section “t” lists legitimate URLs that will be used to ensure that an internet connection is available.
Kaspersky says “The backdoor decodes line by line and collects an encryption key for the data, which is placed right after the HTML tags in an encoded state too." Kaspersky reports also adds “One more interesting detail is that the actors decided to implement the utilities they need as one huge set – this reminds us of the framework-based architecture that is becoming more and more popular. Finally, based on the custom cryptor used by the actors, we have been able to attribute this attack to the notorious PLATINUM group, which means this group is still active.”
Steganography backdoor installer:
Obsolete steganography backdoor launcher:
For full report, please visit.