Platinum Group’s new backdoor Titanium hides its every step by mimicking common software.
Platinum, active since at least 2012, is one of the most advanced APT actors and focuses mainly on government, military, and political targets in the APAC region. Over those seven years the group has developed a range of attack techniques, including hot patching, fileless code deployment, and text steganography that hides PowerShell and exploit code in plain text.
Titanium hides by mimicking common software
An earlier Platinum backdoor used text steganography to hide its command-and-control (C2) communication. The group's latest backdoor, called Titanium, relies on a complicated infiltration scheme instead. According to Kaspersky researchers, Titanium is the final payload of a sequence of dropping, downloading, and installing stages, each of which masquerades as legitimate software such as protection-related tools, sound drivers, and video creation tools.
The malware hides at every step by mimicking common software. Kaspersky's research shows that the main targets of this campaign were located in South and Southeast Asia, and the researchers believe Titanium spreads through local intranet websites seeded with malicious code.
Shellcode injected into winlogon.exe
Kaspersky found shellcode running inside winlogon.exe; how it was injected remains unclear. The shellcode is position-independent code that connects to a hardcoded C&C address, downloads an encrypted payload, then decrypts and launches it using a hardcoded unpacking password.
Windows task installer (SFX archive)
Another method Titanium uses to infect its targets is a self-extracting (SFX) archive containing a Windows task installation script. The archive is password-protected; the password is hardcoded in the downloader, which passes it to the archive via the -p command-line argument.
The chain also includes a Trojan-Backdoor installer (another SFX archive) and a BITS downloader. The BITS downloader is a DLL with a single exported function, GetVersionInfoA; it downloads files in encrypted form from the C&C and launches them.
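The three behaviours above (winlogon.exe talking to a hardcoded C&C, an SFX archive unpacked with a hardcoded -p password, and a DLL that exports only GetVersionInfoA) each leave a trace a defender can hunt for. The script below is an added example, not Kaspersky's code and not part of the original report: it runs three simple hunting checks over constructed Sysmon-style records embedded in the file. The field names, sample paths, addresses, the interactive-parent allow-list and the -p heuristic are all assumptions for illustration.

```python
"""Hunting checks for the Titanium delivery chain described above.

Added example (not Kaspersky's or the article's code). Runs over a few
constructed, Sysmon-style records (NOT real telemetry) and flags:
  1. winlogon.exe opening an outbound connection outside the intranet
     (the winlogon.exe shellcode talks to a hardcoded C&C address).
  2. A process started with a WinRAR-style "-p<password>" switch by a
     parent that is not an interactive shell (a downloader unpacking a
     password-protected SFX archive with a hardcoded password).
  3. A DLL whose export table is the single function GetVersionInfoA
     (the BITS downloader DLL).
Field names, thresholds and allow-lists are assumptions for illustration.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

# --- Constructed sample events (not real telemetry) -----------------------
# 203.0.113.10 is a TEST-NET documentation address standing in for a C&C.
EVENTS: List[Dict] = [
    {"type": "net", "image": r"C:\Windows\System32\winlogon.exe",
     "dst": "203.0.113.10", "dport": 443},
    {"type": "net", "image": r"C:\Windows\System32\winlogon.exe",
     "dst": "10.0.0.5", "dport": 445},                     # intranet, benign
    {"type": "net", "image": r"C:\Program Files\Browser\browser.exe",
     "dst": "203.0.113.10", "dport": 443},                 # not winlogon
    {"type": "proc", "image": r"C:\Users\Public\update.exe",
     "cmdline": r'"C:\Users\Public\update.exe" -pS3cretUnpack -s',
     "parent": r"C:\Users\Public\dl.exe"},                 # scripted unpack
    {"type": "proc", "image": r"C:\Tools\archive.exe",
     "cmdline": r'"C:\Tools\archive.exe" -pmypass',
     "parent": r"C:\Windows\explorer.exe"},                # user-driven, benign
    {"type": "dll", "path": r"C:\ProgramData\Vendor\helper.dll",
     "exports": ["GetVersionInfoA"]},
    {"type": "dll", "path": r"C:\Windows\System32\version.dll",
     "exports": ["GetFileVersionInfoA", "GetFileVersionInfoW", "VerQueryValueA"]},
]

# Assumed intranet ranges: RFC 1918 plus loopback. Titanium is believed to
# spread via intranet sites, so internal destinations are not by themselves
# suspicious; anything outside these ranges from winlogon.exe is.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumed set of parents that legitimately launch archive tools by hand.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
# WinRAR-style -p<password>; heuristic, will also match other "-pXYZ" switches.
PASSWORD_SWITCH = re.compile(r"(^|\s)-p\S+")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the assumed intranet ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def check_winlogon_outbound(ev: Dict) -> bool:
    """winlogon.exe has no business talking to hosts outside the intranet."""
    return (ev["type"] == "net"
            and basename(ev["image"]) == "winlogon.exe"
            and not is_internal(ev["dst"]))


def check_sfx_password(ev: Dict) -> bool:
    """-p<password> on the command line from a non-interactive parent."""
    return (ev["type"] == "proc"
            and PASSWORD_SWITCH.search(ev["cmdline"]) is not None
            and basename(ev["parent"]) not in INTERACTIVE_PARENTS)


def check_single_export(ev: Dict) -> bool:
    """A DLL whose only export is GetVersionInfoA matches the BITS downloader."""
    return ev["type"] == "dll" and ev["exports"] == ["GetVersionInfoA"]


RULES: Dict[str, Callable[[Dict], bool]] = {
    "winlogon_outbound_c2": check_winlogon_outbound,
    "sfx_hardcoded_password": check_sfx_password,
    "bits_downloader_single_export": check_single_export,
}


def hunt(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (rule_name, image_or_path) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.get("image") or ev.get("path")))
    return hits


if __name__ == "__main__":
    for rule_name, indicator in hunt(EVENTS):
        print(f"{rule_name}: {indicator}")
```

Run against the embedded sample, the script reports exactly the three suspicious records (the winlogon.exe connection to the external address, the scripted unpack with -p, and the single-export DLL) and stays quiet on the intranet connection, the browser traffic, the user-launched archive tool and the legitimate version.dll. In a real deployment the -p rule in particular needs tuning, since the same switch appears on benign command lines.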