Titanium: The Platinum Group Strikes Again (Nov 8, 2019)

Platinum, an Advanced Persistent Threat (APT) group focused on the Asia Pacific region, has been using a new backdoor, “Titanium”, in recent attacks, according to researchers at Kaspersky. Targeting Indonesia, Malaysia and Vietnam, the infection spreads via local intranet websites. Once in the system, the payload is downloaded from a Command and Control (C2) server, with a backdoor downloader that pulls down an installer. The final payload is downloaded using the Windows Background Intelligent Transfer Service (BITS) and cURL. Loaded into memory, the payload is obfuscated using Windows API calls to bypass anti-virus software. Due to the use of encryption and fileless technologies, the malware is able to evade detection.

Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Spearphishing is a common tactic employed by APT actors as an initial infection vector; therefore, educate your employees on the risk such emails pose. Protocols should be employed to show your employees what spearphishing targeting your company may look like, and whom to contact if a spearphishing email is identified.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.