Rewterz Threat Alert – Titanium Malware: the Platinum group strikes again

Monday, November 11, 2019

Severity

Medium

Analysis Summary

An APT group dubbed Platinum is using a new stealthy Trojan-backdoor malware named Titanium to infiltrate and take control of their targets’ systems. The group is known for targeting governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. Platinum apparently uses local intranet websites to deliver the malicious artifacts during the infection process or a shellcode that gets injected into a system process via a yet unknown method. The shellcode’s only purpose is of gaining an initial foothold on a target’s machine by downloading encrypted payloads from a command and control server, decrypting them, and launching the next payload in the infection chain.

After compromising a system, the malware will download the files it needs using the Windows Background Intelligent Transfer Service (BITS) service and will make use of the legitimate cURL tool to communicate with the C2 server. The received commands are steganographically hidden data within PNG files and they allow the attackers to perform a wide range of tasks including but not limited to:

• Read any file from a file system and send it to the C&C
• Drop or delete a file in the file system
• Drop a file and run it
• Run a command line and send execution results to the C&C
• Update configuration parameters (except the AES encryption key)
• Interactive mode – allows the attacker to receive input from console programs and send their output at the C&C

The APT group is possibly exploiting the vulnerability CVE-2019-13720 in Google Chrome.

Impact

  • Information Theft
  • Data Manipulation
  • Code Execution
  • System Takeover

Indicators of Compromise

Source IP

70.39.115[.]196

URL

  • hxxp[:]//70.39.115[.]196/payment/confirm[.]gif?f=1
  • http[:]//70.39.115[.]196/payment/confirm[.]gif
  • http[:]//70.39.115[.]196/payment/confirm[.]gif?f=2

Remediation

  • Block the threat indicators at their respective controls.
  • Keep all systems and software updated to latest patched versions.

Data Sheets

Corporate Brochure


Our Story


Services


Solutions


Managed Security


Upcoming Rewterz Trainings/Events

Rewterz News

  • 6, December 2019 Rewterz Threat Advisory – CVE-2019-14899 – New Linux Vulnerability Inferring and hijacking VPN-tunneled TCP connections
  • 6, December 2019 Rewterz Threat Advisory – CVE-2019-18232 – ICS: Thales DIS SafeNet Sentinel LDK License Manager Runtime Privilege Escalation Vulnerability
  • 5, December 2019 Rewterz Threat Alert – “ZeroCleare” Targets Energy Sector in the Middle East
  • 5, December 2019 Rewterz Threat Alert – CStealer Trojan Targeting Chrome Passwords

Copyright © Rewterz. All rights reserved.