An APT group dubbed Platinum is using a new stealthy Trojan-backdoor malware named Titanium to infiltrate and take control of their targets’ systems. The group is known for targeting governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. Platinum apparently uses local intranet websites to deliver the malicious artifacts during the infection process or a shellcode that gets injected into a system process via a yet unknown method. The shellcode’s only purpose is of gaining an initial foothold on a target’s machine by downloading encrypted payloads from a command and control server, decrypting them, and launching the next payload in the infection chain.
After compromising a system, the malware will download the files it needs using the Windows Background Intelligent Transfer Service (BITS) service and will make use of the legitimate cURL tool to communicate with the C2 server. The received commands are steganographically hidden data within PNG files and they allow the attackers to perform a wide range of tasks including but not limited to:
• Read any file from a file system and send it to the C&C
• Drop or delete a file in the file system
• Drop a file and run it
• Run a command line and send execution results to the C&C
• Update configuration parameters (except the AES encryption key)
• Interactive mode – allows the attacker to receive input from console programs and send their output at the C&C
The APT group is possibly exploiting the vulnerability CVE-2019-13720 in Google Chrome.