• Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – DarkUniverse APT Framework
November 11, 2019
Rewterz Threat Alert – Variant of Adwind RAT Targets Petroleum Sector
November 11, 2019

Rewterz Threat Alert – Titanium Malware: the Platinum group strikes again

November 11, 2019

Severity

Medium

Analysis Summary

An APT group dubbed Platinum is using a new stealthy Trojan-backdoor malware named Titanium to infiltrate and take control of their targets’ systems. The group is known for targeting governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. Platinum apparently uses local intranet websites to deliver the malicious artifacts during the infection process or a shellcode that gets injected into a system process via a yet unknown method. The shellcode’s only purpose is of gaining an initial foothold on a target’s machine by downloading encrypted payloads from a command and control server, decrypting them, and launching the next payload in the infection chain.

After compromising a system, the malware will download the files it needs using the Windows Background Intelligent Transfer Service (BITS) service and will make use of the legitimate cURL tool to communicate with the C2 server. The received commands are steganographically hidden data within PNG files and they allow the attackers to perform a wide range of tasks including but not limited to:

• Read any file from a file system and send it to the C&C
• Drop or delete a file in the file system
• Drop a file and run it
• Run a command line and send execution results to the C&C
• Update configuration parameters (except the AES encryption key)
• Interactive mode – allows the attacker to receive input from console programs and send their output at the C&C

The APT group is possibly exploiting the vulnerability CVE-2019-13720 in Google Chrome.

Impact

  • Information Theft
  • Data Manipulation
  • Code Execution
  • System Takeover

Indicators of Compromise

Source IP

70.39.115[.]196

URL

  • hxxp[:]//70.39.115[.]196/payment/confirm[.]gif?f=1
  • http[:]//70.39.115[.]196/payment/confirm[.]gif
  • http[:]//70.39.115[.]196/payment/confirm[.]gif?f=2

Remediation

  • Block the threat indicators at their respective controls.
  • Keep all systems and software updated to latest patched versions.
  • Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.