Geeks for your information Security Security Vendors Kaspersky Kaspersky Security Blog v
Platinum is back
Platinum is back
harlan4096 Offline
MalWare Zoo Team
*******
Posts: 15,701
Threads: 10,082
Thanks Received: 9,296 in 7,442 posts
Thanks Given: 10,201
Joined: 12 September 18
#1
Bug  06 June 19, 07:43
Quote:
[Image: platinum-is-back-1.png]

In June 2018, we came across an unusual set of samples spreading throughout South and Southeast Asian countries targeting diplomatic, government and military entities. The campaign, which may have started as far back as 2012, featured a multi-stage approach and was dubbed EasternRoppels. The actor behind this campaign, believed to be related to the notorious PLATINUM APT group, used an elaborate, previously unseen steganographic technique to conceal communication.

As a first stage the operators used WMI subscriptions to run an initial PowerShell downloader which, in turn, downloaded another small PowerShell backdoor. We collected many of the initial WMI PowerShell scripts and noticed that they had different hardcoded command and control (C&C) IP addresses, different encryption keys, salt for encryption (also different for each initial loader) and different active hours (meaning the malware only worked during a certain period of time every day). The C&C addresses were located on free hosting services, and the attackers made heavy use of a large number of Dropbox accounts (for storing the payload and exfiltrated data). The purpose of the PowerShell backdoor was to perform initial fingerprinting of a system since it supported a very limited set of commands: download or upload a file and run a PowerShell script.

At the time, we were investigating another threat, which we believe to be the second stage of the same campaign. We were able to find a backdoor that was implemented as a DLL and worked as a WinSock NSP (Nameservice Provider) to survive a reboot. The backdoor shares several features with the PowerShell backdoor described above: it has hardcoded active hours, it uses free domains as C&C addresses, etc. The backdoor also has a few very interesting features of its own. For example, it can hide all communication with its C&C server by using text steganography.

After deeper analysis we realized that the two threats were related. Among other things, both attacks used the same domain to store exfiltrated data, and we discovered that some of the victims were infected by both types of malware at the same time. It’s worth mentioning that in the second stage, all executable files were protected with a runtime crypter and after unpacking them we found another, previously undiscovered, backdoor that is known to be related to PLATINUM.

Our paper only includes a description of the two previously undiscovered backdoors while the full report is available to customers of the Kaspersky Intelligence Reporting service (contact intelreports@kaspersky.com).
Continue Reading
[-] The following 1 user says Thank You to harlan4096 for this post:
  • silversurfer
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
After Stacked L3, AMD Is Now Exploring W...
In a new research ...harlan4096 — 08:28
Opera 126.0.5750.37
A new Opera Stable...harlan4096 — 08:24
Brave 1.86.139 (Jan 15, 2026)
Release Notes v1.8...harlan4096 — 08:23
Opera One Adds Color-Coded Tab Islands ...
Very nice info. Than...jasonX — 03:06
XYplorer
XYplorer (64-bit) v2...jasonX — 03:05

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
avatar (50)theoldevext
avatar (45)algratCep
avatar (50)Qlaude2Sap
avatar (51)Josepharelf
avatar (40)kholukrefar
avatar (49)Lauraimike
avatar (51)WilsonWag
avatar (49)StevenPiole
avatar (40)zetssToomy
avatar (47)GornOr
avatar (50)Jamesmog
avatar (38)opeqyrav
avatar (38)ivanoFloom
avatar (41)uxegihor

[-]
Online Staff
There are no staff members currently online.

>