Platinum, one of the most technically advanced APT (Advanced Persistent Threat) groups, has deployed a new backdoor trojan named Titanium. The backdoor gives its operators complete control of the victim's computer.
Researchers at Kaspersky recently found the new trojan in South and South-East Asia, mainly targeting Indonesia, Malaysia and Vietnam. The trojan masquerades as legitimate software such as DVD burners, security software and sound drivers.
The Titanium APT includes a complex sequence of dropping, downloading and installing stages, with deployment of a Trojan-backdoor as the final step.
Researchers, Kaspersky Lab
The infection chain can vary, but the common stages are:
- An exploit that gains code execution as SYSTEM.
- Shellcode that connects to a command-and-control (C2) address and fetches the next-stage downloader.
- That downloader retrieves an SFX (self-extracting) archive containing a Windows task installation script; the script installs a scheduled task to establish persistence on the infected PC.
- The next downloader retrieves another password-protected archive (password: Titanium), which an installation script unpacks automatically and launches through a COM object DLL.
- Finally, a BITS downloader fetches encrypted files from the C2 servers and launches them.
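To make the chain above actionable for defenders, here is an added hunting example that is not part of the Kaspersky report or of this article: it runs simple rules over constructed Windows telemetry records (Security event 4698, scheduled task created; Microsoft-Windows-Bits-Client/Operational event 59, transfer job started; and a CLSID InprocServer32 registry value) and flags task actions or COM servers that live in user-writable paths, plus BITS jobs pulling from unexpected origins. The record layout, the sample values, the environment-variable map and the allow-lists are assumptions made for the demo; in practice the records would come from Get-WinEvent, Sysmon or a SIEM.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample telemetry (assumed layout, not real Titanium artefacts):
# two 4698 scheduled-task events, two BITS event 59 records, one CLSID value.
SAMPLE_RECORDS = [
    {"source": "Security", "id": 4698, "task_name": "\\DVD Burner Update",
     "content": ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                 "<Actions><Exec><Command>C:\\ProgramData\\DVDBurn\\dvdupd.exe</Command>"
                 "<Arguments>/quiet</Arguments></Exec></Actions></Task>")},
    {"source": "Security", "id": 4698, "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "content": ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                 "<Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command>"
                 "</Exec></Actions></Task>")},
    {"source": "Microsoft-Windows-Bits-Client/Operational", "id": 59,
     "message": "BITS started the Windows Update transfer job that is associated with "
                "the http://download.windowsupdate.com/d/msdownload/update.cab URL."},
    {"source": "Microsoft-Windows-Bits-Client/Operational", "id": 59,
     "message": "BITS started the SoundDriverUpdate transfer job that is associated with "
                "the http://203.0.113.9/img/banner.png URL."},
    {"source": "Registry",
     "key": "HKCR\\CLSID\\{11111111-2222-3333-4444-555555555555}\\InprocServer32",
     "value": "C:\\Users\\Public\\Libraries\\audiosrv.dll"},
]

# Assumed expansions and allow-lists; tune these to the estate being hunted.
ENV_MAP = {"%windir%": "C:\\Windows", "%systemroot%": "C:\\Windows",
           "%programdata%": "C:\\ProgramData"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\windows\\tasks\\")
TRUSTED = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
EXPECTED_BITS_HOSTS = ("windowsupdate.com", "microsoft.com")
BITS_URL_RE = re.compile(r"associated with the (\S+) URL", re.I)


def normalise_path(path: str) -> str:
    """Lower-case, strip quotes and expand the few env vars the demo knows about."""
    p = path.strip().strip('"').lower()
    for var, real in ENV_MAP.items():
        if p.startswith(var):
            p = real.lower() + p[len(var):]
    return p


def classify_path(path: str) -> str:
    """'user-writable' beats 'trusted': C:\\Windows\\Temp is writable by everyone."""
    p = normalise_path(path)
    if p.startswith(USER_WRITABLE):
        return "user-writable"
    if p.startswith(TRIGGER if False else TRUSTED):
        return "trusted"
    return "unknown"


def task_commands(task_xml: str):
    """Pull every <Command> out of the 4698 TaskContent XML, ignoring the namespace."""
    root = ET.fromstring(task_xml)
    return [el.text or "" for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "Command"]


def bits_origin(message: str):
    m = BITS_URL_RE.search(message)
    return urlparse(m.group(1)).hostname if m else None


def unexpected_host(host) -> bool:
    """Bare IP literals and hosts outside the allow-list are worth a look."""
    if host is None or re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return True
    return not any(host == d or host.endswith("." + d) for d in EXPECTED_BITS_HOSTS)


def hunt(records):
    findings = []
    for r in records:
        if r.get("source") == "Security" and r.get("id") == 4698:
            for cmd in task_commands(r["content"]):
                if classify_path(cmd) != "trusted":
                    findings.append({"rule": "scheduled-task-untrusted-path",
                                     "detail": f"{r['task_name']} -> {cmd}"})
        elif r.get("id") == 59 and "Bits-Client" in r.get("source", ""):
            host = bits_origin(r["message"])
            if unexpected_host(host):
                findings.append({"rule": "bits-unexpected-origin", "detail": f"{host}: {r['message']}"})
        elif r.get("source") == "Registry" and r["key"].lower().endswith("\\inprocserver32"):
            if classify_path(r["value"]) == "user-writable":
                findings.append({"rule": "com-inprocserver32-writable",
                                 "detail": f"{r['key']} -> {r['value']}"})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f["rule"], "|", f["detail"])
```

Each rule maps to one stage of the chain: the scheduled task installed from the SFX archive, the COM object DLL used to launch the next stage, and the BITS job that fetches the encrypted final payload. The rules are deliberately coarse; their value is in surfacing the handful of tasks, CLSIDs and BITS origins that do not match the baseline of a managed Windows fleet.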
The received commands are steganographically hidden data within PNG files and they allow the attackers to perform a wide range of tasks including but not limited to:
Sergiu Gatlan, Bleeping Computer
• Read any file from a file system and send it to the C&C
• Drop or delete a file in the file system
• Drop a file and run it
• Run a command line and send execution results to the C&C
• Update configuration parameters (except the AES encryption key)
• Interactive mode – allows the attacker to receive input from console programs and send their output to the C&C
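The article does not describe how Titanium actually encodes commands inside PNG files, so the following is a generic illustration of the technique, added here and not taken from Kaspersky's report or from the malware: it hides a command in the least-significant bits of an 8-bit RGB PNG's pixel data and recovers it again. The minimal PNG writer and reader, the 4-byte length prefix and the constructed cover image are all assumptions made for the demo.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    # length, type, data, then CRC32 over type+data as the PNG spec requires
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def write_png(width: int, height: int, pixels: bytes) -> bytes:
    """Minimal encoder: 8-bit RGB (colour type 2), filter byte 0 on every row."""
    stride = width * 3
    raw = b"".join(b"\x00" + pixels[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png(data: bytes):
    """Minimal decoder for the images write_png() produces; returns (w, h, rgb bytes)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("chunk CRC mismatch")
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", body[:10])
            if depth != 8 or colour != 2:
                raise ValueError("demo reader only handles 8-bit RGB")
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            break
        pos += 12 + length
    raw, stride = zlib.decompress(idat), width * 3
    pixels = bytearray()
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[0] != 0:
            raise ValueError("demo reader only handles filter type 0")
        pixels += row[1:]
    return width, height, bytes(pixels)


def embed(pixels: bytes, payload: bytes) -> bytes:
    """Write a 4-byte big-endian length, then the payload, into successive channel LSBs."""
    msg = struct.pack(">I", len(payload)) + payload
    bits = [(b >> i) & 1 for b in msg for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit  # each channel value changes by at most 1
    return bytes(out)


def extract(pixels: bytes):
    """Inverse of embed(); returns None when the length prefix cannot be valid."""
    def read_bytes(start: int, n: int) -> bytes:
        return bytes(sum((pixels[start + i * 8 + j] & 1) << (7 - j) for j in range(8)) for i in range(n))
    (length,) = struct.unpack(">I", read_bytes(0, 4))
    if 32 + length * 8 > len(pixels):
        return None  # not a carrier of this scheme (or a clean image)
    return read_bytes(32, length)


def make_cover(width: int, height: int) -> bytes:
    """Constructed deterministic gradient standing in for a real cover image."""
    return bytes(((x * 7 + y * 13 + c * 31) & 0xFF)
                 for y in range(height) for x in range(width) for c in range(3))


def hide_command(cover: bytes, width: int, height: int, command: bytes) -> bytes:
    return write_png(width, height, embed(cover, command))


def recover_command(png: bytes):
    _, _, pixels = read_png(png)
    return extract(pixels)


def max_channel_delta(a: bytes, b: bytes) -> int:
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    cover = make_cover(16, 16)
    carrier = hide_command(cover, 16, 16, b"exec whoami /all")
    print(recover_command(carrier))
    print(max_channel_delta(cover, read_png(carrier)[2]))
    print(recover_command(write_png(16, 16, cover)))
```

The point for defenders is visible in max_channel_delta: the carrier differs from the original by at most one unit per channel, so it looks like any other image on the wire and passes the PNG CRC checks. Network content inspection therefore does not help; the extractor above is the kind of tool an analyst writes once the real encoding has been reverse-engineered from the sample, and the length-prefix sanity check is what tells a clean image apart from a carrier.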
The trojan spreads its work across many tasks and Windows API calls, which hampers antivirus detection, and it camouflages itself as necessary drivers to fool the system. At the time of publication the researchers had not yet detected any active campaign activity.
The Titanium APT has a very complicated infiltration scheme. It involves numerous steps and requires good coordination between all of them. In addition, none of the files in the file system can be detected as malicious due to the use of encryption and fileless technologies. One other feature that makes detection harder is the mimicking of well-known software.
Researchers, Kaspersky Lab