Recently, the hacker organization Platinum APT has developed a new stealthy backdoor Trojan called Titanium that can penetrate and control its target system. Because Titanium uses encryption and fileless techniques and masquerades as a variety of legitimate programs, it is difficult for firewalls or anti-virus software to detect. The Trojan can steal, implant or delete files in the file system and send the stolen files to a Command and Control (C&C) server.
Since 2009, Platinum APT has been active in the Asia Pacific region, its targets being government organizations, defense agencies, intelligence agencies, diplomatic agencies and telecommunications providers in South and Southeast Asia. When Platinum APT deploys Titanium, the organization uses a chain of artifacts: an exploit that can execute code as the SYSTEM user, a shellcode for downloading further downloaders, a downloader that fetches an SFX archive containing a Windows task installation script, an encrypted SFX archive with the Trojan installer, the installer script, a COM object DLL, and the Titanium body itself. Kaspersky’s research team said:
“The Titanium APT has a very complicated infiltration scheme. It involves numerous steps and requires good coordination between all of them. In addition, none of the files in the file system can be detected as malicious due to the use of encryption and fileless technologies. One other feature that makes detection harder is the mimicking of well-known software.”
In addition, the attacker can also inject the shellcode into a system process to propagate the Trojan. The shellcode downloads the encrypted payload from the C&C server and decrypts it to enter the next stage of the infection.