One of the world's most technologically advanced hacking groups has a new backdoor that's every bit as sophisticated as its creators.
Dubbed Titanium by the Kaspersky Lab security researchers who discovered it, the malware is the final payload delivered in a long and convoluted attack sequence. The attack chain uses a host of tricks to evade antivirus protection: encryption, mimicking of common device drivers and software, memory-only infections, and a series of droppers that execute the malicious code in a multi-stage sequence. Yet another means of staying under the radar is hidden data delivered steganographically in a PNG image.
Named after a password used to encrypt a malicious archive, Titanium was developed by Platinum, a so-called advanced persistent threat group that focuses its attacks on the Asia-Pacific region, most likely on behalf of a nation-state.
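The steganographic step is the one a defender can most easily reproduce to see why file scanning gets nothing to flag. The script below is an added example, not Platinum's tooling and not code from Kaspersky's analysis: the article does not say which hiding scheme Titanium used, so this uses a generic least-significant-bit scheme on a constructed 8-bit RGB PNG, and the cover image, the payload bytes and the 4-byte length header are all assumptions made here for illustration. The point it demonstrates is that the carrier remains a structurally valid PNG (every chunk CRC checks out) while the hidden bytes never appear contiguously anywhere in the file.

```python
"""LSB steganography in a minimal PNG. Added example, not Platinum's code:
the cover image, payload and length-prefix framing are constructed here."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Length + type + data + CRC32 over type and data, per the PNG spec."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def encode_png(width: int, height: int, rgb: bytes) -> bytes:
    """Minimal 8-bit RGB PNG encoder; every scanline uses filter type 0."""
    assert len(rgb) == width * height * 3
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def decode_png(png: bytes):
    """Walk the chunks back out, verifying each CRC as a viewer would.
    Returns (width, height, rgb). Only 8-bit RGB with filter 0 is handled."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", None, None
    while pos < len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        if ctype == b"IHDR":
            width, height, depth, color = struct.unpack(">IIBB", data[:10])
            if depth != 8 or color != 2:
                raise ValueError("only 8-bit RGB supported")
        elif ctype == b"IDAT":
            idat += data
        elif ctype == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = width * 3
    rows = []
    for y in range(height):
        line = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if line[0] != 0:
            raise ValueError("unsupported filter type %d" % line[0])
        rows.append(line[1:])
    return width, height, b"".join(rows)


def embed(rgb: bytes, payload: bytes) -> bytes:
    """Write a 4-byte big-endian length then the payload, one bit per pixel byte."""
    blob = struct.pack(">I", len(payload)) + payload
    if len(blob) * 8 > len(rgb):
        raise ValueError("payload does not fit in the cover image")
    out = bytearray(rgb)
    for i in range(len(blob) * 8):
        bit = (blob[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(rgb: bytes) -> bytes:
    """Reassemble bytes from the LSBs, honouring the length prefix."""
    def take(start: int, n: int) -> bytes:
        return bytes(sum((rgb[start + i * 8 + j] & 1) << (7 - j) for j in range(8)) for i in range(n))
    (length,) = struct.unpack(">I", take(0, 4))
    if 32 + length * 8 > len(rgb):
        raise ValueError("length prefix exceeds carrier capacity")
    return take(32, length)


def hide_in_png(payload: bytes, width: int = 64, height: int = 64) -> bytes:
    """Constructed gradient cover image with the payload hidden in its LSBs."""
    cover = bytes((x * 7 + y * 3 + c * 11) & 0xFF
                  for y in range(height) for x in range(width) for c in range(3))
    return encode_png(width, height, embed(cover, payload))


def recover_from_png(png: bytes) -> bytes:
    _, _, rgb = decode_png(png)
    return extract(rgb)


if __name__ == "__main__":
    secret = b"constructed stage-2 payload"  # constructed sample, not real malware
    carrier = hide_in_png(secret)
    print("valid PNG of", len(carrier), "bytes; payload literal present:", secret in carrier)
    print("recovered:", recover_from_png(carrier))
```

Scanning the carrier for the payload's byte signature fails because each payload bit lands in a different pixel byte and the whole image is then deflate-compressed; a detection that works here has to key on the dropper that reads the image back, or on the decoded payload once it is in memory, not on the PNG itself.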
“The Titanium APT has a very complicated infiltration scheme,” Kaspersky Lab researchers wrote in a post. “It involves numerous steps and requires good coordination between all of them. In addition, none of the files in the file system can be detected as malicious due to the use of encryption and fileless technologies. One other feature that makes detection harder is the mimicking of well-known software.”
Titanium uses several different methods to initially infect its targets and spread from computer to computer. One is a local intranet that has already been compromised with malware. Another vector is an SFX archive containing a Windows installation task. A third is shellcode that gets injected into the winlogon.exe process (it's still unknown how this happens). The end result is a stealthy and full-featured backdoor that can:
- Read any file from a file system and send it to an attacker-controlled server
- Drop a file onto or delete it from the file system
- Drop a