Platinum Hackers Use Steganography to Mask C&C Communications

silversurfer

Attacks recently attributed to the "Platinum" cyber espionage group have employed an elaborate, previously unseen steganographic technique, researchers from Kaspersky say.

The attacks were observed in June 2018 targeting diplomatic, government and military entities in South and Southeast Asian countries, but the campaign may have started as far back as 2012. Featuring a multi-stage approach, the campaign was dubbed EasternRoppels.

The attack started with WMI subscriptions to run an initial PowerShell downloader and fetch a small PowerShell backdoor for system fingerprinting and downloading additional code.

Various WMI PowerShell scripts employed in the campaign used different command and control (C&C) IP addresses, encryption keys, salt for encryption and active hours. The C&C addresses, the researchers discovered, were located on free hosting services, and the attackers were also heavily reliant on Dropbox accounts for storing the payload and exfiltrated data.

While investigating another threat, the researchers discovered a backdoor they believe to be the second stage of the Platinum campaign. Implemented as a DLL and working as a WinSock NSP (Nameservice Provider) for persistence, the threat has the same characteristics as the PowerShell backdoor detailed above, but uses steganography to hide communications with the C&C.

Further analysis revealed the use of the same domain to store exfiltrated data and common victims for both backdoors. The investigation into the encrypted files in the second stage also revealed a previously undiscovered backdoor related to the Platinum group.

A dedicated dropper is used to install the steganography backdoor. The malware creates directories and saves backdoor-related files (the backdoor itself and its configuration file) in these. Next, it runs the backdoor, ensures persistence, and then removes itself.

Once installed, the backdoor connects to the C&C server and downloads an HTML page that contains embedded commands encrypted with an encryption key that is also embedded into the page.
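The first stage described above persisted through WMI event subscriptions that launched PowerShell. The following hunting helper is an added example, not code from the article or from Kaspersky: it enumerates the permanent subscriptions in `root\subscription` and flags consumers whose command or script text contains PowerShell-related keywords (the keyword list is a constructed heuristic; run it with local administrator rights).

```powershell
# Added hunting helper (not from the article or Kaspersky): lists WMI permanent
# event subscriptions and flags consumers that launch PowerShell, the persistence
# technique the first stage of the campaign relied on. Run as local admin.
function Get-SuspiciousWmiSubscription {
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    # Constructed keyword heuristic; tune it to the environment's baseline.
    $suspect = 'powershell', '-enc', '-encodedcommand', 'downloadstring',
               'invoke-expression', 'iex ', 'frombase64string'

    foreach ($b in $bindings) {
        # With Get-CimInstance the Filter/Consumer properties are embedded
        # instances, so their Name keys can be matched directly.
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
        if (-not $c) { continue }

        # Only these two consumer classes carry executable content.
        $payload = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { '' }
        }
        $hits = $suspect | Where-Object { $payload -and $payload.ToLower().Contains($_) }

        [pscustomobject]@{
            Filter        = $f.Name
            Trigger       = $f.Query          # e.g. a timer or process-start event
            Consumer      = $c.Name
            ConsumerClass = $c.CimClass.CimClassName
            Payload       = $payload
            Suspicious    = [bool]$hits
            Matched       = ($hits -join ',')
        }
    }
}

# Show every binding, suspicious ones first, so benign subscriptions are reviewed too.
Get-SuspiciousWmiSubscription | Sort-Object Suspicious -Descending | Format-List
```

Any CommandLineEventConsumer or ActiveScriptEventConsumer that is not accounted for by known management tooling deserves a closer look, whether or not the keyword heuristic fires.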