'Platinum' Hacking Group Strikes Again With Complex Titanium Backdoor To Windows (securelist.com)
Freshly Exhumed shares a report from Securelist: Platinum is one of the most technologically advanced APT actors with a traditional focus on the APAC region. During recent analysis we discovered Platinum using a new backdoor that we call Titanium (named after a password to one of the self-executable archives). Titanium is the final result of a sequence of dropping, downloading and installing stages. The malware hides at every step by mimicking common software (protection related, sound drivers software, DVD video creation tools).
The Titanium APT has a very complicated infiltration scheme. It involves numerous steps and requires good coordination between all of them. In addition, none of the files in the file system can be detected as malicious due to the use of encryption and fileless technologies. One other feature that makes detection harder is the mimicking of well-known software. One of the methods Titanium uses to infect its targets and spread is via a local intranet that has already been compromised with malware. Another is via an SFX archive containing a Windows task installation script. A third is shellcode that gets injected into the winlogon.exe process (it's still unknown how this happens).
windows pro/home gets a virus (Score:3)
Honestly, most users just need a browser. I fail to see why Windows Pro is deployed en masse any more...
Chromebooks or even Windows S.
What I would really like is a desktop browser mode built into mobile phones, so that when you attach a phone to USB-C it charges but connects to the monitor/KVM and provides a full-size browser that, managed by MDM, would be awesome!
Re:windows pro/home gets a virus (Score:5, Insightful)
The details are scant at the moment, but if this new APT is not stupid (and it doesn't appear to be) there is the possibility that it will delete itself from computers that are not of interest (i.e. most users' computers). Sophisticated APT actors don't want millions of copies of the "malware" installed on random computers and if the software somehow ends up on grandma's computer it will likely uninstall itself (e.g. like APTs by Equation Group). The more copies "in the wild" the less stealthy it is and more open to analysis. So, yeah, if grandma's Windows computer somehow gets targeted the APT software will likely not install at all, or uninstall itself as soon as it can. The APT actors want the software on critical systems; they are targeted.
What does fileless mean? (Score:2)
You seem to know this area, so I'll ask. Please explain how file-less systems would preserve state across reboots and such.
Re:windows pro/home gets a virus (Score:5, Informative)
What I would really like is a desktop browser mode built into mobile phones, so that when you attach a phone to USB-C it charges but connects to the monitor/KVM and provides a full-size browser that, managed by MDM, would be awesome!
Don't know if this is exactly what you want, but the Librem 5 [puri.sm] phone runs PureOS (Linux distribution) which would give you any Linux desktop app you want. Don't know if it can be attached to an external KVM. For that, check out Maru [maruos.com] built on Android Oreo. Their info says:
Simply plug your phone into an HDMI screen, connect up a keyboard and mouse, and you’ve got a lightweight desktop experience you can take anywhere. Maru automatically detects when an external display is available and spins up your desktop. It boots in less than 5 seconds.
Deja vu? (Score:1)
This reminds me a lot of the DirecTV ECM in 2001 [slashdot.org].
Article: Shellcode is injected into winlogon.exe (Score:1)
Also article: "In addition, none of the files in the file system can be detected as malicious due to the use of encryption and fileless technologies."
Anyone care to explain how it's possible that antivirus can't detect shellcode injection into a core Windows process?
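An added detection example, not from the Securelist report or any poster in this thread, in Python over constructed Sysmon-style events: it flags the two infection steps the summary names, a scheduled task installed from a self-extracting archive and a remote thread opened in winlogon.exe, which is the kind of process telemetry that a file-scanning antivirus signature never sees. The event records, paths, regex and allow-list of trusted sources are assumptions made for illustration.

```python
# Added example (not the report's or any poster's code): toy detector over
# constructed Sysmon-style events. All records, paths and the allow-list
# below are assumptions for illustration, not observed Titanium indicators.
import re

# Constructed sample events (Sysmon-like: ID 1 = process creation,
# ID 8 = CreateRemoteThread). Field names follow Sysmon's schema.
EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\RarSFX0\DVDVideoSetup.exe",
     "CommandLine": r'schtasks /create /tn "AudioDriverUpdate" /tr "C:\Users\u\AppData\Local\Temp\RarSFX0\svc.exe" /sc onlogon'},
    {"id": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'schtasks /create /tn "Vendor Update Task" /tr "C:\Program Files\Vendor\update.exe" /sc daily'},
    {"id": 8, "SourceImage": r"C:\Users\u\AppData\Local\Temp\RarSFX0\svc.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe"},
    {"id": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe"},
]

# Directories an SFX archive typically extracts into (assumed), and an
# assumed allow-list of system binaries your baseline shows opening winlogon.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.I)
WINLOGON = r"\windows\system32\winlogon.exe"
TRUSTED_INJECTORS = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\lsass.exe"}

def suspicious_task_install(ev):
    """Task created by, or pointing at, a user-writable path (the SFX step)."""
    if ev["id"] != 1 or not ev["Image"].lower().endswith(r"\schtasks.exe"):
        return False
    if "/create" not in ev["CommandLine"].lower():
        return False
    return bool(USER_WRITABLE.search(ev["ParentImage"]) or USER_WRITABLE.search(ev["CommandLine"]))

def suspicious_winlogon_thread(ev):
    """Remote thread opened in winlogon.exe by a source not on the allow-list."""
    if ev["id"] != 8 or not ev["TargetImage"].lower().endswith(WINLOGON):
        return False
    return ev["SourceImage"].lower() not in TRUSTED_INJECTORS

def triage(events):
    """Return (rule_name, offending_image) pairs for every matching event."""
    hits = []
    for ev in events:
        if suspicious_task_install(ev):
            hits.append(("sfx_task_install", ev["ParentImage"]))
        if suspicious_winlogon_thread(ev):
            hits.append(("winlogon_remote_thread", ev["SourceImage"]))
    return hits

if __name__ == "__main__":
    for rule, image in triage(EVENTS):
        print(f"[{rule}] {image}")
```

Both rules key on process behaviour rather than file content, so they still fire when the dropped stages are encrypted on disk or never written to disk at all.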
Fileless technologies? (Score:2)
Does this mean it hides part of itself on unused blocks on the disk outside of the filesystem? If so that might be a risky strategy if the filesystem suddenly needs them.
Or are they talking about some other process?
Re: (Score:2)
It's hard to tell from the information currently available what "outside of the filesystem" really means. But APTs are not typical malware and likely cost many millions of dollars to develop, so "outside of the filesystem" is not out of the question and not impossible. For example, the code from one APT actor modifies the firmware of hard disk drives:
Although the implementation of their malware systems is incredibly complex, surpassing even Regin in sophistication, there is one aspect of the EQUATION group’s attack technologies that exceeds anything we have ever seen before. This is the ability to infect the hard drive firmware.
(emphasis in original) (https://web.archive.org/web/20150217023145/https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf)
If the firmwa
Re: (Score:2)
Not a good strategy - there's this thing called the OFF switch.