The advanced persistent threat (APT) group tracked by Microsoft as Platinum is using a new stealthy Trojan-backdoor malware dubbed Titanium to infiltrate and take control of their targets' systems.
What makes Titanium stand out is its use of various methods of hiding in plain sight by camouflaging as security solutions, sound drivers, or software commonly used to create DVDs.
Platinum (also tracked as TwoForOne by Kaspersky) has been active since at least 2009 in the APAC region, targeting "governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia," as per Microsoft.
Microsoft also discovered in 2017 that Platinum had started using the Intel Active Management Technology (AMT) Serial-over-LAN (SOL) channel for communication, thus evading conventional traffic monitoring and filtering solutions running on compromised devices.
As part of the Titanium campaign, Platinum used a multi-step infection sequence that employs several downloading, dropping, and installing stages to infect victims from South and Southeast Asia with the final backdoor payload, as researchers at Kaspersky found during recent analysis.
Targeted countries (Kaspersky)
Convoluted infection process

The hacking group employed multiple artifacts during these attacks, with each of them using the following specific distribution sequence:
an exploit capable of executing code as a SYSTEM user
a shellcode to download the next downloader
a downloader to download an SFX archive that contains a Windows task installation script
a password-protected SFX archive with a Trojan-backdoor installer
an installer script (ps1)
a COM object DLL (a loader)
the Trojan-backdoor itself
According to Kaspersky's research team, Platinum apparently uses local intranet websites to deliver the malicious artifacts during the infection process, or a shellcode that gets injected into a system process via a yet unknown method.
The shellcode's only purpose is to gain an initial foothold on a target's machine by downloading encrypted payloads from a command and control server, decrypting them, and launching the next payload in the infection chain.
Titanium C2 communication (Kaspersky)
After compromising a system, the malware will go through the other steps needed to drop the final payload, downloading the files it needs using the Windows Background Intelligent Transfer Service (BITS) and making use of the legitimate cURL tool to communicate with the C2 server.
The Titanium payload will be loaded into memory and launched using a payload loader that makes heavy use of obfuscation via Windows API calls and loops to "bypass some simple AV emulation engines."
To initiate the C2 server command stream, Titanium sends "a base64-encoded request that contains a unique SystemID, computer name, and hard disk serial number. After that, the malware starts receiving commands."
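Because the registration request carries the victim's computer name in base64, a defender who knows their own hostnames can decode base64-looking tokens in web proxy logs and look for them. The following is an added detection example written for this article, not Kaspersky's or Microsoft's code; the log format, field names and separators in the sample are assumptions, not Titanium's real wire format.

```python
import base64
import binascii
import re
import string

# Titanium's first C2 request is a base64 blob holding a SystemID, the computer
# name and the hard-disk serial. The computer name is something the defender
# already knows, so decode every base64-looking token and check for it in clear.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
PRINTABLE = set(string.printable)


def decode_if_text(token):
    """Return the decoded token as text if it is valid, printable base64, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and all(c in PRINTABLE for c in text) else None


def find_beacons(log_lines, known_hostnames):
    """Return (line_no, decoded_text) for lines whose base64 payload names one of our hosts."""
    wanted = {h.lower() for h in known_hostnames}
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for token in B64_TOKEN.findall(line):
            text = decode_if_text(token)
            if text and any(h in text.lower() for h in wanted):
                hits.append((line_no, text))
    return hits


# Constructed sample proxy log: a plain request, a benign base64 parameter, and a
# registration-shaped beacon (field layout is an assumption for illustration only).
_BEACON = base64.b64encode(b"id=5f3a9c1e;host=WS-FIN-07;hdd=WD-WXA1B2C3D4").decode()
SAMPLE_LOG = [
    "10.0.0.12 GET http://intranet.example/updates/readme.txt 200",
    "10.0.0.12 POST http://203.0.113.7/api/init?d=SGVsbG8gd29ybGQhIFRoaXMgaXMgZmluZS4= 200",
    "10.0.0.12 POST http://203.0.113.7/api/init?d=" + _BEACON + " 200",
]

if __name__ == "__main__":
    for line_no, text in find_beacons(SAMPLE_LOG, {"WS-FIN-07"}):
        print(f"line {line_no}: possible registration beacon -> {text}")
```

Short or non-printable decodes are ignored, so ordinary base64 parameters such as session tokens do not fire; the heuristic only flags blobs that decode to text naming one of the monitored hosts.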
Backdoor comes with an interactive mode

The received commands are steganographically hidden data within PNG files and they allow the attackers to perform a wide range of tasks including but not limited to:
Read any file from a file system and send it to the C&C
Drop or delete a file in the file system
Drop a file and run it
Run a command line and send execution results to the C&C
Update configuration parameters (except the AES encryption key)
Interactive mode allows the attacker to receive input from console programs and send their output to the C&C
The infiltration scheme used by the Platinum APT group to infect their victims "involves numerous steps and requires good coordination between all of them," Kaspersky concluded.
"In addition, none of the files in the file system can be detected as malicious due to the use of encryption and fileless technologies."