According to reports from digital forensics experts, the dangerous hacker group known as Platinum has announced the release of Titanium, a new backdoor Trojan that includes advanced features to control an infected computer completely.
The report, published by security firm
Kaspersky Lab, mentions that this backdoor can hide from the sight of victims
posing as some legitimate software, such as CD burner, sound controller, or
even as an anti-malware security tool.
Digital forensics experts say Platinum, also
identified as TwoForOne, has been active for at least a decade, injecting
malicious code into government networks, intelligence agencies, National
Defense institutions, telecommunications companies and other large
organizations around the world, registering intense activity in the south and
east regions of Asia.
Regarding this new malware, Kaspersky Lab
experts ensure that Titanium has a complex sequence for its delivery, download
and installation on the target system, concluding this process with the
deployment of the backdoor.
Titanium is also able to bypass the detection
of almost any security tool, employing encryption, camouflage techniques and
delivering steganography-covered data via PNG images.
According to the report of the digital
forensics specialists, after the Trojan completes the infection, the final
payload is delivered and the files necessary for its execution are downloaded
using the Windows Background Intelligent Transfer Service (BITS). Communication
between the Trojan and its command and control (C&C) server is presented by
a cURL tool.
The Trojan must send a base 64-encoded request,
which contains a system ID, computer name, and hard drive serial number, to
begin the server script: “The commands will begin to be received after
setting the connection,” the experts added.
Among the main functions of this Trojan are:
any system file
any file from the system to C&C
and execution of any file
In addition, this Trojan has an ‘interactive
mode’ that allows attackers to receive inputs from the console programs and
send the outputs to the C&C.
According to experts from the International Institute
of Cyber Security (IICS) there is still no evidence of this Trojan’s activity in
the wild, although the fact that it is available on deep
web makes an attack very likely in the near future.