PLATINUM APT Found Using Text-based Steganography to Hide Backdoor
*Note: This article was originally published by the author on June 6, 2019.
What is PLATINUM? Or, rather, who is PLATINUM in terms of Advanced Persistent Threat (APT) groups?
Platinum APT hides backdoor communication in text | ZDNet
The Platinum advanced persistent threat (APT) group is back with new techniques that employ steganography to hide their…
As more evidence that malware developers are using digital steganography as an advanced malware detection evasion technique, the seemingly dormant PLATINUM APT group attributed to Southeast Asia has been found using text-based steganography to fingerprint infected systems and plant Remote Access Trojan (RAT) backdoors on those systems according to Kaspersky researchers. This text-based steganography technique uses two different types of digital steganography that involve message encoding and hiding and a second steg technique referred to as “SNOW.”
The SNOW Home Page
The program SNOW is used to conceal messages in ASCII text by appending whitespace to the end of lines. Because spaces…
The Steganographic Nature of Whitespace or SNOW for short is a steganographic covert messaging technique that involves “…concealing messages in ASCII text by appending whitespace to the end of [sentence] lines” (Kwan, 2013). The technique exploits the fact that most text viewer applications do not show spaces and tabs which hide encrypted messages that are unreadable even if detected without the correct decryption key. You can download the software to perform SNOW steg here.
Essentially, hidden text is encoded and hidden directly after the HTML tags using the ‘tab’ and ‘space bar’ keys on the keyboard and the SNOW steg technique which actually decodes the hidden message and encryption key hidden in the whitespace (Osborne, 2019). The hidden whitespace message contains the RAT backdoor command and control (C2) server commands to communicate back-and-forth with the C2 server and the compromised host. This is a unique method of exfiltrating data in plain sight using digital steganography and the backdoor can potentially serve as a delivery mechanism for all sorts of other nasty malware if the attacker so chooses to use it. For example, “Kaspersky also found a tool designed for the backdoor which is a management utility set with over 150 options and another backdoor which is able to sniff network traffic and potentially link victim systems to a P2P network” (Osborne, 2019).
PLATINUM Hacking Group Returns, Using Steganography to Fly Under Security Radar
Kaspersky researchers have uncovered a highly sophisticated cyberespionage campaign aimed at stealing information from…
Believed to have been active in the APT scene since at least 2009, PLATINUM has traditionally focused its activity on governments and government-related organizations in South Asia and Southeast Asia according to the MITRE ATT&CK framework. PLATINUM has employed Computer Network Espionage (CNE) techniques such as spearphishing attachments, process injection, hooking, credential dumping (Hello Mimikatz!), and drive-by compromise against vulnerable browser plugins. Clearly, this APT group is one to watch out for, as much as is possible.
They are clearly an advanced adversary, so noticing their activity will not be easy. The group likes to employ some very sophisticated and unique attack methods. This latest APT malware technique using sophisticated and unique steganography is one reason that this clever group’s activity has been able to remain seemingly dormant or at least appear to be laying low for years. It also serves to demonstrate that APT groups seldom ever just disappear and stop their activity. There is too much to be illicitly gained to just stop cold turkey. More likely, they change tactics, techniques, and procedures (TTP) to obfuscate their digital trail of bits online.
PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets…
The best way to defend against this type of sophisticated APT malware threat is through security awareness training for employees to avoid phishing, spearphishing, and whaling email attempts. Kaspersky also recommends employing Endpoint Detection and Response (EDR). Additionally, one might consider adopting a zero-trust security approach combined with network micro-segmentation, threat intelligence monitoring for SOC analyst teams, and some measure of “corporate-grade advanced threat detection” if feasible for your organization (WebWire, 2019).