The Platinum advanced persistent threat (APT) group is back with new techniques that employ steganography to hide their actions in text.
On Wednesday, Kaspersky researchers said the discovery was made while tracking hacking activity across Asian countries this month. The method of disguise, of particular interest to the team, is a "previously unseen steganographic technique to conceal communication."
Platinum came on to the scene and snagged the interest of cybersecurity researchers in 2012. The APT's campaign tends to focus on diplomatic, government and military targets.
This is not the first time that Platinum has been linked with obscure or novel attack techniques -- given the group's use of a now-deprecated feature in Windows called hotpatching in the past -- but it is the first time that steganography appears to have been used.
Steganography is a broad term for hiding data within other forms of data. In the cybersecurity realm, this could mean obscuring malicious code by sneaking it into image, audio, or video files, or in this particular case, through what appears to be legitimate text.
Kaspersky stumbled across Platinum's latest exploits by tracking what the cybersecurity firm first believed were two separate campaigns. In one, PowerShell scripts were abused to fingerprint systems for the purposes of basic data theft -- such as system information -- and in order to install backdoors to send this information to hardcoded command-and-control (C2) addresses.
The second involved a backdoor implemented as a .DLL file which also worked as a WinSock NSP (Nameservice Provider) to maintain persistence.
The team connected the dots because both used hardcoded active hours for the malware and abused free hosting and domain services to establish fixed C2 addresses.
However, the second backdoor, now believed to be the second step in infection after the preliminary PowerShell infection has stolen basic PC specifications, is the most interesting element of Platinum's latest attacks. According to the researchers, the backdoor is able to hide all C2 communication by using text steganography.
A malware dropper installs both the .DLL backdoor and a configuration file.
Active hours are selected and, when in use, the backdoor connects to the C2 and downloads an HTML page which, at first glance, appears to show the C2 is not operational.
However, this is where the steganographic technique comes into play. The HTML page actually contains embedded commands which are encrypted, and the key to unlock the commands is also hidden in the same page.
The embedded data is placed inside an < --1234567890 > tag, and the researchers say there are two techniques in play, the first of which is "based on the principle that HTML is indifferent to the order of tag attributes."
On line 31 of the page, the attributes "align", "bgcolor", "colspan" and "rowspan" are listed in alphabetical order, whereas on the following line the same attributes are listed in a different order.
Because the page renders the same whichever order is used, the particular arrangement of the attributes can itself encode a hidden message.
A second steganographic technique, known as SNOW, is then used to decode the message and encryption key. SNOW hides data in whitespace appended to the end of lines.
"The backdoor decodes line by line and collects an encryption key for the data, which is placed right after the HTML tags in an encoded state too," the researchers say. "The result is a list of commands to execute, protected the same way as the backdoor configuration file."
These raw commands are then extracted and executed. Not only is the backdoor able to ferry stolen data, but also download and execute additional payloads, upgrade and uninstall itself, as well as modify its own configuration file.
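A defender reviewing proxy or HTTP captures can check a response body for both carriers described above: the same tag attributes appearing in more than one order, and runs of spaces and tabs at line ends. The following Python heuristic is an added example, not code from Kaspersky or from the malware; the sample page, the function names and the `min_run` threshold are constructed assumptions.

```python
from html.parser import HTMLParser

# Constructed sample page (assumption, not taken from the Kaspersky report).
SAMPLE_PAGE = (
    "<html><body>\n"
    "<table>\n"
    '<tr><td align="left" bgcolor="#fff" colspan="1" rowspan="1">Down</td></tr> \t  \t\n'
    '<tr><td rowspan="1" align="left" colspan="1" bgcolor="#fff">for</td></tr>\t \t\n'
    "<tr><td>maintenance</td></tr>\n"
    "</table>\n"
    "</body></html>\n"
)

class AttrOrderCollector(HTMLParser):
    """Record the attribute-name order of every multi-attribute start tag."""
    def __init__(self):
        super().__init__()
        self.seen = []  # (line, tag, attribute names in document order)

    def handle_starttag(self, tag, attrs):
        names = tuple(name for name, _ in attrs)
        if len(names) > 1:
            self.seen.append((self.getpos()[0], tag, names))

def permuted_attribute_tags(html):
    """Return tags whose attribute set recurs in more than one ordering."""
    collector = AttrOrderCollector()
    collector.feed(html)
    orderings = {}
    for _, tag, names in collector.seen:
        orderings.setdefault((tag, frozenset(names)), set()).add(names)
    return [(line, tag, names) for line, tag, names in collector.seen
            if len(orderings[(tag, frozenset(names))]) > 1]

def trailing_whitespace_lines(html, min_run=2):
    """Return (line number, run length) for lines ending in spaces/tabs."""
    hits = []
    for number, line in enumerate(html.splitlines(), start=1):
        run = len(line) - len(line.rstrip(" \t"))
        if run >= min_run:
            hits.append((number, run))
    return hits

def looks_like_text_stego(html):
    """Heuristic: both indicators present in the same response body."""
    return bool(permuted_attribute_tags(html)) and bool(trailing_whitespace_lines(html))

if __name__ == "__main__":
    print(permuted_attribute_tags(SAMPLE_PAGE), trailing_whitespace_lines(SAMPLE_PAGE))
```

Both indicators also occur in benign, hand-edited HTML, so a hit is a reason to look more closely at the requesting host and the destination, not a verdict.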
Kaspersky also found a tool designed for the backdoor, a management utility set with over 150 options, and another backdoor which is able to sniff network traffic and potentially link victim systems to a P2P network.
"A couple of years ago, we predicted that more and more APT and malware developers would use steganography, and here is proof: the actors used two interesting steganography techniques in this APT," Kaspersky says. "One more interesting detail is that the actors decided to implement the utilities they need as one huge set -- this reminds us of the framework-based architecture that is becoming more and more popular."