Platinum is an advanced, persistent threat group that security researchers around the globe have been tracking since 2012. The group has made headlines more than once for their creativity and for specifically targeting government, military, and diplomatic targets. What’s interesting about Platinum’s approach is that they’ve managed to embed malicious code into what appears to be legitimate text.
The Kaspersky researchers happened across it almost by mistake, when they were tracking what they first believed to be two separate campaigns. The first being a back door that was implemented as a .DLL file that also worked as a WinSock Nameservice Provider (which is how it was able to maintain persistence). In the second, PowerShell scripts were being used to fingerprint systems for the purpose of basic data theft.
The Kaspersky team connected the dots and reached the conclusion that rather than being two separate campaigns, the backdoor disguised as a .DLL is actually the second stage in one elaborate attack. Although what Platinum’s ultimate purpose might be remains unknown at this time.
The researchers had this to say about their recent discovery:
“A couple of years ago, we predicted that more and more APT and malware developers would use steganography, and here is proof: the actors used two interesting steganography techniques in this APT…one more interesting detail is that the actors decided to implement the utilities they need as one huge set – this reminds us of the framework-based architecture that is becoming more and more popular.”
Unless you’re working in a governmental or military facility, you’re unlikely to be on Platinum’s radar. Even if you’re not, their strategies will no doubt filter out to the global community of hackers in due time. Stay vigilant.