November 11, 2019
Severity
Medium
Analysis Summary
An APT group dubbed Platinum is using a new, stealthy backdoor Trojan named Titanium to infiltrate and take control of its targets' systems. The group is known for targeting governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. Platinum apparently uses local intranet websites to deliver the malicious artifacts during the infection process, or a shellcode that is injected into a system process via a still unknown method. The shellcode's only purpose is to gain an initial foothold on the target machine by downloading encrypted payloads from a command and control server, decrypting them, and launching the next payload in the infection chain.
After compromising a system, the malware downloads the files it needs using the Windows Background Intelligent Transfer Service (BITS) and uses the legitimate cURL tool to communicate with the C2 server. The received commands are steganographically hidden inside PNG files, and they allow the attackers to perform a wide range of tasks, including but not limited to:
• Read any file from a file system and send it to the C&C
• Drop or delete a file in the file system
• Drop a file and run it
• Run a command line and send execution results to the C&C
• Update configuration parameters (except the AES encryption key)
• Interactive mode – allows the attacker to send input to console programs and receive their output at the C&C
The APT group is possibly exploiting the vulnerability CVE-2019-13720 in Google Chrome.
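As an added example (not part of the Rewterz alert), the following Python refangs the indicators listed below into blockable form and runs two detection checks over constructed, hypothetical proxy-style log lines (format assumed: timestamp, host, process, URL): a direct IoC match, and the weaker heuristic the summary suggests, a download tool such as cURL or BITS fetching an image file from a bare-IP host, since the backdoor's commands arrive inside image files.

```python
import re

# Indicators from the alert, in the defanged form the page uses.
DEFANGED_IOCS = [
    "70.39.115[.]196",
    "hxxp[:]//70.39.115[.]196/payment/confirm[.]gif?f=1",
    "http[:]//70.39.115[.]196/payment/confirm[.]gif",
    "http[:]//70.39.115[.]196/payment/confirm[.]gif?f=2",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its literal form for a blocklist."""
    ioc = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)

IOCS = [refang(i) for i in DEFANGED_IOCS]
# Legitimate download tools the alert says the malware abuses (bitsadmin stands in for BITS).
DOWNLOAD_TOOLS = {"curl.exe", "bitsadmin.exe"}
# Hypothetical log format: "<timestamp> <host> <process> <url>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<url>\S+)$")
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/", re.IGNORECASE)

def classify(line: str):
    """Return 'high', 'medium' or None for one log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proc, url = m["proc"].lower(), m["url"]
    if any(ioc in url for ioc in IOCS):          # known C2 host or URL
        return "high"
    path = url.split("?", 1)[0].lower()
    if proc in DOWNLOAD_TOOLS and IP_HOST_RE.match(url) and path.endswith((".png", ".gif")):
        return "medium"                          # image pulled from a raw IP by a download tool
    return None

def scan(lines):
    """Return (severity, line) for every line that triggers a check."""
    hits = [(classify(l), l) for l in lines]
    return [(sev, l) for sev, l in hits if sev]

# Constructed sample logs; 203.0.113.7 is a documentation (TEST-NET) address.
SAMPLE_LOGS = [
    "2019-11-11T09:00:01Z WS01 curl.exe http://70.39.115.196/payment/confirm.gif?f=1",
    "2019-11-11T09:00:05Z WS01 bitsadmin.exe http://203.0.113.7/img/banner.png",
    "2019-11-11T09:01:00Z WS02 chrome.exe https://www.example.com/index.html",
    "2019-11-11T09:02:00Z WS03 curl.exe https://www.example.com/api/status",
]

if __name__ == "__main__":
    for sev, line in scan(SAMPLE_LOGS):
        print(sev.upper(), line)
```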
Impact
- Information Theft
- Data Manipulation
- Code Execution
- System Takeover
Indicators of Compromise
Source IP
- 70.39.115[.]196
URL
- hxxp[:]//70.39.115[.]196/payment/confirm[.]gif?f=1
- http[:]//70.39.115[.]196/payment/confirm[.]gif
- http[:]//70.39.115[.]196/payment/confirm[.]gif?f=2
Remediation
- Block the threat indicators at their respective controls.
- Keep all systems and software updated to the latest patched versions.