Titanium (malware)

Last updated

Titanium Malware
Common nameTitanium
Classification Computer trojan
Author(s) PLATINUM

Titanium is a very advanced backdoor malware APT, developed by PLATINUM, a cybercrime collective. The malware was uncovered by Kaspersky Lab and reported on 8 November 2019. [1] [2] [3] [4] [5] [6] [7] According to Global Security Mag, "Titanium APT includes a complex sequence of dropping, downloading and installing stages, with deployment of a Trojan-backdoor at the final stage." [2] Much of the sequence is hidden from detection in a sophisticated manner, including hiding data steganographically in a PNG image. [3] In their announcement report, Kaspersky Lab concluded: "The Titanium APT has a very complicated infiltration scheme. It involves numerous steps and requires good coordination between all of them. In addition, none of the files in the file system can be detected as malicious due to the use of encryption and fileless technologies. One other feature that makes detection harder is the mimicking of well-known software. Regarding campaign activity, we have not detected any current activity [as of 8 November 2019] related to the Titanium APT." [1]

Contents

See also

Related Research Articles

Malware Portmanteau for malicious software

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive users access to information or which unknowingly interferes with the user's computer security and privacy. By contrast, software that causes harm due to some deficiency is typically described as a software bug. Malware poses serious problems to individuals and businesses. According to Symantec’s 2018 Internet Security Threat Report (ISTR), malware variants number has increased to 669,947,865 in 2017, which is twice as many malware variants as in 2016. Cybercrime, which includes malware attacks as well as other crimes committed by computer, was predicted to cost the world economy 6 trillion dollars in 2021, and is increasing at a rate of 15% per year.

Timeline of computer viruses and worms Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Rootkit Software designed to enable access to unauthorized locations in a computer

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

Antivirus software Computer software to defend against malicious computer viruses

Antivirus software, or antivirus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

Mobile malware is malicious software that targets Kg or wireless-enabled Lff (PDA), by causing the collapse of the system and loss or leakage of confidential information. As wireless phones and PDA networks have become more and more common and have grown in complexity, it has become increasingly difficult to ensure their safety and security against electronic attacks in the form of viruses or other malware.

Kaspersky Internet Security

Kaspersky Internet Security is an internet security suite developed by Kaspersky Lab compatible with Microsoft Windows and Mac OS X. Kaspersky Internet Security offers protection from malware, as well as email spam, phishing and hacking attempts, and data leaks. Kaspersky Lab Diagnostics results are distributed to relevant developers through the MIT License.

Kaspersky Lab Russian multinational cybersecurity and anti-virus provider

Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky, and Alexey De-Monderik; Eugene Kaspersky is currently the CEO. Kaspersky Lab develops and sells antivirus, internet security, password management, endpoint security, and other cybersecurity products and services.

Advanced persistent threat Set of stealthy and continuous computer hacking processes

An advanced persistent threat (APT) is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

Alureon is a trojan and bootkit created to steal data by intercepting a system's network traffic and searching for: banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).

Flame, also known as Flamer, sKyWIper, and Skywiper, is modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system. The program is used for targeted cyber espionage in Middle Eastern countries.

Careto, sometimes called The Mask, is a piece of espionage malware discovered by Kaspersky Lab in 2014. Because of its high level of sophistication and professionalism, and a target list that included diplomatic offices and embassies, Careto is believed to be the work of a nation state. Kaspersky believes that the creators of the malware were Spanish-speaking.

DarkHotel is a targeted spear-phishing spyware and malware-spreading campaign that appears to be selectively attacking business hotel visitors through the hotel's in-house WiFi network. It is characterized by Kaspersky Lab as an advanced persistent threat.

Regin is a sophisticated malware and hacking toolkit used by United States' National Security Agency (NSA) and its British counterpart, the Government Communications Headquarters (GCHQ). It was first publicly revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. The malware targets specific users of Microsoft Windows-based computers and has been linked to the US intelligence-gathering agency NSA and its British counterpart, the GCHQ. The Intercept provided samples of Regin for download, including malware discovered at a Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but some of the earliest samples date from 2003. Among computers infected worldwide by Regin, 28 percent were in Russia, 24 percent in Saudi Arabia, 9 percent each in Mexico and Ireland, and 5 percent in each of India, Afghanistan, Iran, Belgium, Austria, and Pakistan.

Carbanak is an APT-style campaign targeting financial institutions, that was discovered in 2014 by the Russian cyber security company Kaspersky Lab. It utilizes malware that is introduces into systems running Microsoft Windows using phishing emails, which is then used to steal money from banks. The hacker group is said to have stolen over 900 million dollars, from the banks as well as from over a thousand private customers.

The Equation Group, classified as an advanced persistent threat, is a highly sophisticated threat actor suspected of being tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA). Kaspersky Labs describes them as one of the most sophisticated cyber attack groups in the world and "the most advanced ... we have seen", operating alongside the creators of Stuxnet and Flame. Most of their targets have been in Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali.

Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Security Service (AIVD) deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR); this view is shared by the United States. Cybersecurity firm CrowdStrike also previously suggested that it may be associated with either the Russian Federal Security Service (FSB) or SVR. The group has been given various nicknames by other cybersecurity firms, including CozyCar, CozyDuke, Dark Halo, The Dukes, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM.

Lazarus Group is a cybercrime group made up of an unknown number of individuals run by the North Korean state. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them between 2010 and 2021. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include HIDDEN COBRA and Zinc.

PLATINUM is the name given by Microsoft to a cybercrime collective active against governments and related organizations in South and Southeast Asia. They are secretive and not much is known about the members of the group. The group's skill means that its attacks sometimes go without detection for many years.

Advanced Persistent Threat 33 (APT33) is a hacker group identified by FireEye as being supported by the government of Iran. The group has also been called Refined Kitten, Magnallium, and Holmium.

References

  1. 1 2 AMR (Anti-Malware Research), GReAT (Global Research & Analysis Team) (8 November 2019). "Titanium: the Platinum group strikes again". Kaspersky Lab . Retrieved 9 November 2019.
  2. 1 2 Staff (November 2019). "Kaspersky identifies new Titanium backdoor used for attacks by notorious Platinum group in APAC region". Global Security Mag Online. Retrieved 9 November 2019.
  3. 1 2 Goodin, Dan (8 November 2019). "One of the world's most advanced hacking groups debuts new Titanium backdoor - Malware hides at every step by mimicking common software in long multi-stage execution". Ars Technica . Retrieved 9 November 2019.
  4. Seals, Tara (8 November 2019). "Platinum APT Shines Up New Titanium Backdoor". ThreatPost.com. Retrieved 9 November 2019.
  5. Osborne, Charlie (8 November 2019). "Platinum APT's new Titanium backdoor mimics popular PC software to stay hidden - The group uses encryption, fileless technologies, and mimicry to stay under the radar". ZDNet . Retrieved 9 November 2019.
  6. Ewell, Pauline (8 November 2019). "Platinum APT Shines Up New Titanium Backdoor". MashViral.com. Retrieved 9 November 2019.
  7. Staff (9 November 2019). "'Platinum' Hacking Group Strikes Once more With Complicated Titanium Backdoor To Home windows". MarketResearchBase.com. Retrieved 9 November 2019.