PLATINUM APT Found Using Text-based Steganography to Hide Backdoor

What is PLATINUM? Or, rather, who is PLATINUM in terms of Advanced Persistent Threat (APT) groups?

Adding to the evidence that malware developers are using digital steganography as an advanced detection-evasion technique, Kaspersky researchers report that the seemingly dormant PLATINUM APT group, attributed to Southeast Asia, has been found using text-based steganography to fingerprint infected systems and plant Remote Access Trojan (RAT) backdoors on them. The technique combines two different forms of digital steganography: a message encoding-and-hiding step, and a second steg technique referred to as “SNOW.”

The Steganographic Nature of Whitespace, or SNOW for short, is a steganographic covert messaging technique that involves “…concealing messages in ASCII text by appending whitespace to the end of [sentence] lines” (Kwan, 2013). The technique exploits the fact that most text viewer applications do not display trailing spaces and tabs; the hidden message can additionally be encrypted, so that it remains unreadable without the correct decryption key even if it is detected. You can download the software to perform SNOW steg here.

[Figure: HTML code excerpt showing variations in tag attribute order]

Essentially, the hidden text is encoded and placed directly after the HTML tags as sequences of ‘tab’ and ‘space’ characters; the SNOW steg technique is what decodes the hidden message and the encryption key from that whitespace (Osborne, 2019). The hidden whitespace message carries the RAT backdoor’s command and control (C2) commands, allowing the C2 server and the compromised host to communicate back and forth. This is a unique method of exfiltrating data in plain sight using digital steganography, and the backdoor can serve as a vehicle for all sorts of other nasty malware. For example, “Kaspersky also found a tool designed for the backdoor which is a management utility set with over 150 options and another backdoor which is able to sniff network traffic and potentially link victim systems to a P2P network” (Osborne, 2019).
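As an added defender-side example (not code from the Kaspersky analysis or from the SNOW tool), the following Python scanner flags lines whose trailing whitespace matches the pattern described above: runs of tabs and spaces appended after an HTML tag. The sample HTML is constructed, and the suspicion threshold is an assumption to be tuned per environment.

```python
import re
from dataclasses import dataclass
from typing import List

# Trailing run of spaces/tabs that follows at least one visible character.
# Whitespace-only lines (indentation noise) are deliberately not matched.
TRAILING_WS = re.compile(r"(?<=\S)([ \t]+)$")

@dataclass
class Hit:
    line_no: int
    tabs: int
    spaces: int
    after_tag: bool   # True when the visible text ends with '>' (an HTML tag)

def trailing_whitespace_hits(text: str) -> List[Hit]:
    """Return one Hit per line that carries trailing spaces/tabs."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = TRAILING_WS.search(line)
        if not m:
            continue
        run = m.group(1)
        visible = line[:m.start()]
        hits.append(Hit(n, run.count("\t"), run.count(" "), visible.endswith(">")))
    return hits

def suspicious(hits: List[Hit], min_run: int = 8) -> List[Hit]:
    """A lone trailing space is common editor noise; long runs that mix tabs
    and spaces are the SNOW-style pattern worth a closer look. min_run is an
    assumed threshold, not a value from the Kaspersky report."""
    return [h for h in hits if h.tabs >= 1 and h.tabs + h.spaces >= min_run]

# Constructed sample: line 3 has harmless editor noise, lines 4 and 5 carry
# SNOW-style whitespace runs directly after HTML tags.
SAMPLE_HTML = (
    "<html>\n"
    "<body>\n"
    "<p>Hello</p> \n"
    "<div>  \t \t\t   \t \t  \n"
    "<span>text</span>\t\t  \t \t\t \t\n"
    "</body>\n"
    "</html>\n"
)

if __name__ == "__main__":
    for h in suspicious(trailing_whitespace_hits(SAMPLE_HTML)):
        print(f"line {h.line_no}: {h.tabs} tabs, {h.spaces} spaces, after_tag={h.after_tag}")
```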

Believed to have been active in the APT scene since at least 2009, PLATINUM has traditionally focused its activity on governments and government-related organizations in South Asia and Southeast Asia, according to the MITRE ATT&CK framework. PLATINUM has employed Computer Network Espionage (CNE) techniques such as spearphishing attachments, process injection, hooking, credential dumping (Hello Mimikatz!), and drive-by compromise against vulnerable browser plugins. Clearly this APT group is one to watch out for, as much as one can in these situations. The group favors some very sophisticated and unique attack methods. This latest malware technique, built on sophisticated and unique steganography, is one reason this clever group’s activity has been able to appear dormant, or to lie low, for so long. It also demonstrates that APT groups seldom simply disappear and stop their activity. More likely, they change tactics, techniques, and procedures (TTPs) to obscure their digital trail of bits online.

The best way to defend against this type of sophisticated APT malware threat is through security awareness training for employees to avoid phishing, spearphishing, and whaling email attempts. Kaspersky also recommends employing endpoint detection and response (EDR), but one might consider adopting a zero trust security approach combined with network micro-segmentation, threat intelligence monitoring for SOC analyst teams, and some measure of “corporate-grade advanced threat detection” (WebWire, 2019).


Originally published at https://www.peerlyst.com on June 6, 2019.