A new and dangerous backdoor is available on the deep web

According to reports from digital forensics experts, the hacker group known as Platinum has been linked to Titanium, a new backdoor Trojan with advanced features that give an attacker complete control of an infected computer.

The report, published by security firm Kaspersky Lab, mentions that this backdoor hides from victims by posing as legitimate software, such as a CD burner, a sound driver, or even an anti-malware security tool.

Digital forensics experts say Platinum, also identified as TwoForOne, has been active for at least a decade, injecting malicious code into the networks of governments, intelligence agencies, defense institutions, telecommunications companies and other large organizations around the world, with its most intense activity recorded in southern and eastern Asia.

Regarding this new malware, Kaspersky Lab experts note that Titanium uses a complex, multi-stage sequence for its delivery, download and installation on the target system, and that this process ends with the deployment of the backdoor itself.

Titanium is also able to evade detection by most security tools, combining encryption, mimicry of legitimate software, and steganography: payload data is hidden inside otherwise ordinary PNG images, so the download looks like image traffic rather than an executable being fetched.

According to the report of the digital forensics specialists, once the Trojan completes the initial infection stages, the final payload and the files needed to run it are downloaded using the Windows Background Intelligent Transfer Service (BITS). This matters for defenders because BITS jobs run under the BITS service, persist across reboots and are the same mechanism Windows Update relies on, so the transfers blend in with legitimate update traffic. Communication between the Trojan and its command and control (C&C) server is handled by a cURL-based tool.

To register with the server-side script, the Trojan first sends a base64-encoded request containing a system ID, the computer name, and the hard drive serial number: “The commands will begin to be received after setting the connection,” the experts added.
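The BITS download stage and the base64 registration beacon described above are the two points a responder can check on a suspect host. The following PowerShell script is an added hunting example written for this page; it is not code from the Kaspersky report or from the Platinum tooling. It enumerates BITS jobs for all users, pulls the BITS-Client operational events, and applies a heuristic to captured request bodies. The beacon layout is an assumption: the script only assumes that, once decoded, the body contains the local computer name and a physical-disk serial as plain substrings, which is all the description above supports, so `Test-BeaconBody` is a triage filter rather than a signature.

```powershell
# Added hunting example (not from the Kaspersky report or from Titanium).
# Assumption: a decoded registration body contains the computer name and a
# disk serial as plain substrings; the real field layout is not known here.

function Get-SuspiciousBitsJobs {
    # Every BITS job on the host, for every user, flattened to one row per file.
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
        $job = $_
        foreach ($file in $job.FileList) {
            [pscustomobject]@{
                JobId      = $job.JobId
                Owner      = $job.OwnerAccount
                State      = $job.JobState
                RemoteName = $file.RemoteName
                LocalName  = $file.LocalName
            }
        }
    } | Where-Object {
        # Payload-like remote names, or a local target outside the usual update paths.
        $_.RemoteName -match '\.(exe|dll|zip|png)(\?|$)' -or
        $_.LocalName  -notmatch '\\(Windows|ProgramData\\Microsoft)\\'
    }
}

function Get-BitsJobEvents {
    param([int]$Hours = 24)
    # BITS-Client operational log: 3 = job created, 59 = transfer started,
    # 60 = transfer stopped. The messages carry the job name and remote URL.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Bits-Client/Operational'
        Id        = 3, 59, 60
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
}

function Test-BeaconBody {
    param([Parameter(Mandatory)][string]$Base64Body)
    # A body that is not valid base64 is not a candidate.
    try { $bytes = [Convert]::FromBase64String($Base64Body) } catch { return $false }
    $text = [Text.Encoding]::ASCII.GetString($bytes)
    # The registration message is described as carrying the computer name and
    # the hard drive serial; look for both as substrings of the decoded text.
    $hostHit = $text -match [regex]::Escape($env:COMPUTERNAME)
    $serials = Get-CimInstance Win32_PhysicalMedia -ErrorAction SilentlyContinue |
               ForEach-Object { $_.SerialNumber } | Where-Object { $_ } |
               ForEach-Object { $_.Trim() }
    $serialHit = $serials | Where-Object { $text -match [regex]::Escape($_) }
    # If the platform exposes no serials (common in VMs), fall back to the host name alone.
    return [bool]($hostHit -and ($serialHit -or -not $serials))
}

# Constructed sample bodies (not real captures): one shaped like the described
# registration, one benign base64 blob, and one that is not base64 at all.
$serial = Get-CimInstance Win32_PhysicalMedia -ErrorAction SilentlyContinue |
          ForEach-Object { $_.SerialNumber } | Where-Object { $_ } | Select-Object -First 1
$samples = @{
    beacon = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(
                 "id=0001;host=$env:COMPUTERNAME;hdd=$(if ($serial) { $serial.Trim() } else { 'NA' })"))
    benign = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes('{"ping":true}'))
    junk   = 'not-base64!'
}
foreach ($name in $samples.Keys) {
    '{0,-6} -> {1}' -f $name, (Test-BeaconBody $samples[$name])
}

Get-SuspiciousBitsJobs | Format-Table -AutoSize
Get-BitsJobEvents -Hours 48 | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session: `Get-BitsTransfer -AllUsers` and the operational event log both require administrator rights, and without them the job list silently comes back empty. On the constructed samples the `beacon` body is flagged and the other two are not; on real proxy or EDR captures, any body that passes `Test-BeaconBody` should be correlated with the BITS job and event output from the same host before drawing conclusions, since a plain-text host name in a POST body is not on its own malicious.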

Among the main functions of this Trojan are:

  • Reading any file on the system
  • Sending any file from the system to the C&C server
  • Downloading and executing any file
  • Updating itself

In addition, this Trojan has an ‘interactive mode’ that lets the attackers feed input to console programs on the victim and relay their output to the C&C server, effectively giving them a remote shell.

According to experts from the International Institute of Cyber Security (IICS), there is still no evidence of this Trojan’s activity in the wild, although the fact that it is available on the deep web makes an attack very likely in the near future.