A highly sophisticated cyberespionage campaign aimed at stealing information from South Asian diplomatic, government and military entities has been around for almost six years and had ties to other recent attacks detected in the region, researchers said.
The attacker behind the campaign is the PLATINUM group – a cyberespionage player thought to be no longer active. For their activity to remain unseen for such a long time, the group encoded information using a technique called steganography, said researchers at Kaspersky.
Security researchers have long warned about the dangers of steganography in threat campaigns. Steganography is the practice of transferring data in a concealed format, which disguises the very fact that data is being sent at all. This allows cyberespionage actors to remain in an infected system for a very long time without arousing any suspicion. This was the method used by the PLATINUM group, a cyberthreat collective acting against governments and related organizations in South and Southeast Asia, whose last known activity was reported in 2017.
“We have discovered a new attack by this group and noted that the actors are still working on improving their malicious utility and using new techniques for making the APT stealthier,” Kaspersky researchers said in a post. “A couple of years ago, we predicted that more and more APT and malware developers would use steganography, and here is proof: The actors used two interesting steganography techniques in this APT. One more interesting detail is that the actors decided to implement the utilities they need as one huge set – this reminds us of the framework-based architecture that is becoming more and more popular.”
In the case of the PLATINUM operation, the malware commands ended up embedded in the HTML-code of a website. The ‘tab’ and ‘space bar’ keys on a keyboard do not change how HTML-code is reflected on a webpage, so the threat actors encoded the commands in a specific sequence of these two keys. As a result, the commands were almost impossible to detect in network traffic, as the malware merely appeared to access an unsuspicious website that was unnoticeable in overall traffic.
To detect the malware, Kaspersky researchers had to check programs capable of uploading files to a device. Among them, the experts noticed one program that acted strangely; for instance, it accessed the public cloud service Dropbox for administration, and was programmed to work only at certain times. The researchers later realized this was done to hide the malware activity among processes operating during normal working hours, when its behavior wouldn’t arouse suspicion. In fact, the downloader was exfiltrating and uploading data and files to and from the infected device.
“Throughout its known existence, PLATINUM’s campaigns have been elaborate and thoroughly crafted,” said Alexey Shulmin, security researcher at Kaspersky. “The malware used in this attack is no exception – apart from the steganography, it had other features that allowed it to fly and operate under the radar for a long time. For example, it could transfer commands not only from the command center, but also from one infected machine to another. In this way, they could reach devices that were part of the same infrastructure as the attacked devices, but which were not connected to the Internet. Seeing threat actors like PLATINUM implementing steganography is a sign that advanced persistent threats are increasing the sophistication of their methods significantly to go undetected, and security vendors should keep this in mind when developing their security solutions.”