{
	"id": "7d8fe2af-e3dc-4ca5-8d8f-ef4bba9a8338",
	"created_at": "2026-04-06T01:29:39.101907Z",
	"updated_at": "2026-04-10T03:35:34.322103Z",
	"deleted_at": null,
	"sha1_hash": "dbf42c71ae1bba88e9bf81e5ea9eb039cefd6dd3",
	"title": "Platinum is back",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 329752,
	"plain_text": "Platinum is back\r\nBy Andrey Dolgushev\r\nPublished: 2019-06-05 · Archived: 2026-04-06 00:33:52 UTC\r\nIn June 2018, we came across an unusual set of samples spreading throughout South and Southeast Asian\r\ncountries targeting diplomatic, government and military entities. The campaign, which may have started as far\r\nback as 2012, featured a multi-stage approach and was dubbed EasternRoppels. The actor behind this campaign,\r\nbelieved to be related to the notorious PLATINUM APT group, used an elaborate, previously unseen\r\nsteganographic technique to conceal communication.\r\nAs a first stage the operators used WMI subscriptions to run an initial PowerShell downloader which, in turn,\r\ndownloaded another small PowerShell backdoor. We collected many of the initial WMI PowerShell scripts and\r\nnoticed that they had different hardcoded command and control (C\u0026C) IP addresses, different encryption keys,\r\nsalt for encryption (also different for each initial loader) and different active hours (meaning the malware only\r\nworked during a certain period of time every day). The C\u0026C addresses were located on free hosting services, and\r\nthe attackers made heavy use of a large number of Dropbox accounts (for storing the payload and exfiltrated data).\r\nThe purpose of the PowerShell backdoor was to perform initial fingerprinting of a system since it supported a very\r\nlimited set of commands: download or upload a file and run a PowerShell script.\r\nAt the time, we were investigating another threat, which we believe to be the second stage of the same campaign.\r\nWe were able to find a backdoor that was implemented as a DLL and worked as a WinSock NSP (Nameservice\r\nProvider) to survive a reboot. The backdoor shares several features with the PowerShell backdoor described\r\nabove: it has hardcoded active hours, it uses free domains as C\u0026C addresses, etc. The backdoor also has a few\r\nvery interesting features of its own. 
For example, it can hide all communication with its C\u0026C server by using text\r\nsteganography.\r\nAfter deeper analysis we realized that the two threats were related. Among other things, both attacks used the\r\nsame domain to store exfiltrated data, and we discovered that some of the victims were infected by both types of\r\nmalware at the same time. It’s worth mentioning that in the second stage, all executable files were protected with a\r\nruntime crypter and after unpacking them we found another, previously undiscovered, backdoor that is known to\r\nbe related to PLATINUM.\r\nOur paper only includes a description of the two previously undiscovered backdoors while the full report is\r\navailable to customers of the Kaspersky Intelligence Reporting service (contact intelreports@kaspersky.com).\r\nSteganography backdoor\r\nThe main binary backdoor is installed with a dedicated dropper. When the dropper is run, it decrypts files that are\r\nembedded into its “.arch” section:\r\nhttps://securelist.com/platinum-is-back/91135/\r\nPage 1 of 9\n\nNext, it creates directories for the backdoor to operate in and saves the malware-related files in these. It normally\r\nuses paths like those used by legitimate software.\r\nTypically, the malware drops two files: the backdoor itself and its configuration file.\r\nAfter this, the dropper runs the backdoor, installs it to enable a persistence mechanism and removes itself. The\r\nconfiguration file always has a .cfg or .dat extension and contains the following options, encrypted with AES-256\r\nCBC and encoded:\r\npr – stands for “Poll Retries” and specifies the interval in minutes after which the malware sends the C\u0026C\r\nserver a request for new commands to execute;\r\nht – unused;\r\nsl – specifies the date and time when the malware starts running. When the date arrives, the malware clears\r\nthis option.\r\nopt – stands for “Office Hours”. 
This specifies the hours and minutes during the day when the malware is\r\nactive;\r\ndie – stands for “Eradicate Days”. This specifies how many days the malware will work inside the victim’s\r\ncomputer;\r\nSection “p” lists malware C\u0026C addresses;\r\nSection “t” lists legitimate URLs that will be used to ensure that an internet connection is available.\r\nPersistence\r\nThe main backdoor is implemented as a dynamic link library (DLL) and exports a function with the name\r\n“NSPStartup”. After dropping it, the installer registers the backdoor as a winsock2 namespace provider with the\r\nhelp of the WSCInstallNameSpace API function and runs it by calling WSCEnableNSProvider.\r\nAs a result of this installation, during initialization of the “svchost -k netsvcs” process upon system startup, the\r\nregistered namespace provider will be loaded into the address space of the process and the function “NSPStartup”\r\nwill be called. For hunting purposes, the registered namespace providers can be enumerated with the WSCEnumNameSpaceProviders API or with “netsh winsock show catalog”; a provider whose DLL is not a Microsoft-signed system binary deserves a closer look.\r\nC\u0026C interaction\r\nOnce up and running, the backdoor compares the current time against the “Eradicate Days”, activation date and\r\n“Office Hours” values, and locates valid proxy credentials in “Credential Store” and “Protected Storage”.\r\nWhen all the rules are fulfilled, the backdoor connects to the malware server and downloads an HTML page.\r\nOn the face of it, the HTML suggests that the C\u0026C server is down:\r\nHowever, this is a decoy. The page contains embedded commands that are encrypted with an\r\nencryption key, also embedded into the page. The embedded data is encoded with two steganography techniques\r\nand placed inside the \u003c--1234567890\u003e tag (see below).\r\nOn line 31, the attributes “align”, “bgcolor”, “colspan” and “rowspan” are listed in alphabetical order, whereas on\r\nline 32, the same attributes are listed in a different order. 
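As an added worked example (this is not code from the Securelist report, nor from PLATINUM's tooling), the following Python encodes and decodes a page the way the paragraphs that follow describe: a 32-byte key carried as 4 bits per table-cell line through the order of the align/bgcolor/colspan/rowspan attributes, and the ciphertext carried as tab-delimited runs of zero to seven spaces, 3 bits per run. Everything the report does not state is an assumption and is marked as such in the code: that the 4-bit value is the lexicographic rank of the attribute order (so only 16 of the 24 orders ever occur), that 3-bit groups pack MSB-first with zero padding at the end, that the key tags precede the payload runs after the \u003c--1234567890\u003e marker, the td tag name and the dummy attribute values. The final AES-256 CBC decryption with the recovered key is left out (it needs a crypto library); the sample key and command text are constructed.

```python
# Added example for the two text-steganography encodings described in this
# section; not code from the Securelist report or from PLATINUM's tooling.
# Assumptions (the report does not state them):
#   - a tag line's 4-bit value is the lexicographic rank (0..15) of its
#     attribute order among the 24 permutations of the four attribute names;
#   - 3-bit space-run groups are packed MSB-first, zero-padded at the end;
#   - key tags and payload runs follow the <--1234567890> marker, key first.
import itertools

ATTRS = ('align', 'bgcolor', 'colspan', 'rowspan')   # alphabetical, as on line 31
VALUES = {'align': 'center', 'bgcolor': '#ffffff', 'colspan': '1', 'rowspan': '1'}
PERMS = list(itertools.permutations(range(4)))       # 24 orders, lexicographic
TAB, SPACE, LF, CR = chr(9), chr(32), chr(10), chr(13)
MARKER = '<--1234567890>'                            # tag named in the report

def tag_for_nibble(nibble):
    # Technique 1: encode 4 bits by permuting the attribute order of one <td>.
    if not 0 <= nibble < 16:
        raise ValueError('nibble out of range')
    fields = ' '.join(ATTRS[i] + '=' + VALUES[ATTRS[i]] for i in PERMS[nibble])
    return '<td ' + fields + '>'

def nibble_for_tag(line):
    # Inverse of tag_for_nibble: the rank of the attribute order is the nibble.
    head = line[4:line.index('>')]
    names = [field.split('=')[0] for field in head.split()]
    if sorted(names) != list(ATTRS):
        raise ValueError('unexpected attribute set: ' + head)
    rank = PERMS.index(tuple(ATTRS.index(n) for n in names))
    if rank > 15:
        raise ValueError('order with rank %d carries no nibble' % rank)
    return rank

def runs_for_bytes(data, groups_per_line=16):
    # Technique 2: every 3 bits become a run of 0..7 spaces; runs on a line
    # are separated by a single tab.
    bits = ''.join(format(b, '08b') for b in data)
    bits += '0' * (-len(bits) % 3)                   # pad to whole 3-bit groups
    groups = [SPACE * int(bits[i:i + 3], 2) for i in range(0, len(bits), 3)]
    return [TAB.join(groups[i:i + groups_per_line])
            for i in range(0, len(groups), groups_per_line)]

def bytes_for_runs(lines):
    # Inverse of runs_for_bytes; rejects anything that is not a 0..7 space run.
    bits = ''
    for line in lines:
        for group in line.split(TAB):
            if set(group) - {SPACE} or len(group) > 7:
                raise ValueError('invalid run: %r' % group)
            bits += format(len(group), '03b')
    usable = len(bits) - len(bits) % 8               # drop the padding bits
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))

def encode_page(key, payload):
    # A page that reads as a 'server down' notice but carries key and payload.
    if len(key) != 32:
        raise ValueError('expected a 32-byte AES-256 key')
    nibbles = [n for b in key for n in (b >> 4, b & 15)]
    lines = ['<html><body><p>Service temporarily unavailable.</p>', MARKER, '<table>']
    lines += [tag_for_nibble(n) + '</td>' for n in nibbles]
    lines += ['</table>'] + runs_for_bytes(payload) + ['</body></html>']
    return LF.join(lines)

def decode_page(html):
    # One pass over the page: key nibbles from <td> lines, payload from
    # whitespace-only lines. Only a trailing CR is stripped from run lines,
    # because their trailing spaces are data.
    nibbles, run_lines, armed = [], [], False
    for raw in html.split(LF):
        raw = raw.rstrip(CR)
        line = raw.strip()
        if line == MARKER:
            armed = True
        elif armed and line.startswith('<td '):
            nibbles.append(nibble_for_tag(line))
        elif armed and raw and not set(raw) - {SPACE, TAB}:
            run_lines.append(raw)
    if len(nibbles) % 2:
        raise ValueError('odd number of key nibbles')
    key = bytes(nibbles[i] << 4 | nibbles[i + 1] for i in range(0, len(nibbles), 2))
    return key, bytes_for_runs(run_lines)

if __name__ == '__main__':
    sample_key = bytes(range(32))                                  # constructed
    sample_cmd = b'id=17 dt=2019-06-05 t=Download cmd=c:/users/public/a.dat'  # constructed
    page = encode_page(sample_key, sample_cmd)
    assert decode_page(page) == (sample_key, sample_cmd)
    print(page)
```

Running the file prints the constructed page and checks the round trip. For a real capture, feed decode_page the raw HTML without normalising whitespace: an HTML prettifier or an editor that trims trailing spaces destroys the second encoding while leaving the page looking identical.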
The first steganography technique relies on the\r\nfact that HTML is indifferent to the order of a tag’s attributes, so a message can be encoded by permuting the\r\nattributes. Line 31 in the example above contains four attributes; the number of permutations of four attributes is 4! = 24,\r\nso the line can carry log2(24) ≈ 4.58 bits, of which 4 whole bits are used. The backdoor decodes line by line and collects the encryption\r\nkey for the data, which is placed right after the HTML tags and is itself encoded, but with a second\r\nsteganography technique.\r\nThe image above shows that the data is encoded as groups of spaces delimited with tabs. Each group contains\r\nfrom zero to seven spaces and the number of spaces represents the next three bits of data. For example, the first\r\ngroup on line 944 contains six spaces, so it decodes to 6 in decimal, i.e. 110 in binary.\r\nThe decoded data is then decrypted with the recovered AES-256 CBC key.\r\nThe result is a list of commands to execute, protected the same way as the backdoor configuration file:\r\nRaw command data extracted from the HTML page\r\nAn interpretation of the raw commands extracted from the HTML page after decryption\r\nCommands\r\nThe backdoor that we’ve discovered supports the uploading, downloading and execution of files; it can handle\r\nrequests for a process list and directory list, upgrade and uninstall itself and modify its configuration file. Each\r\ncommand has its own parameters, e.g. the C\u0026C server to download from or upload to, or whether to split a file\r\nwhile uploading.\r\nConfig manager\r\nWhile investigating further, we found another tool that turned out to be a configuration manager – an executable\r\nwhose purpose was to create configuration and command files for the backdoors. 
The utility can configure more\r\nthan 150 options.\r\nFor example, below is the result of executing the showcfg command.\r\nThe second command it supports is updatecfg, which writes values specified by the operator into the\r\nconfiguration file.\r\nAlso, the config manager supports Upload, Download, Execute, Search, UpdateConfig, AddKeyword,\r\nChangeKeywordFile, ChangeKey, Upgrade and Uninstall commands. After executing any of these it creates a\r\ncommand file, protected the same way as the configuration file, and stores it in the “CommandDir” directory (the\r\npath is specified in the configuration, option 11). The steganography backdoor described above doesn’t handle command files and doesn’t support commands such as ChangeKeywordFile and\r\nChangeKey, so we figured that there was another backdoor that paired with the config manager we had\r\nfound. Although such a utility would be expected to run on the attacker side, we found a victim infected with it,\r\nwith the corresponding backdoor located nearby. We called it a P2P backdoor.\r\nP2P backdoor\r\nThis backdoor shares many features with the previous one. For example, many of the commands have similar\r\nnames, both backdoors’ configuration files have options with identical names and are protected the same way, and\r\nthe paths to the backdoor files are similar to legitimate ones. However, there are significant differences, too. The\r\nnew backdoor actively uses many more of the options from the config, supports more commands, is capable of\r\ninteracting with other infected victims and connecting them into a network (see the “Commands” section for\r\ndetails), and works with the C\u0026C server in a different way. 
In addition, this backdoor actively uses logging: we\r\nfound a log file dating back to 2012 on one victim PC.\r\nC\u0026C interaction\r\nThis backdoor has the ability to sniff network traffic. After the backdoor is run, it starts a sniffer on each network\r\ninterface in order to detect a specially structured packet sent to the victim’s ProbePort, which is specified in the\r\nconfiguration. When the sniffer finds such a packet, it interprets it as a request to establish a connection and\r\nputs TransferPort (also specified in the configuration) into listening mode. The requester immediately connects to the\r\nvictim’s TransferPort and both sides perform additional checks, exchanging their encryption keys. Then the\r\nconnection requester sends commands to the victim, and the victim processes these interactively. This lets the backdoor\r\nstay reachable without holding any socket in the listening state: it creates a\r\nlistening socket only once it knows that someone is trying to connect, so a port scan or a listing of listening ports on the host will normally show nothing.\r\nCommands\r\nThe backdoor supports the same commands as the steganography backdoor and implements an additional one. The\r\nbackdoor leverages the Windows index service and can search files for keywords provided by the attacker. This\r\nsearch can be initiated by an attacker request or on a schedule – keywords for a scheduled search are stored in a\r\ndedicated file.\r\nAll commands are supplied to the backdoor through command files. The command files are protected the same\r\nway as the config (see below).\r\nA command file consists of a command id (id), a command date (dt), a command name (t) and arguments (cmd).\r\nThe creators of the malware also provide the ability to combine infected victims into a P2P network. This can help\r\nthe attacker, for example, when two infected victims share the same local network, but only one of them has\r\naccess to the internet. 
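The relay options the next paragraph describes (h1, h2, ... host entries in IP:ProbePort:TransferPort form and p1, p2, ... routes written as index->index->index), resolved in code as an added example that is not the report's or the backdoor's own code. The command file is assumed to be already decrypted into a plain key/value mapping (the report says it is protected like the config with AES-256 CBC, which is not reproduced here); the sample options are constructed and mirror the 2->3->1 / 2->3->4 example in the text, with made-up addresses and ports.

```python
# Added example (not code from the Securelist report or from the P2P backdoor):
# resolves the relay options of a P2P command file into per-destination paths.
# The option names h1..hN and p1..pM, the index->index route syntax and the
# IP:ProbePort:TransferPort host format are as the report describes; having the
# command file as a plain key/value mapping is an assumption (the real file is
# AES-256-CBC encrypted and encoded, which is not shown here).
from collections import namedtuple

Host = namedtuple('Host', 'ip probe_port transfer_port')

# Constructed sample: a command for hosts 1 and 4, relayed via 2 and then 3.
# id/dt/t/cmd are the fields the report lists; their values are made up.
SAMPLE = {
    'id': '17', 'dt': '2019-06-05', 't': 'Download', 'cmd': 'c:/users/public/a.dat',
    'h1': '10.0.0.11:5001:5002',
    'h2': '10.0.0.12:5001:5002',
    'h3': '10.0.0.13:5001:5002',
    'h4': '10.0.0.14:5001:5002',
    'p1': '2->3->1',
    'p2': '2->3->4',
}

def parse_host(text):
    parts = text.split(':')
    if len(parts) != 3:
        raise ValueError('host must be IP:ProbePort:TransferPort, got ' + text)
    ip, probe, transfer = parts[0], int(parts[1]), int(parts[2])
    if not all(0 < p < 65536 for p in (probe, transfer)):
        raise ValueError('port out of range in ' + text)
    return Host(ip, probe, transfer)

def _numbered(options, prefix):
    # Yields (index, value) for options named prefix + digits, in index order.
    keys = [k for k in options if k[:1] == prefix and k[1:].isdigit()]
    for k in sorted(keys, key=lambda k: int(k[1:])):
        yield int(k[1:]), options[k]

def parse_hosts(options):
    return {i: parse_host(v) for i, v in _numbered(options, 'h')}

def parse_paths(options):
    paths = []
    for _, value in _numbered(options, 'p'):
        hops = [int(x) for x in value.split('->')]
        if len(set(hops)) != len(hops):
            raise ValueError('route visits a host twice: ' + value)
        paths.append(hops)
    return paths

def relay_plan(options):
    # destination index -> Host objects the file traverses, in order, ending
    # with the destination itself. Rejects routes naming undefined hosts.
    hosts = parse_hosts(options)
    plan = {}
    for hops in parse_paths(options):
        missing = [i for i in hops if i not in hosts]
        if missing:
            raise ValueError('route references undefined host index %s' % missing)
        plan[hops[-1]] = [hosts[i] for i in hops]
    return plan

def next_hop(options, my_index):
    # What the victim with index my_index does with the file: a list of
    # (destination_index, Host to forward to). Host is None when the command
    # is for this victim and is to be executed locally.
    hosts = parse_hosts(options)
    actions = []
    for hops in parse_paths(options):
        if any(i not in hosts for i in hops):
            raise ValueError('route references undefined host index: %s' % hops)
        if my_index not in hops:
            continue
        pos = hops.index(my_index)
        nxt = None if pos == len(hops) - 1 else hosts[hops[pos + 1]]
        actions.append((hops[-1], nxt))
    return actions

if __name__ == '__main__':
    for idx in (2, 3, 1, 4):
        print(idx, next_hop(SAMPLE, idx))
```

For the sample, host 2 (the one with internet access) forwards both copies to host 3, host 3 forwards one to host 1 and one to host 4, and hosts 1 and 4 execute. The same resolver is what a responder can run over a recovered, decrypted command file to list every peer the operator expected to reach.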
In that situation, the attacker can send a command file to the unreachable victim via the\r\nreachable one. The instruction for the reachable victim that the command is intended for the other host is placed\r\ndirectly inside the command file. When the attacker prepares the file, a list of infected hosts involved in\r\ntransferring the file to the destination is included as the h1, h2, h3, etc. options. The order in which the command\r\nfile will be transferred through the victims to the destination host is included as the p1, p2, etc. options. For\r\nexample, if the p1 option equals ‘2-\u003e3-\u003e1’ and the p2 option equals ‘2-\u003e3-\u003e4’, the command file will be\r\ndelivered to the hosts with indexes 1 and 4 through hosts 2 and then 3. Each host is described as follows:\r\n%Host IP%:%Host ProbePort%:%Host TransferPort%.\r\nConclusion\r\nWe have discovered a new attack by this group and noted that the actors are still working on improving their\r\nmalicious utility and using new techniques for making the APT stealthier. A couple of years ago, we predicted that\r\nmore and more APT and malware developers would use steganography, and here is proof: the actors used two\r\ninteresting steganography techniques in this APT. One more interesting detail is that the actors decided to\r\nimplement the utilities they need as one huge set – this reminds us of the framework-based architecture that is\r\nbecoming more and more popular. Finally, based on the custom cryptor used by the actors, we have been able to\r\nattribute this attack to the notorious PLATINUM group, which means this group is still active.\r\nIoCs\r\nThis list includes only IoCs related to the described modules of the attack. 
All IoCs are available to customers of\r\nthe Kaspersky Intelligence Reporting service (contact intelreports@kaspersky.com).\r\nSteganography backdoor installer (MD5):\r\n26a83effbe14b63683f0c3e0a3f657a9\r\n4b4c3b57416c03ca7f57ff7241797456\r\n58b10ac25df04a318a19260110d43894\r\nObsolete steganography backdoor launcher (MD5):\r\nd95d939337d789046bbda2083f88a4a0\r\nb22499568d51759cf13bf8c05322dba2\r\nSteganography backdoor (MD5):\r\n5591704fd870919930e8ae1bd0447706\r\n9179a84643bd6d1c1b8e6fe0d2330dab\r\nc7fda2be17735eeaeb6c56d30fc86215\r\nd1936dc97566625b2bfcab3103c048cb\r\nd1a5801abb9f0dc0a44f19b2208e2b9a\r\nP2P backdoor (MD5):\r\n0668df90c701cd75db2aa43a0481718d\r\ne764a1ff12e68badb6d54f16886a128f\r\nConfig manager (MD5):\r\n8dfabe7db613bcfc6d9afef4941cd769\r\n37c76973a55134925c733f4f50108555\r\nSource: https://securelist.com/platinum-is-back/91135/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/platinum-is-back/91135/"
	],
	"report_names": [
		"91135"
	],
	"threat_actors": [
		{
			"id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4",
			"created_at": "2023-01-06T13:46:38.595679Z",
			"updated_at": "2026-04-10T02:00:03.033762Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"TwoForOne",
				"G0068",
				"ATK33"
			],
			"source_name": "MISPGALAXY:PLATINUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a",
			"created_at": "2022-10-25T16:07:24.061767Z",
			"updated_at": "2026-04-10T02:00:04.854503Z",
			"deleted_at": null,
			"main_name": "Platinum",
			"aliases": [
				"ATK 33",
				"G0068",
				"Operation EasternRoppels",
				"TwoForOne"
			],
			"source_name": "ETDA:Platinum",
			"tools": [
				"AMTsol",
				"Adupib",
				"Adupihan",
				"Dipsind",
				"DvDupdate.dll",
				"JPIN",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"RedPepper",
				"RedSalt",
				"Titanium",
				"adbupd",
				"psinstrc.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33f527a5-a5da-496a-a48c-7807cc858c3e",
			"created_at": "2022-10-25T15:50:23.803657Z",
			"updated_at": "2026-04-10T02:00:05.333523Z",
			"deleted_at": null,
			"main_name": "PLATINUM",
			"aliases": [
				"PLATINUM"
			],
			"source_name": "MITRE:PLATINUM",
			"tools": [
				"JPIN",
				"Dipsind",
				"adbupd"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438979,
	"ts_updated_at": 1775792134,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dbf42c71ae1bba88e9bf81e5ea9eb039cefd6dd3.pdf",
		"text": "https://archive.orkl.eu/dbf42c71ae1bba88e9bf81e5ea9eb039cefd6dd3.txt",
		"img": "https://archive.orkl.eu/dbf42c71ae1bba88e9bf81e5ea9eb039cefd6dd3.jpg"
	}
}