PLATINUM: Targeted attacks in South and Southeast Asia
Windows Defender Advanced Threat Hunting Team

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This document is provided "as-is." Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it.

Copyright 2016 Microsoft Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of contents
- PLATINUM: Targeted attacks in South and Southeast Asia
  - Adversary profile
  - Methods of attack
  - Technical details
    - Dipsind
    - JPIN
    - adbupd
    - Keyloggers
    - Hotpatcher
    - Miscellaneous
    - Exploit (CVE-2015-2545)
  - Identity
  - Guidance
  - Detection indicators
PLATINUM: Targeted attacks in South and Southeast Asia

Microsoft proactively monitors the threat landscape for emerging threats. Part of this job involves keeping tabs on targeted activity groups, which are often the first ones to introduce new exploits and techniques that are later used widely by other attackers. The previous volume of this report ("STRONTIUM: A profile of a persistent and motivated adversary," on page 3 of Microsoft Security Intelligence Report, Volume 19 (January–June 2015)) chronicled the activities of one such group, which had attracted interest because of its aggressive, persistent tactics and techniques as well as its repeated use of new zero-day exploits to attack its targets.

This section describes the history, behavior, and tactics of a newly discovered targeted activity group, which Microsoft has code-named PLATINUM. Microsoft is sharing some of the information it has gathered on this group in the hope that it will raise awareness of the group's activities and help organizations take immediate advantage of available mitigations that can significantly reduce the risks they face from this and similar groups.
Adversary profile

PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group's persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.
After researching PLATINUM, Microsoft has identified the following key characteristics of the group and its activities:
- PLATINUM has conducted several cyber espionage campaigns since at least 2009.
- PLATINUM focuses on a small number of campaigns per year, which reduces the risk of detection and helps the group stay unnoticed and focused for a longer period of time.
- PLATINUM has focused on targets associated with governments and related organizations in South and Southeast Asia.
- PLATINUM has used multiple unpatched vulnerabilities in zero-day exploits against its victims.
- Spear phishing is the group's main method of infecting targeted users' computers.
- PLATINUM makes a concerted effort to hide its infection tracks, by self-deleting malicious components, or by using server side logic in 'one shot mode' where remotely hosted malicious components are only allowed to load once.
- PLATINUM often spear phishes its targets at their non-official or private email accounts, to use as a stepping stone into the intended organization's network.
- PLATINUM uses custom-developed malicious tools and has the resources to update these applications often to avoid being detected.
- PLATINUM configures its backdoor malware to restrict its activities to victims' working hours, in an attempt to disguise post-infection network activity within normal user traffic.
- PLATINUM does not conduct its espionage activity to engage in direct financial gain, but instead uses stolen information for indirect economic advantages.
In some cases, the combination of these mechanisms—use of undisclosed zero-day exploits, custom malware that is not used elsewhere, PLATINUM's skill in covering its tracks, and others—has enabled the group to compromise targets for several years without being detected. Targeted activity groups are skilled at covering their tracks and evading detection, and it can be very difficult to definitively associate an activity group with a specific nation-state or group of individuals. Attackers could be patriotic groups, opportunistic cyber units, state-sponsored hackers, or intelligence agents. Although PLATINUM could belong to any one of the aforementioned categories, the group shows traits of being well funded, organized, and focused on information that would be of most use to government bodies.
Methods of attack

Figure 1. Known victims attacked by PLATINUM since 2009, by country/region (left) and type of institution (right)

PLATINUM primarily targets its intended victims using spear phishing. There is also some data indicating the group's usage of drive-by attacks against vulnerable browser plug-ins. Although the group's methods for performing reconnaissance to determine who to pursue remain unknown, the number of victims targeted at each affected institution is consistently very small. In some cases, the victims were targeted at their non-official email addresses, demonstrating that the scope of PLATINUM's research capabilities is fairly extensive. For the initial infection, PLATINUM typically sends malicious documents that contain exploits for vulnerabilities in various software programs, with links or remotely loaded components (images or scripts or templates) that are delivered to targets only once. The group has made concerted efforts towards designing their initial spear-phishes in a manner where the final payload is only delivered to the intended victim. The group is known to have used a number of zero-day exploits, for which no security update is available at the time of transmission, in these attempts. (All have subsequently been addressed by security updates from the affected vendors.)

Figure 2. A typical lure document sent by PLATINUM to a prospective victim

[Figure 1 chart values. By country/region: Malaysia 51.4%, Indonesia 21.4%, China 11.4%, Singapore 4.3%, India 4.3%, Thailand 2.9%, Other 4.3%. By type of institution: Other government 31.4%, Other 25.7%, ISP 24.3%, Gov't-Defense 7.1%, Gov't-Diplomatic 7.1%, Gov't-Intelligence 2.9%, Academic 1.4%.]

Lure documents are typically given topical names that may be of interest to the recipient.
Such lures often address controversial subjects or offer provocative opinions, in an effort to incite the reader into opening them. Figure 3 shows a sample of such titles.

Figure 3. Example document titles used by PLATINUM to deliver exploits

SHA1 | Filename
e9f900b5d01320ccd4990fd322a459d709d43e4b | Gambar gambar Rumah Gay Didiet Prabowo di Sentul Bogor.doc
9a4e82ba371cd2fedea0b889c879daee7a01e1b1 | The real reason Prabowo wants to be President.doc
92a3ece981bb5e0a3ee4277f08236c1d38b54053 | Malaysia a victim of American irregular warfare ops.doc
0bc08dca86bd95f43ccc78ef4b27d81f28b4b769 | Tu Vi Nam Tan Mao 2011.doc
f4af574124e9020ef3d0a7be9f1e42c2261e97e6 | Indians having fun.doc

These documents were sent to intended victims in Vietnam, Indonesia, India, and Malaysia, and the file names contain references to cities, politicians, and current events in those locations.
The oldest confirmed PLATINUM exploit was named "The corruption of Mahathir," a document that was transmitted in 2009 referencing the former prime minister of Malaysia, Mahathir Mohamad.

Figure 4. The oldest confirmed lure document sent by PLATINUM, in 2009

PLATINUM's recent activities remain focused on tactics such as these. In February 2016, PLATINUM was observed using a legitimate website dedicated to news about the Indian government as an infection vector. This site, which is not associated with the Indian government itself, also provides a free email service for its users, giving them email addresses with the site's own domain name. PLATINUM sent spear phishing messages to users of the service, which included some Indian government officials. After infecting an unsuspecting user this way, the attackers had complete control of the user's computer and used it as a stepping stone into the official network to which the user belonged.

Figure 5. PLATINUM used a private webmail service to infect a government network

PLATINUM's approach toward exploiting vulnerabilities varies between campaigns.
In one case from 2013, the target was sent a malicious document through a spear phishing email message.[1] The document, when opened, used an embedded ActiveX control to download a JavaScript file from a remote site that used a previously unknown vulnerability in some versions of Windows (later designated CVE-2013-7331) to read information about the browser's installed components.[2]

[1] Microsoft thanks Google for identifying and reporting this attack.
[2] Microsoft issued Security Bulletin MS14-052 in September 2014 to address the issue. CVE-2013-7331 has never affected Windows 10.
Figure 6. Malicious Word 2003 files used by PLATINUM to deliver CVE-2013-7331

Filename | SHA1 | URL for PNG exploit
Gerakan Anti SBY II.doc | 1bdc1a0bc995c1beb363b11b71c14324be8577c9 | mister.nofrillspace.com/users/web8_dice/4226/space.gif
Tu_Vi_Nam_Tan_Mao_2011.doc | 2a33542038a85db4911d7b846573f6b251e16b2d | intent.nofrillspace.com/users/web11_focus/3807/space.gif
Wikileaks Indonesia.doc | d6a795e839f51c1a5aeabf5c10664936ebbef8ea | mister.nofrillspace.com/users/web8_dice/3791/space.gif
Top 11 Aerial Surveillance Devices.doc | f362feedc046899a78c4480c32dda4ea82a3e8c0 | intent.nofrillspace.com/users/web11_focus/4307/space.gif
SEMBOYAN_1.doc | f751cdfaef99c6184f45a563f3d81ff1ada25565 | www.police28122011.0fees.net/pages/013/space.gif

Figure 7. Malicious JavaScript used by PLATINUM to perform fingerprinting on a victim's browser

While fingerprinting the versions of the browser plugins, the script loads a remotely hosted malicious PNG file that exploited another previously unknown vulnerability (designated CVE-2013-1331), which affected Microsoft Office 2003 SP3.[3] Exploiting the vulnerability resulted in memory corruption, which allowed the attacker to execute remote code on the computer.
Figure 8. An exploit mechanism used by PLATINUM

Also, a combination of lure documents with the aforementioned embedded ActiveX control was seen along with a Dipsind executable named 'pp4x322.dll' during a different attack. The unique name of this executable indicated a possible DLL side-loading vulnerability also being used by PLATINUM against PowerPoint 2007.
In another case from August 2015, Microsoft investigated a malicious document (named Resume.docx) that had been uploaded to the VirusTotal malware analysis service.[4] The person who submitted the file did so through an IP address based in India, suggesting that the person or their organization had been targeted by the spear phish document.

[3] Microsoft issued Security Bulletin MS13-051 in June 2013 to address the issue.
[4] Microsoft thanks FireEye for identifying and reporting this attack.
Figure 9. A malicious Word document used by PLATINUM to target a victim

When the document was opened in Word, it exploited a previously unknown vulnerability in the Microsoft Office PostScript interpreter (designated CVE-2015-2545) that enabled it to execute the attacker's code and drop an attacker-generated malicious DLL onto the computer.[5] The DLL exploited another previously unknown vulnerability (designated CVE-2015-2546) in the Windows kernel, which enabled it to elevate privileges for the Word executable and subsequently install a backdoor through the application.[6] Researching this attack and the malware used therein led Microsoft to discover other instances of PLATINUM attacking users in India around August 2015.
Figure 10. Another exploit mechanism used by PLATINUM

[5] Microsoft issued Security Bulletin MS15-099 in September 2015 to address the issue. Windows 10 is not affected by the exploit used in this case due to built-in mitigations.
[6] Microsoft issued Security Bulletin MS15-097 in September 2015 to address the issue.
In total, PLATINUM made use of four zero-day exploits during these two attack campaigns (two remote code execution bugs, one privilege escalation, and one information disclosure), showing an ability to spend a non-trivial amount of resources to either acquire professionally written zero-day exploits from unknown markets, or research and utilize the zero-day exploits themselves. In both these campaigns the activity group included remote triggers to deactivate exploitation, with an attempt to conceal the vulnerability, and prevent analysis of the attack. The resources required to research and deploy multiple zero-day exploits within the same attack campaign are considerable. Such activity requires a significant amount of investment in research and development, along with the discipline to ensure that the exploits are not used until the appropriate time, and that no one involved with the project leaks them to other parties.
Technical details

After gaining access to a victim's computer, PLATINUM installs its own custom-built malware to communicate with the compromised system, issue commands, and move laterally through the network. The wide collection of backdoors and tools, and the differences between them, suggest the involvement of multiple teams or vendors in the development process. This section describes some of the tools used by the group.
Dipsind

PLATINUM uses a number of different custom-developed backdoors to communicate with infected computers. The lack of any significant evidence of shared code between any of these backdoor families is another clue as to the scope of the resources on which the activity group is able to draw, and the precautions the group is willing and able to take in order to avoid losing its ability to conduct its espionage operations. The group's most frequently used backdoors belong to a malware family that Microsoft has designated Dipsind, although some variants are detected under different names. Multiple Dipsind variants have been identified, all of which are believed to be used exclusively by PLATINUM. The first variant, Win32/Dipsind.A!dha, is a lightweight application providing backdoor access to remote attackers. It can be customized for every victim to ensure that it remains undetected in targeted networks. It supports a small set of instructions that allow the attacker to perform basic functions, such as uploading or downloading files and spawning remote shells.
Figure 11. Sample configuration file for Win32/Dipsind.A

Each Dipsind file contains an embedded encrypted configuration file that acts as a control for the backdoor. This configuration file also includes the initial command and control (C&C) location the Dipsind backdoor uses, in addition to the pollcommandsite variable, which references a URL where additional backup C&Cs can be polled. Configurable parameters include instructions on where Dipsind should install a copy of cmd.exe for spawning a remote shell, depending on the user's privileges, the hours during which the backdoor should function, and exfiltrate information. This capability allows the backdoor to confine its activities to normal working hours, making its communications harder to distinguish from normal network traffic.
Dipsind has been observed using a combination of IP addresses and domains for its C&C infrastructure. The domains are a mix of registered domains and free subdomains obtained through dynamic DNS providers. Collected data showed that a vast majority of victim networks allowed unfiltered access to the dynamic DNS hosts. The hosts and domains are hosted on compromised infrastructure based in several different countries, some within academic institutions. In some cases, the backdoors are configured to connect to IP addresses instead of domain names. These factors make it challenging to locate the activity group's infrastructure. Figure 12 shows a sampling of C&C infrastructure used by PLATINUM between 2009 and 2015.
Figure 12. Some of the domains and addresses used by PLATINUM (columns: registered domains, dynamic DNS hosts, hardcoded IPs)

After Dipsind.A is installed on the victim's computer, it connects to its C&C server for authentication.
All network traffic is over HTTP, base64 encoded, with the underlying data encrypted using AES256 in ECB mode. Authentication is a five-step process, as shown in the following figure:

Figure 13. Win32/Dipsind.A initial communication protocol (as decrypted)

Analysis of several samples of this variant shows exactly the same AES key (AOPSH03SK09POKSID7FF674PSLI91965) in use since 2009. The initial HTTP POST made by this backdoor appears as "ud7LDjtsTHe2tWeC8DYo8A**", which translates to a simple whitespace. This sequence makes a simple network indicator usable by defenders.
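The network indicator above can be turned into a small detector over proxy or packet-capture logs. The following is an added example, not code from the report or from Microsoft: it matches the exact first-beacon body, and also flags other POST bodies written in the same base64 dialect (the '*' padding is inferred from the indicator) that decode to a whole number of AES blocks, as AES-ECB ciphertext must. The log lines and hostnames are constructed.

```python
"""Detect the Win32/Dipsind.A first beacon and its base64 dialect in HTTP POST bodies.

Added example; not code from the report or from Microsoft. Facts taken from
the report: the first POST body "ud7LDjtsTHe2tWeC8DYo8A**" (decrypts to a
single whitespace) and that bodies are base64 over AES-256-ECB ciphertext.
Treating '*' as the padding character is inferred from that indicator.
"""
import base64
import re
from typing import List, Optional, Tuple

# Network indicator quoted in the report: the backdoor's initial HTTP POST body.
DIPSIND_A_BEACON = "ud7LDjtsTHe2tWeC8DYo8A**"
# AES key quoted in the report; 32 bytes long, consistent with AES-256.
DIPSIND_A_KEY = b"AOPSH03SK09POKSID7FF674PSLI91965"
AES_BLOCK = 16

# Dipsind dialect: standard base64 alphabet, but '*' where '=' padding would be.
_DIALECT_RE = re.compile(r"^[A-Za-z0-9+/]+\*{1,2}$")


def decode_dipsind_base64(body: str) -> Optional[bytes]:
    """Decode a '*'-padded body; None if it is not in the Dipsind dialect."""
    if len(body) % 4 != 0 or not _DIALECT_RE.match(body):
        return None
    try:
        return base64.b64decode(body.replace("*", "="), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def classify_post_body(body: str) -> str:
    """Return 'known_beacon', 'dipsind_dialect_suspect', or 'benign'.

    A dialect body whose decoded length is a whole number of AES blocks is
    what AES-ECB ciphertext must look like, so it deserves a closer look even
    when the exact beacon string is absent.
    """
    if body == DIPSIND_A_BEACON:
        return "known_beacon"
    raw = decode_dipsind_base64(body)
    if raw is not None and len(raw) % AES_BLOCK == 0:
        return "dipsind_dialect_suspect"
    return "benign"


def scan_http_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, verdict, host) for POST bodies that are not benign.

    Constructed line format for this example: 'POST <host> <body>'.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) != 3 or parts[0] != "POST":
            continue
        verdict = classify_post_body(parts[2])
        if verdict != "benign":
            hits.append((n, verdict, parts[1]))
    return hits


# Constructed sample log: line 1 is the report's beacon, line 3 is a 32-byte
# (two AES blocks) dialect body, line 2 is ordinary base64 ('=' padding) and
# line 4 is a dialect body that decodes to 19 bytes, so it is not block-aligned.
SAMPLE_LOG = [
    "POST updates.example.test ud7LDjtsTHe2tWeC8DYo8A**",
    "POST www.example.test dXNlcj1hbGljZSZhY3Rpb249bG9naW4=",
    "POST box62.example.test MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY*",
    "POST blog.example.test aGVsbG8gd29ybGQgMTIzNDU2Nw**",
]

if __name__ == "__main__":
    for hit in scan_http_log(SAMPLE_LOG):
        print(hit)
```

The beacon decodes to exactly one 16-byte block, which is what a one-character plaintext padded to the AES block size would produce; the dialect check alone is a lead, not a verdict, and should be corroborated with the host and working-hours behaviour described above.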
A second Dipsind variant registers as a Winlogon Event Notify DLL. This backdoor contains a minimized feature list from the original Dipsind variant, and supports a more limited number of commands. It sets the following registry keys in the HKEY_LOCAL_MACHINE hive for persistence and functionality:

    SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Cscdll32\Asynchronous
    SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Cscdll32\DllName
    SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Cscdll32\Impersonate
    SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Cscdll32\Startup
    SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Cscdll32\shutdown
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cscdll32

There are at least two additional minor versions of this variant, each of which show improvements in command implementation.
One interesting feature of this variant is the way it implements a mechanism similar to port knocking to allow remote attackers to connect to a compromised computer without leaving any connection open for too long. The sequence of events is as follows:
1. The backdoor is installed via an exploit.
2. The backdoor sets a registry key to open a specific UDP port through the local firewall, if any, and listens to the port for incoming traffic.
3. At a remote location, the attacker executes a tool (called PK2 here, although the actual name of the tool is unknown) as Pk2.exe with three parameters, an IP address, a UDP port, and a password, where the IP address is that of the computer with the backdoor, the UDP port is the one specified by the backdoor, and the password is a string encrypted by the tool before being sent.
4. The backdoor receives the UDP packets, and then checks to see if the password is valid.
5. If the password is indeed valid, the backdoor will wait for exactly 20 seconds and only then open the PK2-specified TCP port for a window of 3 seconds.
Figure 14. How the Dipsind knocker component communicates with an attacker

PK2 is also designed to connect to such open TCP ports and act as a console client for issuing commands to the backdoor. When running PK2 as a console client, the attacker needs to re-enter the password to authenticate a second time against the backdoor, and issue commands such as #sz to upload a file and #rz to download a file. During this research, one such collection of tools was obtained that had the password set to "t@ng0p@ss". All communication used by this backdoor and PK2 is encrypted. If a connection from PK2 is not received within the 3-second window, the TCP port is shut and PK2 would need to reinitialize the port-knocking process.
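The fixed 20-second delay and 3-second window described above are themselves a detectable signature in network flow data. The following is an added example, not code from the report or from Microsoft: it pairs an inbound UDP datagram with a TCP connection from the same peer to the same host that begins about 20 seconds later, inside the open window. The flow-record format, the addresses and the jitter tolerance are constructed assumptions.

```python
"""Find the Dipsind knocker's UDP-knock-then-TCP-connect timing in flow records.

Added example; not code from the report or from Microsoft. It encodes the
sequence the report describes: an inbound UDP datagram to the backdoor's
listening port, a wait of exactly 20 seconds, then a TCP port opened for a
3-second window that PK2 connects to. Record format, addresses and the jitter
tolerance are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Tuple

KNOCK_DELAY_S = 20.0   # report: backdoor waits exactly 20 seconds after a valid knock
OPEN_WINDOW_S = 3.0    # report: the TCP port then stays open for 3 seconds
TOLERANCE_S = 1.0      # assumed capture/clock jitter allowance
MAX_KNOCK_BYTES = 256  # assumed: a single encrypted password fits in one small datagram


@dataclass(frozen=True)
class Flow:
    start: float   # seconds since capture start
    proto: str     # "udp" or "tcp"
    src: str       # remote peer
    dst: str       # monitored host
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<start> <proto> <src> <dst> <dport> <bytes>'."""
    start, proto, src, dst, dport, nbytes = line.split()
    return Flow(float(start), proto.lower(), src, dst, int(dport), int(nbytes))


def find_knock_sequences(flows: List[Flow]) -> List[Tuple[Flow, Flow]]:
    """Pair each small inbound UDP datagram with a TCP connection from the same
    peer to the same host that starts roughly 20 s later, inside the 3 s window.
    No duration filter is applied: once PK2 connects, the console session may
    stay open well beyond the window."""
    lo = KNOCK_DELAY_S - TOLERANCE_S
    hi = KNOCK_DELAY_S + OPEN_WINDOW_S + TOLERANCE_S
    knocks = [f for f in flows if f.proto == "udp" and f.nbytes <= MAX_KNOCK_BYTES]
    sessions = [f for f in flows if f.proto == "tcp"]
    pairs = []
    for k in knocks:
        for s in sessions:
            if s.src == k.src and s.dst == k.dst and lo <= s.start - k.start <= hi:
                pairs.append((k, s))
    return pairs


def knock_report(lines: List[str]) -> List[Tuple[str, int, int, float]]:
    """Summarise matches as (host, udp_knock_port, tcp_port, gap_seconds)."""
    flows = [parse_flow(l) for l in lines if l.strip()]
    return [(k.dst, k.dport, s.dport, round(s.start - k.start, 1))
            for k, s in find_knock_sequences(flows)]


# Constructed flow records (documentation-range addresses). Only the pair at
# t=100.0 / t=120.4 fits the report's timing; the t=260.0 session comes 60 s
# after the second knock, and the t=105.0 session is from a different peer.
SAMPLE_FLOWS = [
    "100.0 udp 203.0.113.9 192.0.2.20 40123 48",
    "105.0 tcp 198.51.100.7 192.0.2.20 443 5120",
    "120.4 tcp 203.0.113.9 192.0.2.20 3309 2210",
    "200.0 udp 203.0.113.9 192.0.2.20 40123 48",
    "260.0 tcp 203.0.113.9 192.0.2.20 3309 180",
    "300.0 udp 198.51.100.7 192.0.2.20 53 64",
]

if __name__ == "__main__":
    for row in knock_report(SAMPLE_FLOWS):
        print(row)
```

A hit is a timing coincidence until corroborated; the host-side firewall registry change the report mentions in step 2 is the natural second signal to check on the matched host.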
JPIN

In addition to Dipsind and its variants, PLATINUM uses a few other families of custom-built backdoors within its attack toolset. These families of backdoors are significantly different in their capabilities and have completely different code bases. While one family relies on a small number of supported commands and simple shells, the other delves into more convoluted methods of injections, checks, and supported feature sets. Microsoft researchers refer to one such set of backdoor variants collectively as "JPIN," which is the name of a service it uses when installed. JPIN is a comprehensive tool for executing and extracting information from the compromised computer. There is strong evidence to suggest that the developers of the JPIN and Dipsind code bases were in some way related.
JPIN has its own installer and uninstaller component, which deletes itself when it encounters a version of Windows earlier than Windows XP, or finds any of these security-related processes running:

Figure 15. Security-related processes avoided by the JPIN installer

Process | Security product
360tray.exe | 360 Safeguard
bdagent.exe | BitDefender
proguard.exe | ProcessGuard
blackd.exe | BlackICE
blackice.exe | BlackICE
savservice.exe | Sophos Anti-Virus
avp.exe | Kaspersky Anti-Virus
rstray.exe | Rising Anti-virus
cmccore.exe | CMC Antivirus
cmctrayicon.exe | CMC Antivirus
zhudongfangyu.exe | 360 Safeguard

After installing the backdoor, the installer deletes itself from the compromised computer.
PLATINUM uses at least three distinct JPIN variants. One variant typically runs with a mutex named "hMSVmm" and installs itself in the folders %appdata%\Comm\Jpin and %userprofile%\AppData\Resource\Jpin.
After it is installed and started, the JPIN service can perform the following tasks, among others:
- Obtain information about the computer, such as operating system version, user name, privileges, disk space, and so on.
- List running services, processes, job IDs, and task IDs.
- Enumerate drives and their types.
- Enumerate registry keys.
- Load a custom keylogger.
- Download files.
- Download and upgrade itself.
- Acquire network information such as DNS, IP, proxies, and so on.
- Exfiltrate information over HTTP GET and POST requests, with the data stored either within the HTTP body or within the URL parameters.
- Lower security settings by tampering with registry keys.
- Inject content into the lsass.exe process, in order to load the keylogger module into lsass and call its exported function.
- Communicate via FTP.
- Send email via SMTP.
- Change permissions on files using the cacls.exe command-line utility.
JPIN can also target mobile suite applications and extract data from them. The backdoor contains code that looks for installed instances of Symbian, Blackberry, and Windows Phone management applications. If any are found, the backdoor logs sync dates, IMEI data, phone manufacturer and model information, software version date, memory, location, and capacity, among other things.
The second JPIN variant is very similar to the first one. It downloads the backdoor payload from remote locations via the BITS service, using the COM object for BITS. This variant also has its own installer and uninstaller component, which deletes itself when it encounters a version of Windows earlier than Windows XP, or finds any of the processes listed in Figure 15 running. The third known variant does not check for the processes listed in Figure 15. It uses an installer component that includes the backdoor as payload disguised as a bitmap within its resource section. The payload is in an encrypted and compressed form, disguised to avoid any suspicion from security solutions.
This variant has been seen installing itself into the following file system paths:

    %appdata%\Java\support
    %appdata%\support
    %userprofile%\AppData\Local\Java\Support
    %userprofile%\AppData\Local\Support

adbupd

Another backdoor used by PLATINUM is very similar to the Dipsind family. It is informally referred to internally at Microsoft as "adbupd", which is the name of the service under which it is installed. Salient features of this backdoor include the following:
- It tries to install itself under several different names within the Program Files directory
- It has the ability to support plug-ins to modularize functionality
- It contains a copy of the OpenSSL library to support encryption when sending or receiving data
- It contains functionality to run a copy of cmd.exe
- The configuration file is very similar to the original Dipsind family

This backdoor class uses multiple methods of achieving persistence, one of which is using WMI/MOF compiled scripts, such as the one shown in Figure 16.
Figure 16. WMI script used by the adbupd backdoor to achieve persistence

    #pragma namespace("ROOT\\cimv2")

    // Provider registration for the consumer class, hosted as LocalSystem
    instance of __Win32Provider as $P
    {
        Name = "adbupdConsumer";
        ClsId = "{74ba9ce4-fbf1-4097-32b8-34f446f037d8}";
        HostingModel = "LocalSystemHost";
    };

    instance of __EventConsumerProviderRegistration
    {
        Provider = $P;
        ConsumerClassNames = {"adbupdConsumer"};
    };

    class adbupdConsumer : __EventConsumer
    {
        [key] string Mode;
    };

    instance of adbupdConsumer as $CONSMR
    {
        Mode = "persistent";
    };

    // Filter fires on every new Windows event log entry
    instance of __EventFilter as $FLT
    {
        Name = "adbupdFilter";
        Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA \"Win32_NTLogEvent\"";
        QueryLanguage = "WQL";
    };

    // Binding that ties the filter to the consumer
    instance of __FilterToConsumerBinding as $B
    {
        Consumer = $CONSMR;
        Filter = $FLT;
    };

Keyloggers

The PLATINUM group has written a few different versions of keyloggers that perform their functions in different ways, most likely to take advantage of different weaknesses in victims' computing environments. The keyloggers can be broadly classified into two groups: those that log keystrokes through raw device input, and user mode keyloggers that use Windows hook interfaces to gather information. In particular, this second group also has the capability of dumping users' credentials using the same technique employed by Mimikatz. Both groups can set permissions on specific files to Everyone, and work in tandem with the PLATINUM backdoors.
Hotpatcher

One of PLATINUM's most recent and interesting tools is meant to inject code into processes using a variety of injection techniques. In addition to using several publicly known injection methods to perform this task, it also takes advantage of an obscure operating system feature known as hotpatching. Hotpatching is an operating system-supported feature for installing updates without having to reboot or restart a process. At a high level, hotpatching can transparently apply patches to executables and DLLs in actively running processes, which does not happen with traditional methods of code injection such as CreateRemoteThread or WriteProcessMemory. Instead, the kernel is instructed to perform the injection by invoking NtSetSystemInformation (with an appropriate SystemInformationClass) to apply the patch. The information about the patch is delivered via a specially crafted DLL that is loaded into the target process. The hotpatching feature originally shipped with Windows Server 2003 and was used to ship 10 patches to Windows Server 2003. It was removed in Windows 8 and has not been included in subsequent releases of Windows. PLATINUM appears to believe that enough of their targeted users continue to run the earlier versions of Windows to make the technique a useful tool, at least until early 2017 (see the expiration date noted below). The technique PLATINUM uses to inject code via hotpatching was first documented by security researchers in 2013.[7] Administrator permissions are required for hotpatching, and the technique used by PLATINUM does not attempt to evade this requirement through exploitation. Rather, the component's use of the hotpatching feature appears to be a way to avoid being detected, as many antivirus solutions monitor non-system processes for the regular injection methods such as CreateRemoteThread.

[7] Alex Ionescu, "Hotpatching the Hotpatcher: Stealth File-less DLL Injection," SyScan 2013, https://www.yumpu.com/en/document/view/14255220/alexsyscan13/23.

If the tool fails to inject code using hotpatching, it reverts to attempting the other, more common code injection techniques into common Windows processes, primarily targeting winlogon.exe, lsass.exe and svchost.exe:
- CreateRemoteThread
- NtQueueApcThread
- RtlCreateUserThread
- NtCreateThreadEx

The hotpatching component performs the following steps:
1. It patches the loader with a proper hotpatch to treat injected DLLs with execute page permissions. This step is required for DLLs loaded from memory (in an attempt to further conceal the malicious code).
2. The backdoor is injected into svchost using the hotpatch API. Patching the loader is done by creating a section named \knowndlls\mstbl.dll. This DLL does not reside on disk, but is rather treated as a cached DLL by the session manager. It then proceeds to write a PE file within that section.
3. The PE file will have one section (.hotp1) with the hotpatch header structure. This structure contains all the information necessary to perform the patching of function ntdll!LdrpMapViewOfSection, which will cause the loader to treat created sections as PAGE_EXECUTE_READWRITE instead of PAGE_READWRITE. The patch is successfully applied by invoking NtSetSystemInformation.
4. After the memory permission issue is solved, the injector proceeds to inject the malicious DLL into svchost. Again, it creates a (now executable) section named knowndlls\fgrps.dll and invokes NtSetSystemInformation, which causes the final payload to be loaded and executed within the target process (svchost).
5. The malicious hotpatching component appears to have an expiration date of January 15, 2017. After that date, the DLL will no longer perform the injection, but rather execute another PLATINUM implant (C:\Program Files\Windows Journal\Templates\Cpl\jnwmon.exe –ua), which may be related to an uninstall routine. (The component has not been observed in use since March 9, 2016, which may indicate that PLATINUM has chosen to stop using it earlier than the configured expiration date.)

Miscellaneous

Finally, the PLATINUM group also uses small single-purpose applications that duplicate some of the functionality of the backdoors. A couple of examples are:
- A stand-alone persistence tool that takes other files as input and ensures persistence across reboots.
- A stand-alone loader that runs another executable. It has some exported functions whose names can be used in DLL files installed as LSA password filters, but such functions are basically empty and there is no known evidence that this tool was ever used in this way. On the whole, this DLL looks like a test, suggesting that the attackers may have researched and possibly implemented variants of their malware that can be installed as LSA password filters.
Exploit (CVE-2015-2545)

CVE-2015-2545 is a use-after-free vulnerability in the embedded PostScript filter of Microsoft Office.[8] The exploit was crafted in PostScript and is able to bypass Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

[8] Microsoft issued Security Bulletin MS15-099 in September 2015 to address the issue.

This vulnerability allowed the attacker to forge a CAssoc structure, shown in Figure 17, and so also indirectly the PSObjs in the structure. The PostScript interpreter deciphers the value field (Val) based on the type field (m_type), which are under complete control of the attacker. Having developed this technique, the attacker will craft and use a combination of file, string, and integer objects to gain a reliable arbitrary code execution.
Figure 17. Memory layout of CAssoc structure and its embedded PSObjs

Root cause: The attacker defined in PostScript a dictionary with three elements, which leads to an allocation of three CAssoc structures in PSTMap. Within a Forall loop, the last two elements are undefined and a string is initialized. The PostScript statement results in a deallocation of the last two CAssoc structures and the string gets allocated in the previously freed memory address. The PostScript put operator is used to fill the string with data to mimic a CAssoc structure. By setting the hash table index to 0x3ff, the loop will exit because the hash table at that time has a max-size of 0x400. Upon exiting the loop, a reference will be returned to the secondary element, which is the forged structure.
Figure 18. Reusage of deallocated memory by a forged CAssoc structure

Acquire full memory RW access: The described method is used to craft a PSString object in which the length of the string is set to a maximum value. As a result, the exploit can use PostScript methods to search for ROP gadgets to dynamically assemble a ROP shellcode.
Figure 19. Getinterval method of PSString is used to find ROP gadgets

The purpose of this approach is to call VirtualProtect to set the pages of the second-stage shellcode as executable. As a result, DEP and ASLR are bypassed.

Arbitrary code execution: To redirect code execution to the ROP chain, the exploit crafts a PSFileObject in which the vtable is controlled by the attacker. By calling the bytesavailable method within the PostScript code, arbitrary code execution is achieved.
Identity

Although the exact identity of PLATINUM remains unknown, the technical indicators observed so far can help create a profile of the attacker.

Usage of multiple backdoors. The different backdoors written by or for the group indicate a considerable investment over time. Research indicates that PLATINUM has used multiple backdoors concurrently at times, which could represent either multiple teams within the activity group performing different campaigns, or different versions of the tools being used against varying victim networks.

Zero day exploits. PLATINUM has used several zero-day exploits against their victims. Regardless of whether they researched the exploits themselves or purchased them from independent researchers, the monetary investment required to collect and deploy zero-day exploits at this level is considerable.

Victim geography. More often than not, research into targeted attacks shows activity groups becoming opportunistic and attacking topical targets; that is, targets considered valuable based on the geopolitical events of the year. PLATINUM has consistently targeted victims within a small set of countries in South and Southeast Asia. In addition, the victims are consistently associated with a small set of entities that are directly or indirectly connected to governments.

Tools. Some of the tools used by PLATINUM, such as the port-knocking backdoor, show signs of organized thinking. PLATINUM has developed or commissioned a number of custom tools to provide the group with access to victim resources. This behavior exhibits PLATINUM's ability to adapt to victim networks, which is further evidence of the group's considerable resources for development and maintenance.
Any of these traits by themselves could be the work of a single resourceful attacker or a small group of like-minded individuals, but the presence of all of them is a clear indication of a well-resourced, focused, and disciplined group of attackers vying for information from government-related entities.
Guidance

PLATINUM is an extremely difficult adversary for targeted organizations to defend against. It possesses a wide range of technical exploitation capabilities, significant resources for researching or purchasing complicated zero-day exploits, the ability to sustain persistence across victim networks for years, and the manpower to develop and maintain a large number of tools to use within unique victim networks. Their ability to research their victims prior to targeting them, along with the capability to architect exploits that only work once or for a short period of time, makes it very difficult to investigate or track their activities. That said, there are steps that organizations can take to reduce the likelihood of PLATINUM conducting successful attacks against their employees and networks.
Take advantage of native mitigations built into Windows 10. Newer versions of Windows include critical mitigations that render some of PLATINUM's exploits ineffective when deployed. For example, the summer 2015 attack that used the unusual 'resume' would not have been successful on Windows 10 as-is because of the presence of the Supervisor Mode Execution Prevention (SMEP) mitigation, even without the latest security updates installed. Even if CVE-2015-2546 affected Windows 10, the exploitation would have required much more technical prowess to succeed; ultimately, SMEP makes it more difficult for attackers. The hooking and in-memory patching techniques used by the malicious 'hotpatcher' component are also not effective against newer versions of Windows.
Applyallsecurityupdatesassoonastheybecomeavailable.
Microsoftdeeplyresearcheseachsecurityissue,proactivelyaddressestheflaw,andmitigatestheattacksurfacearoundtheaffectedcomponent(s).
Forexample,onezero-dayvulnerabilityexploit(CVE-2015-2545)usedbyPLATINUMwasaddressedimmediatelyinSeptember2015.
Subsequently,inNovember,Microsoftalsoreleasedaproactivesecurityupdateforthesamecomponentthatendedupmitigatingotherexploitssurfacingin-the-wildafterthefirstattack.
CustomerswhoappliedthesecurityupdatesinNovemberwithoutdelaywouldhavebeenprotectedagainstthesecondwaveofexploits.
Suchmeasuresofhardeningtheunderlyingapplicationhappenoften.
MS09-017isyetanotherexample,inwhichinstallationofnewlyavailablesecurityupdatessignificantlyreducedtheattacksurface.
Considerdisablingfeatures,suchasEPSormacros,inpowerfulproductslikeMicrosoftOfficebyusingGroupPolicy.
Notallorganizationsfindtheneedtoenableallfeatures.
Forexample,inthePLATINUMattackcampaignthatusedCVE-2015-2545,anetworkinwhichOfficeEPSwasdisabledwouldnothavebeenaffected.
Enterprisenetworksshouldsegregatehighbusinessimpact(HBI)data-holdingsegmentsfromInternet-connectednetworks.
Sharingofremovablemediabetweentheseair-gappednetworksshouldbestrictlyenforced.
InthecaseofPLATINUM,suchanetworkarchitecturewouldpreventtargetedusersfromaccessingthird-partyemailservicesandtherebygrantingattackersaccesstosensitivesegmentsoftheorganizationalnetwork.
Conductenterprisesoftwaresecurityawarenesstraining,andbuildawarenessofmalwareprevention.
PLATINUMmayhaveusedzero-dayflawstocompromisevictimcomputers,butdoingsorequiredactionbytheuser,whoeitherclickedalinkinanemailoropenedanattachmenttoallowtheattackertotakecontroloftheircomputer.
Securitytrainingcanraiseawarenessandreducetheriskassociatedwiththisattackvector.
Instituteastrongnetworkfirewallandproxy.
Manytoolsusedbyattackersarenotcompatiblewithnetworkproxies.
InthecaseofPLATINUM'sversionofport-knocking,theopeningofaUDPportwouldhavebeenrenderedmootifanetworkfirewallwasblockingaccessforinboundpacketstothehost'sopenport.
Enterprisenetworksshouldconsiderblockingcertaintypesofwebsitesthatdon'tservetheinterestofthebusiness.
PLATINUMmakesextensiveuseofC&CsthatusedynamicDNShosts.
Althoughsuchfreeservicescanbeveryusefulatapersonallevel,blockingaccesstosuchhostsatalocalDNSservercanminimizepost-compromiseactivity.
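The resolver-side block described above is, in practice, a policy applied to every query name before it is forwarded. The following Python is an added example, not Microsoft's code and not part of the report: it decides whether a queried name falls under a blocked dynamic DNS zone and tallies which internal hosts keep hitting such zones, which is the signal an analyst would use to spot post-compromise activity. The zone names, the log line format (`client=<ip> query=<name>`) and the log lines themselves are constructed placeholders.

```python
"""Resolver-side policy check for dynamic DNS zones (added example).

The zone names and log lines below are constructed for the example; a real
deployment would list the dynamic DNS providers the organisation chooses to
block and read the resolver's own query log format.
"""
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Constructed placeholders standing in for blocked dynamic DNS zones.
BLOCKED_ZONES = {"ddns-provider.example", "free-dyn.example"}


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Host.Zone.' equals 'host.zone'."""
    return name.rstrip(".").lower()


def blocked_zone(qname: str, zones: Iterable[str] = BLOCKED_ZONES) -> Optional[str]:
    """Return the blocked zone that qname equals or is a subdomain of, else None.

    Matching is done on whole DNS labels, so 'host.ddns-provider.example' is
    blocked but 'notddns-provider.example' is not; a plain substring test
    would get the second case wrong.
    """
    labels = normalize(qname).split(".")
    for zone in zones:
        zone_labels = normalize(zone).split(".")
        if len(labels) >= len(zone_labels) and labels[-len(zone_labels):] == zone_labels:
            return ".".join(zone_labels)
    return None


def parse_query_log(line: str) -> Tuple[str, str]:
    """Parse a constructed log line of the form 'client=<ip> query=<name>'."""
    fields = dict(part.split("=", 1) for part in line.split())
    return fields["client"], fields["query"]


def evaluate(lines: Iterable[str]) -> Tuple[List[str], Counter]:
    """Apply the policy to query log lines.

    Returns the per-query decisions ('BLOCK ...' / 'ALLOW ...') and a Counter
    of blocked lookups per client, so a host that repeatedly resolves dynamic
    DNS names stands out even though each individual query was refused.
    """
    decisions, hits = [], Counter()
    for line in lines:
        client, qname = parse_query_log(line)
        zone = blocked_zone(qname)
        if zone:
            hits[client] += 1
            decisions.append(f"BLOCK {client} {normalize(qname)} zone={zone}")
        else:
            decisions.append(f"ALLOW {client} {normalize(qname)}")
    return decisions, hits


SAMPLE_LOG = [  # constructed lines, not from any real resolver
    "client=10.1.2.3 query=update.ddns-provider.example.",
    "client=10.1.2.3 query=mail.corp.example",
    "client=10.1.2.3 query=Beacon7.Free-Dyn.Example",
    "client=10.1.2.9 query=notddns-provider.example",
    "client=10.1.2.9 query=www.vendor.example",
]

if __name__ == "__main__":
    decisions, hits = evaluate(SAMPLE_LOG)
    print("\n".join(decisions))
    print("blocked lookups per client:", dict(hits))
```

Label-wise suffix matching is the point of the example: a resolver that matched on substrings would both miss nothing and block too much, whereas comparing whole labels from the right blocks every host under a zone and nothing else.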
Prepare your network to be forensically ready, so that you can achieve containment and recovery if a compromise occurs. A forensically ready network that records authentications, password changes, and other significant network events can help identify affected systems quickly.

Make sure that your organization's Internet-facing assets are always running up-to-date applications and security updates, and that they are regularly audited for suspicious files and activity. A number of researched PLATINUM victims had their public-facing infrastructure compromised through unknown flaws.
Detection indicators

Figure 20 consists of detection rules for a number of PLATINUM malware samples to be used with YARA (https://plusvic.github.io/yara/), an open source pattern matching tool for malware detection.

Figure 20. Detection indicators for PLATINUM malware

rule Trojan_Win32_PlaSrv : Platinum
{
    meta:
        author = "Microsoft"
        description = "Hotpatching Injector"
        original_sample_sha1 = "ff7f949da665ba8ce9fb01da357b51415634eaad"
        unpacked_sample_sha1 = "dff2fee984ba9f5a8f5d97582c83fca4fa1fe131"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $Section_name = ".hotp1"
        $offset_x59 = { C7 80 64 01 00 00 00 00 01 00 }
    condition:
        $Section_name and $offset_x59
}

rule Trojan_Win32_Platual : Platinum
{
    meta:
        author = "Microsoft"
        description = "Installer component"
        original_sample_sha1 = "e0ac2ae221328313a7eee33e9be0924c46e2beb9"
        unpacked_sample_sha1 = "ccaf36c2d02c3c5ca24eeeb7b1eae7742a23a86a"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $class_name = "AVCObfuscation"
        $scrambled_dir = { A8 8B B8 E3 B1 D7 FE 85 51 32 3E C0 F1 B7 73 99 }
    condition:
        $class_name and $scrambled_dir
}

rule Trojan_Win32_Plaplex : Platinum
{
    meta:
        author = "Microsoft"
        description = "Variant of the JPin backdoor"
        original_sample_sha1 = "ca3bda30a3cdc15afb78e54fa1bbb9300d268d66"
        unpacked_sample_sha1 = "2fe3c80e98bbb0cf5a0c4da286cd48ec78130a24"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $class_name1 = "AVCObfuscation"
        $class_name2 = "AVCSetiriControl"
    condition:
        $class_name1 and $class_name2
}

rule Trojan_Win32_Dipsind_B : Platinum
{
    meta:
        author = "Microsoft"
        description = "Dipsind Family"
        sample_sha1 = "09e0dfbb5543c708c0dd6a89fd22bbb96dc4ca1c"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $frg1 = { 8D 90 04 01 00 00 33 C0 F2 AE F7 D1 2B F9 8B C1 8B F7 8B FA C1 E9 02 F3 A5 8B C8 83 E1 03 F3 A4 8B 4D EC 8B 15 89 91 07 00 00 }
        $frg2 = { 68 A1 86 01 00 C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA }
        $frg3 = { C0 E8 07 D0 E1 0A C1 8A C8 32 D0 C0 E9 07 D0 E0 0A C8 32 CA 80 F1 63 }
    condition:
        $frg1 and $frg2 and $frg3
}

rule Trojan_Win32_PlaKeylog_B : Platinum
{
    meta:
        author = "Microsoft"
        description = "Keylogger component"
        original_sample_sha1 = "0096a3e0c97b85ca75164f48230ae530c94a2b77"
        unpacked_sample_sha1 = "6a1412daaa9bdc553689537df0a004d44f8a45fd"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $hook = { C6 06 FF 46 C6 06 25 }
        $dasm_engine = { 80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05 }
    condition:
        $hook and $dasm_engine
}

rule Trojan_Win32_Adupib : Platinum
{
    meta:
        author = "Microsoft"
        description = "Adupib SSL Backdoor"
        original_sample_sha1 = "d3ad0933e1b114b14c2b3a2c59d7f8a95ea0bcbd"
        unpacked_sample_sha1 = "a80051d5ae124fd9e5cc03e699dd91c2b373978b"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = "POLL_RATE"
        $str2 = "OP_TIME(end hour)"
        $str3 = "%d:TCP:*:Enabled"
        $str4 = "%s[PwFF_cfg%d]"
        $str5 = "Fake_GetDlgItemTextW: ***value***="
    condition:
        $str1 and $str2 and $str3 and $str4 and $str5
}

rule Trojan_Win32_PlaLsaLog : Platinum
{
    meta:
        author = "Microsoft"
        description = "Loader / possible incomplete LSA Password Filter"
        original_sample_sha1 = "fa087986697e4117c394c9a58cb9f316b2d9f7d8"
        unpacked_sample_sha1 = "29cb81dbe491143b2f8b67beaeae6557d8944ab4"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = { 8A 1C 01 32 DA 88 1C 01 8B 74 24 0C 41 3B CE 7C EF 5B 5F C6 04 01 00 5E 81 C4 04 01 00 00 C3 }
        $str2 = "PasswordChangeNotify"
    condition:
        $str1 and $str2
}

rule Trojan_Win32_Plagon : Platinum
{
    meta:
        author = "Microsoft"
        description = "Dipsind variant"
        original_sample_sha1 = "48b89f61d58b57dba6a0ca857bce97bab636af65"
        unpacked_sample_sha1 = "6dccf88d89ad7b8611b1bc2e9fb8baea41bdb65a"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = "VPLRXZHTU"
        $str2 = { 64 6F 67 32 6A 7E 6C }
        $str3 = "Dqpqftk(Wou\"Isztk)"
        $str4 = "StartThreadAtWinLogon"
    condition:
        $str1 and $str2 and $str3 and $str4
}

rule Trojan_Win32_Plakelog : Platinum
{
    meta:
        author = "Microsoft"
        description = "Raw-input based keylogger"
        original_sample_sha1 = "3907a9e41df805f912f821a47031164b6636bd04"
        unpacked_sample_sha1 = "960feeb15a0939ec0b53dcb6815adbf7ac1e7bb2"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = "" wide   // literal did not survive extraction in this copy; restore it from the original report before use
        $str2 = "[CTR-BRK]" wide
        $str3 = "[/WIN]" wide
        $str4 = { 8A 16 8A 18 32 DA 46 88 18 8B 15 08 E6 42 00 40 41 3B CA 72 EB 5E 5B }
    condition:
        $str1 and $str2 and $str3 and $str4
}

rule Trojan_Win32_Plainst : Platinum
{
    meta:
        author = "Microsoft"
        description = "Installer component"
        original_sample_sha1 = "99c08d31af211a0e17f92dd312ec7ca2b9469ecb"
        unpacked_sample_sha1 = "dcb6cf7cf7c8fdfc89656a042f81136bda354ba6"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = { 66 8B 14 4D 18 50 01 10 8B 45 08 66 33 14 70 46 66 89 54 77 FE 66 83 7C 77 FE 00 75 B7 8B 4D FC 89 41 08 8D 04 36 89 41 0C 89 79 04 }
        $str2 = { 4b D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97 }
    condition:
        $str1 and $str2
}

rule Trojan_Win32_Plagicom : Platinum
{
    meta:
        author = "Microsoft"
        description = "Installer component"
        original_sample_sha1 = "99dcb148b053f4cef6df5fa1ec5d33971a58bd1e"
        unpacked_sample_sha1 = "c1c950bc6a2ad67488e675da4dfc8916831239a7"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        // each C6 44 24 is "mov byte ptr [esp+disp8], imm8"; the ?? is the displacement byte, which this copy had dropped
        $str1 = { C6 44 24 ?? 68 C6 44 24 ?? 4D C6 44 24 ?? 53 C6 44 24 ?? 56 C6 44 24 ?? 00 }
        $str2 = "OUEMM/EMM"
        $str3 = { 85 C9 7E 08 FE 0C 10 40 3B C1 7C F8 C3 }
    condition:
        $str1 and $str2 and $str3
}

rule Trojan_Win32_Plaklog : Platinum
{
    meta:
        author = "Microsoft"
        description = "Hook-based keylogger"
        original_sample_sha1 = "831a5a29d47ab85ee3216d4e75f18d93641a9819"
        unpacked_sample_sha1 = "e18750207ddbd939975466a0e01bd84e75327dda"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = "++[%s^^unknown^^%s]++"
        $str2 = "vtfs43/emm"
        $str3 = { 33 C9 39 4C 24 08 7E 10 8B 44 24 04 03 C1 80 00 08 41 3B 4C 24 08 7C F0 C3 }
    condition:
        $str1 and $str2 and $str3
}

rule Trojan_Win32_Plapiio : Platinum
{
    meta:
        author = "Microsoft"
        description = "JPin backdoor"
        original_sample_sha1 = "3119de80088c52bd8097394092847cd984606c88"
        unpacked_sample_sha1 = "3acb8fe2a5eb3478b4553907a571b6614eb5455c"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = "ServiceMain"
        $str2 = "Startup"
        // each C6 45 is "mov byte ptr [ebp+disp8], imm8"; the ?? is the displacement byte, which this copy had dropped
        $str3 = { C6 45 ?? 68 C6 45 ?? 4D C6 45 ?? 53 C6 45 ?? 56 C6 45 ?? 6D C6 45 ?? 6D }
    condition:
        $str1 and $str2 and $str3
}

rule Trojan_Win32_Plabit : Platinum
{
    meta:
        author = "Microsoft"
        description = "Installer component"
        sample_sha1 = "6d1169775a552230302131f9385135d385efd166"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = { 4b D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97 }
        $str2 = "GetInstanceW"
        $str3 = { 8B D0 83 E2 1F 8A 14 0A 30 14 30 40 3B 44 24 04 72 EE }
    condition:
        $str1 and $str2 and $str3
}

rule Trojan_Win32_Placisc2 : Platinum
{
    meta:
        author = "Microsoft"
        description = "Dipsind variant"
        original_sample_sha1 = "bf944eb70a382bd77ee5b47548ea9a4969de0527"
        unpacked_sample_sha1 = "d807648ddecc4572c7b04405f496d25700e0be6e"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = { 76 16 8B D0 83 E2 07 8A 4C 14 24 8A 14 18 32 D1 88 14 18 40 3B C7 72 EA }
        $str2 = "VPLRXZHTU"
        $str3 = "%d) Command:%s"
        $str4 = { 0D 0A 2D 2D 2D 2D 2D 09 2D 2D 2D 2D 2D 2D 0D 0A }
    condition:
        $str1 and $str2 and $str3 and $str4
}

rule Trojan_Win32_Placisc3 : Platinum
{
    meta:
        author = "Microsoft"
        description = "Dipsind variant"
        original_sample_sha1 = "1b542dd0dacfcd4200879221709f5fa9683cdcda"
        unpacked_sample_sha1 = "bbd4992ee3f3a3267732151636359cf94fb4575d"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        // 66 89 xx takes a 32-bit displacement; the two low bytes before FF FF are wildcards that this copy had dropped
        $str1 = { BA 6E 00 00 00 66 89 95 ?? ?? FF FF B8 73 00 00 00 66 89 85 ?? ?? FF FF B9 64 00 00 00 66 89 8D ?? ?? FF FF BA 65 00 00 00 66 89 95 ?? ?? FF FF B8 6C 00 00 00 }
        $str2 = "VPLRXZHTU"
        // 8B 44 24 is "mov eax, [esp+disp8]"; the ?? is the displacement byte
        $str3 = { 8B 44 24 ?? 8A 04 01 41 32 C2 3B CF 7C F2 88 03 }
    condition:
        $str1 and $str2 and $str3
}

rule Trojan_Win32_Placisc4 : Platinum
{
    meta:
        author = "Microsoft"
        description = "Installer for Dipsind variant"
        original_sample_sha1 = "3d17828632e8ff1560f6094703ece5433bc69586"
        unpacked_sample_sha1 = "2abb8e1e9cac24be474e4955c63108ff86d1a034"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = { 8D 71 01 8B C6 99 BB 0A 00 00 00 F7 FB 0F BE D2 0F BE 04 39 2B C2 88 04 39 84 C0 74 0A }
        $str2 = { 6A 04 68 00 20 00 00 68 00 00 40 00 6A 00 FF D5 }
        // stack-built "dog2j" prefix (compare $str2 of Trojan_Win32_Plagon); the ?? is the [esp+disp8] displacement byte
        $str3 = { C6 44 24 ?? 64 C6 44 24 ?? 6F C6 44 24 ?? 67 C6 44 24 ?? 32 C6 44 24 ?? 6A }
    condition:
        $str1 and $str2 and $str3
}

rule Trojan_Win32_Plakpers : Platinum
{
    meta:
        author = "Microsoft"
        description = "Injector / loader component"
        original_sample_sha1 = "fa083d744d278c6f4865f095cfd2feabee558056"
        unpacked_sample_sha1 = "3a678b5c9c46b5b87bfcb18306ed50fadfc6372e"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = "MyFileMappingObject"
        $str2 = "[%.3u] %s %s %s [%s:" wide
        $str3 = "%s\\{%s}\\%s" wide
    condition:
        $str1 and $str2 and $str3
}

rule Trojan_Win32_Plainst2 : Platinum
{
    meta:
        author = "Microsoft"
        description = "Zc tool"
        original_sample_sha1 = "3f2ce812c38ff5ac3d813394291a5867e2cddcf2"
        unpacked_sample_sha1 = "88ff852b1b8077ad5a19cc438afb2402462fbd1a"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = "Connected [%s:%d]..."
        $str2 = "reuse possible: %c"
        $str3 = ""   // only the tail "d%%\x0a" of this literal survived extraction in this copy; restore it from the original report before use
    condition:
        $str1 and $str2 and $str3
}

rule Trojan_Win32_Plakpeer : Platinum
{
    meta:
        author = "Microsoft"
        description = "Zc tool v2"
        original_sample_sha1 = "2155c20483528377b5e3fde004bb604198463d29"
        unpacked_sample_sha1 = "dc991ef598825daabd9e70bac92c79154363bab2"
        activity_group = "Platinum"
        version = "1.0"
        last_modified = "2016-04-12"
    strings:
        $str1 = "@@E0020(%d)" wide
        $str2 = /exit.{0,3}@exit.{0,3}new.{0,3}query.{0,3}rcz.{0,3}scz/ wide
        $str3 = "" wide   // literal did not survive extraction in this copy; restore it from the original report before use
        $str4 = "" wide   // literal did not survive extraction in this copy; restore it from the original report before use
    condition:
        $str1 and $str2 and $str3 and $str4
}
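The rules in Figure 20 use three kinds of YARA strings: plain text, text marked `wide`, and hex byte patterns, some of which contain the `??` single-byte wildcard. The following Python is an added example, not Microsoft's code and not a substitute for YARA itself: it implements just enough of those semantics to show what three of the rules (Trojan_Win32_Adupib, Trojan_Win32_Plakpers and the `$str3` pattern of Trojan_Win32_Placisc3) actually compare against a file, and why a `wide` string does not match an ASCII copy of the same text. The `Pattern`/`Rule` helpers and every sample buffer are constructed for the example; the buffers only embed the rule strings in filler and are not malware.

```python
"""Toy matcher for the string kinds used in the Figure 20 rules (added example).

Not YARA and not Microsoft's code. Supported here:
  - plain text strings, matched as their ASCII bytes;
  - `wide` strings, matched as UTF-16LE (what YARA's `wide` modifier means);
  - hex patterns in braces, where `??` matches any single byte.
Every Figure 20 condition is a plain `and` of all strings, which is what
scan() evaluates.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Pattern:
    name: str   # YARA identifier, e.g. "$str1"
    kind: str   # "text", "wide" or "hex"
    value: str  # the literal as written in the rule


@dataclass
class Rule:
    name: str
    patterns: List[Pattern]


def compile_pattern(p: Pattern) -> "re.Pattern":
    """Translate one YARA string into a bytes regex."""
    if p.kind == "hex":
        parts = []
        for tok in p.value.strip("{} ").split():
            if tok == "??":
                parts.append(b".")  # any single byte (DOTALL makes '.' match 0x0A too)
            elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                parts.append(re.escape(bytes([int(tok, 16)])))
            else:
                raise ValueError(f"unsupported hex token {tok!r}")
        return re.compile(b"".join(parts), re.DOTALL)
    encoding = "utf-16-le" if p.kind == "wide" else "ascii"
    return re.compile(re.escape(p.value.encode(encoding)), re.DOTALL)


def scan(rule: Rule, data: bytes) -> Tuple[bool, Dict[str, List[int]]]:
    """Return (matched, offsets); matched is True only if every string occurs."""
    offsets = {p.name: [m.start() for m in compile_pattern(p).finditer(data)]
               for p in rule.patterns}
    return all(offsets.values()), offsets


# Strings copied from three Figure 20 rules (meta sections omitted).
ADUPIB = Rule("Trojan_Win32_Adupib", [
    Pattern("$str1", "text", "POLL_RATE"),
    Pattern("$str2", "text", "OP_TIME(end hour)"),
    Pattern("$str3", "text", "%d:TCP:*:Enabled"),
    Pattern("$str4", "text", "%s[PwFF_cfg%d]"),
    Pattern("$str5", "text", "Fake_GetDlgItemTextW: ***value***="),
])
PLAKPERS = Rule("Trojan_Win32_Plakpers", [
    Pattern("$str1", "text", "MyFileMappingObject"),
    Pattern("$str2", "wide", "[%.3u] %s %s %s [%s:"),
    Pattern("$str3", "wide", "%s\\{%s}\\%s"),  # YARA's "\\" is one backslash, as in Python
])
PLACISC3_CODE = Rule("Trojan_Win32_Placisc3 ($str3 only)", [
    Pattern("$str3", "hex", "{ 8B 44 24 ?? 8A 04 01 41 32 C2 3B CF 7C F2 88 03 }"),
])


def _wide(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed buffers: the rule strings embedded in filler, nothing more.
ADUPIB_SAMPLE = b"\x00".join(p.value.encode("ascii") for p in ADUPIB.patterns)
PLAKPERS_SAMPLE = (b"MZ filler " + b"MyFileMappingObject\x00"
                   + _wide("[%.3u] %s %s %s [%s:") + b"\x00\x00"
                   + _wide("%s\\{%s}\\%s"))
# Same text, but the two `wide` strings written as ASCII: must NOT match.
PLAKPERS_ASCII_ONLY = (b"MyFileMappingObject\x00[%.3u] %s %s %s [%s:\x00"
                       b"%s\\{%s}\\%s")
# mov eax,[esp+0x10] ... where 0x10 stands in the wildcard position.
PLACISC3_SAMPLE = b"\x90" * 4 + bytes.fromhex("8B442410 8A040141 32C23BCF 7CF28803")


def scan_all(data: bytes) -> List[str]:
    """Names of the example rules whose every string occurs in data."""
    return [r.name for r in (ADUPIB, PLAKPERS, PLACISC3_CODE) if scan(r, data)[0]]


if __name__ == "__main__":
    for label, buf in [("adupib", ADUPIB_SAMPLE), ("plakpers", PLAKPERS_SAMPLE),
                       ("plakpers-ascii", PLAKPERS_ASCII_ONLY), ("placisc3", PLACISC3_SAMPLE)]:
        print(f"{label:15s} -> {scan_all(buf)}")
```

Run the real rules with YARA; the value of the toy is in the two details it makes visible, since they are the ones most often lost when rules are ported to another engine: a `wide` string only matches the UTF-16LE encoding (the ASCII-only buffer above fails even though the same text is present), and a `??` in a hex pattern consumes exactly one byte, so the surrounding bytes must line up around it.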
