Titanium is currently being used by the Advanced Persistent Threat (APT) actor “Platinum”. Platinum is considered one of the most “technologically advanced” APT actors in the Asia-Pacific region. Their current malware targets Malaysia, Indonesia, and Vietnam. It is unclear exactly how many devices have been affected.
Titanium reportedly includes several steps and capabilities. It first releases an exploit that is able to execute code as a SYSTEM user. It then installs a shellcode that essentially downloads the necessary downloader.
The second downloader deploys a self-extracting (SFX) archive that features a Windows task installation script. Its primary goal is to install a “Windows task to establish persistence in the infected system.” This downloader then must also grab the required password-protected SFX archive, installer script, and a BITS downloader. The password is “Titanium” and it is hardcoded into the downloader.
Once all of this is accomplished, the system is then able to launch the Trojan backdoor. This backdoor is able to accept various concerning commands. It can read, send, drop, delete, or run any file on the file system, withdraw data, alter configuration parameters, and run a command line and upload the execution results to the C&C. Titanium was able to then spread through local intranet websites or by shellcode injection once it was installed on one device. Titanium is particularly difficult to detect because is able to imitate legitimate software. Researchers noticed that it was able to mimic security, DVD creation, and audio drivers software. Its mimicry abilities, complex sequences, and command capabilities make it a formidable foe.
Trojan malware is particularly pervasive. This past October, Apple deleted seventeen malicious iPhone apps. The apps included clicker trojan malware that was “designed to carry out ad fraud related tasks in the background.” All of the apps came from the same developer and were primarily used to inflate website traffic and therefore generate more revenue.
Security researchers at Kaspersky also recently discovered malware that was infecting Chrome and Firefox browsers. The malware included a remote access trojan (RAT) and was able to alter the behavior of the browsers. It is believed that the Russian hacking group “Turla” was responsible for the malware.