Following a trail of suspicious digital crumbs left in cloud-based systems across South Asia, Kaspersky Lab’s security researchers have uncovered a steganography-based attack carried out by a cyberespionage group called Platinum. The attack targeted government, military, and diplomatic entities in the region.
Platinum was active years ago, but was since believed to have been disarmed. Kaspersky’s cyber-sleuths, however, now suspect that Platinum might have been operating covertly since 2012, through an “elaborate and thoroughly crafted” campaign that allowed it to go undetected for a long time.
The group’s latest campaign harnessed a classic hacking tool known as steganography. “Steganography is the art of concealing a file of any format or communication in another file in order to deceive unwanted people from discovering the existence of [the hidden] initial file or message,” says Somdip Dey, a U.K.-based computer scientist with a special interest in steganography at the University of Essex and the Samsung R&D Institute.
Platinum used a two-step attack, piggybacking on HTML pages to stay out of sight. “[First], a PowerShell script, which is usually used for task automation and configuration, is used to download another PowerShell script to open a backdoor communication channel by using text steganography,” Dey explains. The script was programmed to run at specific times to avoid detection by users and virus scanners, and to run in a loop to survive system reboots. The script then connected to a remote malware server via the backdoor to download an HTML page that contained encrypted commands along with an encryption key hidden in the HTML code.
Kaspersky detected two steganography techniques in the code their researchers analyzed. The first was hiding the encoded message inside the HTML table attributes align, bgcolor, colspan, and rowspan, with each attribute communicating a single bit of information. With the offending table hidden within an HTML comment tag, and given that spaces and tabs in the code don’t affect how a webpage is displayed, the exploit was difficult to spot. The second technique was concealing the encryption key in groups of spaces delimited by tabs.
“The malware script runs through each line of the HTML code to decipher the encrypted message and encryption key,” Dey continues. “[After the] encrypted message and encryption key are decoded, the message is decrypted using AES-256 algorithm, which…reveals the commands needed to be executed further to continue the attack.”
Kaspersky Lab’s investigation suggests that the Platinum attackers were looking to access sensitive information and intelligence rather than to cause any direct damage to devices, networks, and systems.
Speaking about the people behind Platinum, Alexey Shulmin, a security researcher with Kaspersky, says:
“We see [them] as a cyberespionage group…targeting governments and government-related organizations in South and Southeast Asia… We know that this is a big cyberespionage campaign and that usually such campaigns are implemented by nation-state-supported threat actors, and require a group of professionals. We cannot confirm whether this was the case for Platinum.”
Another Kaspersky security expert, Saurabh Sharma, says that targeted attacks such as these are hard to detect as hackers constantly adapt and find new techniques: “Even if you detect them, they return with new strategies to stay under the radar.”
Shulmin confirms that Platinum is still active “and constantly improving their tools.”