PLATINUM

PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. [1]

ID: G0068
Contributors: Ryan Becwar
Version: 1.3
Created: 18 April 2018
Last Modified: 22 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1189 Drive-by Compromise

PLATINUM has sometimes used drive-by attacks against vulnerable browser plugins.[1]

Enterprise T1068 Exploitation for Privilege Escalation

PLATINUM has leveraged a zero-day vulnerability to escalate privileges.[1]

Enterprise T1105 Ingress Tool Transfer

PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.[2]

Enterprise T1056.001 Input Capture: Keylogging

PLATINUM has used several different keyloggers.[1]

Enterprise T1056.004 Input Capture: Credential API Hooking

PLATINUM is capable of using Windows hook interfaces for information gathering such as credential access.[1]

Enterprise T1036 Masquerading

PLATINUM has renamed rar.exe to avoid detection.[3]

Enterprise T1095 Non-Application Layer Protocol

PLATINUM has used the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control.[2]

Enterprise T1003.001 OS Credential Dumping: LSASS Memory

PLATINUM has used keyloggers that are also capable of dumping credentials.[1]

Enterprise T1566.001 Phishing: Spearphishing Attachment

PLATINUM has sent spearphishing emails with attachments to victims as its primary initial access vector.[1]

Enterprise T1055 Process Injection

PLATINUM has used various methods of process injection including hot patching.[1]

Enterprise T1204.002 User Execution: Malicious File

PLATINUM has attempted to get users to open malicious files by sending spearphishing emails with attachments to victims.[1]
