PLATINUM

PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. [1]

ID: G0068
Contributors: Ryan Becwar

Version: 1.1

Techniques Used

Domain | ID | Name | Use
Enterprise | T1003 | Credential Dumping | PLATINUM has used keyloggers that are also capable of dumping credentials.
Enterprise | T1094 | Custom Command and Control Protocol | PLATINUM has used the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control.
Enterprise | T1189 | Drive-by Compromise | PLATINUM has sometimes used drive-by attacks against vulnerable browser plugins.
Enterprise | T1068 | Exploitation for Privilege Escalation | PLATINUM has leveraged a zero-day vulnerability to escalate privileges.
Enterprise | T1179 | Hooking | PLATINUM is capable of using Windows hook interfaces for information gathering such as credential access.
Enterprise | T1056 | Input Capture | PLATINUM has used several different keyloggers.
Enterprise | T1036 | Masquerading | PLATINUM has renamed rar.exe to avoid detection.
Enterprise | T1055 | Process Injection | PLATINUM has used various methods of process injection including hot patching.
Enterprise | T1105 | Remote File Copy | PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.
Enterprise | T1193 | Spearphishing Attachment | PLATINUM has sent spearphishing emails with attachments to victims as its primary initial access vector.
Enterprise | T1095 | Standard Non-Application Layer Protocol | PLATINUM has used the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control.
Enterprise | T1204 | User Execution | PLATINUM has attempted to get users to open malicious files by sending spearphishing emails with attachments to victims.

Software

ID | Name | Techniques
S0202 | adbupd | Command-Line Interface, Standard Cryptographic Protocol, Windows Management Instrumentation Event Subscription
S0200 | Dipsind | Command-Line Interface, Custom Command and Control Protocol, Data Encoding, Remote File Copy, Scheduled Transfer, Standard Application Layer Protocol, Standard Cryptographic Protocol, Winlogon Helper DLL
S0201 | JPIN | BITS Jobs, Command-Line Interface, Disabling Security Tools, File and Directory Discovery, File Deletion, File Permissions Modification, Input Capture, Obfuscated Files or Information, Permission Groups Discovery, Process Discovery, Process Injection, Query Registry, Remote File Copy, Security Software Discovery, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Service Discovery

References