PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. [1]

ID: G0068
Contributors: Ryan Becwar
Version: 1.3
Created: 18 April 2018
Last Modified: 22 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1189 Drive-by Compromise

PLATINUM has sometimes used drive-by attacks against vulnerable browser plugins.[1]

Enterprise T1068 Exploitation for Privilege Escalation

PLATINUM has leveraged a zero-day vulnerability to escalate privileges.[1]

Enterprise T1105 Ingress Tool Transfer

PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.[2]

Enterprise T1056 .001 Input Capture: Keylogging

PLATINUM has used several different keyloggers.[1]

Enterprise T1056 .004 Input Capture: Credential API Hooking

PLATINUM is capable of using Windows hook interfaces for information gathering such as credential access.[1]

Enterprise T1036 Masquerading

PLATINUM has renamed rar.exe to avoid detection.[3]

Enterprise T1095 Non-Application Layer Protocol

PLATINUM has used the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control.[2]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

PLATINUM has used keyloggers that are also capable of dumping credentials.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

PLATINUM has sent spearphishing emails with attachments to victims as its primary initial access vector.[1]

Enterprise T1055 Process Injection

PLATINUM has used various methods of process injection including hot patching.[1]

Enterprise T1204 .002 User Execution: Malicious File

PLATINUM has attempted to get users to open malicious files by sending spearphishing emails with attachments to victims.[1]