PLATINUM

PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. [1]

ID: G0068
Contributors: Ryan Becwar
Version: 1.2
Created: 18 April 2018
Last Modified: 19 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1189 Drive-by Compromise

PLATINUM has sometimes used drive-by attacks against vulnerable browser plugins.[1]

Enterprise T1068 Exploitation for Privilege Escalation

PLATINUM has leveraged a zero-day vulnerability to escalate privileges.[1]

Enterprise T1105 Ingress Tool Transfer

PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.[2]

Enterprise T1056 .001 Input Capture: Keylogging

PLATINUM has used several different keyloggers.[1]

Enterprise T1056 .004 Input Capture: Credential API Hooking

PLATINUM is capable of using Windows hook interfaces for information gathering such as credential access.[1]

Enterprise T1036 .003 Masquerading: Rename System Utilities

PLATINUM has renamed rar.exe to avoid detection.[3]

Enterprise T1095 Non-Application Layer Protocol

PLATINUM has used the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control.[2]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

PLATINUM has used keyloggers that are also capable of dumping credentials.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

PLATINUM has sent spearphishing emails with attachments to victims as its primary initial access vector.[1]

Enterprise T1055 Process Injection

PLATINUM has used various methods of process injection including hot patching.[1]

Enterprise T1204 .002 User Execution: Malicious File

PLATINUM has attempted to get users to open malicious files by sending spearphishing emails with attachments to victims.[1]

Software

ID Name References Techniques

S0202 adbupd [1]
Techniques: Command and Scripting Interpreter: Windows Command Shell, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Windows Management Instrumentation Event Subscription

S0200 Dipsind [1]
Techniques: Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Winlogon Helper DLL, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Scheduled Transfer

S0201 JPIN [1]
Techniques: Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Mail Protocols, BITS Jobs, Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, File and Directory Permissions Modification: Windows File and Directory Permissions Modification, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Obfuscated Files or Information, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection, Query Registry, Software Discovery: Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Service Discovery

References