Titanium
Titanium is a custom Trojan backdoor used by the PLATINUM APT group and described as the final payload in a highly sophisticated multi-stage intrusion chain. Researchers reported victims primarily in South and Southeast Asia, consistent with PLATINUM’s historical focus on the APAC region. The malware is named after the password used for one of the self-extracting archives in the infection chain.
The observed campaign used a complex sequence of exploit execution, shellcode, downloaders, password-protected self-extracting archives, PowerShell scripts, wrapper DLLs, and a final backdoor payload. Reported infection vectors included malicious code hosted on compromised local intranet websites and shellcode injected into winlogon.exe, although the initial injection method was not fully known. The malware concealed components by impersonating legitimate software such as security products, sound drivers, and DVD creation tools. Persistence was established via a Windows scheduled task, and installation of the final loader could occur either as the DVDMaker Help service or through COM hijacking.
Titanium’s supporting components included a BITS-based downloader that retrieved encrypted payloads from command-and-control infrastructure, decrypted them, validated them with MD5, executed them, and deleted itself. The downloader used the IBackgroundCopyManager COM interface, created a task named "Microsoft Download," could use WMI when running as SYSTEM, and in some cases collected installed antivirus information. One reported confirmation URL was http://70.39.115.196/payment/confirm.gif. A task installer archive contained cURL compiled as a DLL and PowerShell scripts that downloaded and decrypted additional files used to create scheduled-task persistence.
The final-stage loader DvDupdate.dll decrypted an AES-256-CBC encrypted payload, restored its PE/MZ headers, and memory-loaded the Titanium backdoor from data stored in nav_downarrow.png. Titanium’s configuration contained the C2 address, traffic-encryption key, User-Agent string, and other parameters. For C2 initialization, the backdoor sent a Base64-encoded request containing a unique SystemID, computer name, and hard disk serial number, and it could obtain proxy settings from Internet Explorer. Commands were returned by the C2 in PNG files containing steganographically hidden and encrypted data.
Documented Titanium capabilities include reading and exfiltrating files, dropping files, deleting files, executing files, running command lines and uploading results, updating configuration parameters, and operating in an interactive console mode. Researchers highlighted its use of encryption, fileless techniques, software impersonation, BITS, WMI, COM hijacking, and steganographic C2 as anti-detection measures. At the time of the cited analysis, no current Titanium campaign activity had been detected.
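The artefacts named in the paragraphs above (the BITS job name, the fake service name, the loader DLL, the PNG carrier file and the confirmation URL) can be turned into a first-pass log triage. The following is an added example, not code from the page's sources or from the Mallory product; the log line format and the file paths in the sample lines are constructed.

```python
# Added example: flag the Titanium artefacts described above in endpoint and
# proxy log lines. Log format, field names and paths are constructed.
import re

# Indicator values come from the write-up; matched case-insensitively.
INDICATORS = {
    "bits_job_name":      re.compile(r"Microsoft Download", re.I),
    "fake_service_name":  re.compile(r"DVDMaker Help", re.I),
    "loader_dll":         re.compile(r"DvDupdate\.dll", re.I),
    "stego_payload_file": re.compile(r"nav_downarrow\.png", re.I),
    "confirm_url":        re.compile(r"70\.39\.115\.196/payment/confirm\.gif", re.I),
}

# Constructed sample log lines in a simple "source | message" shape.
SAMPLE_LOGS = [
    "bits   | job created display_name='Microsoft Download' owner=SYSTEM",
    "scm    | service installed name='DVDMaker Help' "
    "image='C:\\ProgramData\\DVDMaker\\DvDupdate.dll'",
    "proxy  | GET http://70.39.115.196/payment/confirm.gif ua='Mozilla/5.0'",
    "file   | created C:\\ProgramData\\DVDMaker\\nav_downarrow.png",
    "bits   | job created display_name='Windows Update' owner=SYSTEM",  # benign
]


def scan_line(line):
    """Return the names of every indicator present in one log line."""
    return [name for name, rx in INDICATORS.items() if rx.search(line)]


def scan_logs(lines):
    """Return (line_index, [indicator names]) for every line with a hit."""
    hits = []
    for i, line in enumerate(lines):
        found = scan_line(line)
        if found:
            hits.append((i, found))
    return hits


def distinct_indicators(lines):
    """Indicator names seen anywhere in the log set. Several different
    artefacts from the chain on one host is a much stronger signal than a
    single hit, since each one alone mimics ordinary software."""
    seen = set()
    for _, names in scan_logs(lines):
        seen.update(names)
    return seen


if __name__ == "__main__":
    for idx, names in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {', '.join(names)} -> {SAMPLE_LOGS[idx]}")
    print("distinct chain artefacts:", sorted(distinct_indicators(SAMPLE_LOGS)))
```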
Groups observed using it
1 distinct threat actor attributed by public researchers.
APT risk group Platinum has a shiny new plaything: A custom made trojan backdoor dubbed Titanium.
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
We believe the Titanium APT uses local intranet websites with malicious code to start spreading.
Execution
6 techniques
If it was, it launches command line arguments ... using WMI... To launch the downloaded file, the downloader uses the WMI classes Win32_ProcessStartup, Win32_Process and their methods and fields.
Its purpose is to install the Windows task to establish persistence in the infected system.
It can, among other things, read any file from the file system and exfiltrate it, drop or delete a file in the file system, drop a file and run it, run a command line and upload the execution results.
An installer script (ps1)... f1.ps1... f2.ps1... e.ps1... h.ps1
Persistence
5 techniques
Its purpose is to install the Windows task to establish persistence in the infected system.
A BITS downloader, used to download encrypted files from the C2 server, then decrypt and start them.
This is the installer script that registers DvDupdate.dll as the ‘DVDMaker Help’ service, and sets its entry point as the DllGetClassObject name.
Privilege Escalation
6 techniques
Its purpose is to install the Windows task to establish persistence in the infected system.
The sophisticated sequence of stages in all of the observed attacks so far commences with an exploit capable of gaining code execution as a SYSTEM user.
This is the installer script that registers DvDupdate.dll as the ‘DVDMaker Help’ service, and sets its entry point as the DllGetClassObject name.
Stealth
9 techniques
The whole multi-stage code is obfuscated with various Windows API calls and loops in an attempt to bypass antivirus emulation engines.
The C2 answers back with a .PNG image file that has steganographically hidden data.
None of the files in the file system can be detected as malicious, thanks to the use of encryption and fileless technologies.
The malware hides along the way during each of these stages by mimicking file names of common software, such as security products, sound drivers and DVD video creation tools.
The payload is encrypted with AES 256 CBC. The decryption key is hardcoded along with other encrypted strings.
A BITS downloader, used to download encrypted files from the C2 server, then decrypt and start them.
The loader creates a thread that decrypts the payload, restores its PE and MZ headers, and then loads it into memory and launches it.
Defense Impairment
1 technique
The cybercriminals also started using digital signatures to make the apps look more legitimate.
Discovery
3 techniques
h.ps1 gets information about the system proxy settings... The malware can also get proxy settings from Internet Explorer.
To initialize the connection to the C2, Titanium sends a Base64-encoded request that includes the unique SystemID, computer name and hard disk serial number of the infected machine.
The backdoor can accept many different commands, with the following among the most interesting: read any file from the file system and send it to the C&C.
Command and Control
2 techniques
The adversaries set up a shellcode to connect to a hardcoded command-and-control (C2) address to obtain the subsequent downloader.
Exfiltration
1 technique
It can, among other things, read any file from the file system and exfiltrate it.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
A GravityRAT-associated spyware application similar to Enigma, masquerading as legitimate software while providing malicious functionality and persistence.
Custom backdoor used in a multi-stage intrusion chain. It can read, delete, drop, and execute files, run command lines and upload results, update configuration parameters, support interactive console input, communicate with C2, and receive steganographically hidden commands from PNG files.
A multi-stage Trojan-backdoor used by Platinum that employs shellcode, wrapper DLLs, BITS-based downloaders, password-protected SFX archives, COM/service loaders, AES-encrypted payloads, and steganographic PNG-based C2 to establish persistence and execute commands such as file theft, file drop/delete, command execution, payload execution, configuration updates, and interactive console access.
See also ... Titanium (malware)