What is the threat?
On June 5, Kaspersky researchers revealed a highly sophisticated cyberespionage campaign by the advanced persistent threat (APT) group “Platinum” which employs new text-based steganography techniques to obscure their communication and install malware and a backdoor on a system. This text-based steganography technique uses a multi-stage approach that involves message encoding, hiding and a steganography technique known as SNOW (Steganographic Nature of Whitespace). SNOW is used to hide messages in ASCII text by adding whitespace to the end of lines. As spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers.
Why is this noteworthy?
The malware commands were embedded in the HTML-code of a website. The ‘tab’ and ‘space bar’ keys on a keyboard do not change how HTML-code is reflected on a webpage, so the threat actors encoded the commands in a specific sequence of these two keys. The hidden whitespace message contains the commands required to communicate back-and-forth between the C2 server and the compromised host. As a result, the commands are almost impossible to detect in network traffic, as the malware merely appeared to access an unsuspicious website that was unnoticeable in overall traffic. This is a unique method of exfiltrating data in plain sight using digital steganography and the backdoor can serve as an access point for other malware to be downloaded and installed on the host.
What is the exposure or risk?
A dedicated dropper is used to install a hidden backdoor, using steganography. Steganography is the technique of hiding secret data within an ordinary, non-secret, file or message in order to avoid detection. At first, the malware creates directories and saves the malware-related files (the backdoor itself and its configuration file) in them. Secondly, it runs the backdoor, ensures persistence, and then removes itself. Once installed, the backdoor connects to C&C server and downloads an HTML page that contains the encrypted commands as well as the encryption key both embedded into the page. It is important to note that, once an attacker has compromised a system, the attack can be propagated laterally across a connected network, even to machines without direct connections to the internet.
What can you do?
- Implement security awareness training for staff, explaining how to recognize and avoid potentially malicious applications or files. For example, employees should not download and launch any apps or programs from untrusted or unknown sources.
- For endpoint level detection, investigation and timely remediation of incidents, implement Endpoint Detection and Response solutions.
References:
- https://www.zdnet.com/article/platinum-apt-hides-backdoor-communication-in-text/
- https://securelist.com/platinum-is-back/91135/
- https://www.securityweek.com/platinum-hackers-use-steganography-mask-cc-communications
- https://securityaffairs.co/wordpress/86664/apt/platinum-apt-campaign.html