
Titanium

Posted: November 11, 2019

Titanium is a backdoor Trojan that gives its remote administrator control over the infected system and the ability to collect data from it. Its deployment is closely tied to a threat actor that is believed to be state-sponsored, focuses on Asian nations and makes notable use of stealth techniques. Monitoring internal intranet resources for signs of compromise can limit the Trojan's circulation, and users should update all anti-malware services so that Titanium can be removed as accurately and as quickly as possible.

A Trojan that's Tempered against AV Databases

Just as the metal of the same name is renowned for its durability, the Trojan named Titanium is proving robust against its enemies – the anti-virus and other security solutions that safeguard business, government and NGO networks. Titanium is a backdoor Trojan whose payload is fairly unremarkable compared to similar ones such as APT37's KARAE or the Turla APT's Skipper. What gives it an advantage over them is the support it receives from its highly sophisticated installation steps.

Titanium's capabilities include deleting files, executing programs (such as other Trojans' installers), uploading files to a C&C server and downloading content from that server for execution. It also supports further commands that facilitate remote attacks, control of the PC and infection of other machines. This payload is in keeping with the usual capabilities of a state-sponsored campaign whose purpose in breaching a target's networks is the exfiltration of intelligence.

Titanium's installation process, however, is very noteworthy. Although malware experts can't conclusively confirm the initial infection vector, it appears that Titanium compromises intranet websites within company networks and uses them to initiate drive-by downloads of itself. Titanium's installation procedure involves no fewer than six stages, all of which use multiple obfuscation techniques, ranging from simple ones (such as naming components so that they look like audio drivers) to advanced ones (memory injection for 'fileless' execution of the code, as well as steganography).

Titanium's defenses are sufficiently thorough that, currently, no AV vendors are identifying it through their standard threat heuristics.

Melting a Metallic Enemy to Your Network

None of the methodology in Titanium's propagation phases is unique to its campaign, or even to its Asia-focused threat actor, Platinum. Using misleading filenames and paths is typical of many threats, and steganography (hiding data inside images) is also a feature of unrelated threats like Ke3chang APT's Okrum and the Jaku Botnet. Titanium's potential for evasion is, however, more fully realized than that of most other backdoor Trojans, and it is effectively undetectable both by casual observation and by most security solutions' behavioral threat definitions.

Network administrators for businesses operating in Asia should periodically review intranet resources for any sign of tampering. While the disguises currently associated with Titanium include freeware DVD media products and audio drivers, Platinum will likely update the themes of these misdirections over time. Some components of the installation process also require admin privileges, which may trigger prompts for the user – unless Titanium's campaign is using exploits to bypass that restriction.

Victims should disable network connectivity as a priority, which cuts off Titanium's ability to contact the attacker's server. Windows anti-malware services still have the best chance of removing Titanium safely, but they should use their latest databases to improve their odds of identifying the Trojan.

Titanium offers a striking view of the effort that hackers put into their work, illicit as it is. While Kaspersky provides a full run-down of its current installation exploits and tactics, this Trojan will almost certainly keep evolving and making an impression throughout the rest of the year.
