PLATINUM

Introduction

PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. Microsoft PLATINUM April 2016

Activities and Tactics

Targeted Sectors: Defense, Government, Administration, Diplomacy, Intelligence, Telecoms

Country of Origin: 🏳️ Singapore

First Seen: 2016

Last Activity: 2017

Notable Campaigns

• Hellsing

Tactics, Techniques, and Procedures (TTPs)

• T1189 Drive-by Compromise
• T1105 Ingress Tool Transfer
• T1204.002 Malicious File
• T1068 Exploitation for Privilege Escalation
• T1056.004 Credential API Hooking
• T1056.001 Keylogging
• T1003.001 LSASS Memory
• T1095 Non-Application Layer Protocol
• T1055 Process Injection
• T1566.001 Spearphishing Attachment
• T1036 Masquerading

ATT&CK technique IDs (denormalized)

• T1003.001
• T1036
• T1055
• T1056.001
• T1056.004
• T1068
• T1095
• T1105
• T1189
• T1204.002
• T1566.001

Notable Indicators of Compromise (IOCs)

No atomic indicators are listed in this profile. The APTnotes snapshot indexes 2 public reports that may contain IOCs; see Source Attribution for dataset links.

Malware and Tools

• Xploit
• GraphicBooting
• Hotpatching techniques:
• CVE-2015-2545:
• AMT Feature FW evasion:

MITRE ATT&CK Software

• JPIN (S0201) — malware
• Dipsind (S0200) — malware
• adbupd (S0202) — malware

Attribution and Evidence

Country of Origin: Singapore Additional attribution information pending cataloguing.

References

[1] mitre-attack [3] Microsoft PLATINUM April 2016 Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.