The Titanium APT uses a complex multi-stage sequence of dropping, downloading and installing components, with a Trojan backdoor deployed at the final stage. Its main infection vectors include local intranet websites seeded with malicious code to start the spread, a malicious archive that can be downloaded via the Windows BITS (Background Intelligent Transfer Service) downloader, and others.
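Because BITS is a legitimate Windows component, a transfer it performs on the attacker's behalf rarely stands out on its own; what does stand out is where the job fetches from and what it fetches. The script below is an added hunting example (it is not from the Securelist report and not Kaspersky tooling) that parses constructed log lines shaped like the Microsoft-Windows-Bits-Client/Operational event 59 message, which records the start of a transfer job and its remote URL, and flags jobs that pull archives or executables from hosts outside an allowlist or from raw IP addresses. The sample lines, the allowlist, the extension list and the exact event message wording are assumptions to adapt to your own telemetry.

```python
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample lines (not real telemetry). Each line is
# "<timestamp> <EventID> <message>", modelled on the
# Microsoft-Windows-Bits-Client/Operational log, where event 59 records the start
# of a transfer job together with its remote URL (assumption: message wording
# reproduced from memory, so adjust the regex to what your collector emits).
SAMPLE_EVENTS = [
    "2019-11-08T10:02:11Z 59 BITS started the MicrosoftEdgeUpdate transfer job that is associated with the http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/abc123 URL.",
    "2019-11-08T10:05:43Z 59 BITS started the dvdsetup transfer job that is associated with the http://intranet-news.local/files/update.zip URL.",
    "2019-11-08T10:06:01Z 59 BITS started the avupdate transfer job that is associated with the http://203.0.113.25/dl/setup.7z URL.",
    "2019-11-08T10:07:30Z 60 BITS stopped transferring the dvdsetup transfer job that is associated with the http://intranet-news.local/files/update.zip URL. The status code is 0x0.",
]

# Hosts BITS is expected to talk to in this environment (hypothetical allowlist;
# build yours from a baseline of normal update traffic).
ALLOWED_HOST_SUFFIXES = (".microsoft.com", ".windowsupdate.com", ".mozilla.org")

# Payload types worth a second look: archives (the Titanium vector) and executables.
SUSPICIOUS_EXTENSIONS = (".zip", ".7z", ".rar", ".cab", ".exe", ".dll", ".msi")

# Only event 59 carries the job name and URL we care about; other IDs are skipped.
EVENT59_RE = re.compile(
    r"^(?P<ts>\S+)\s+59\s+BITS started the (?P<job>.+?) transfer job "
    r"that is associated with the (?P<url>\S+) URL\.$"
)


def classify_url(url: str) -> list:
    """Return the reasons a BITS remote URL looks suspicious (empty list = benign)."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()

    # Legitimate update infrastructure is addressed by name; a bare IP is a red flag.
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP host")
    except ValueError:
        pass

    if not host.endswith(ALLOWED_HOST_SUFFIXES):
        reasons.append("host not on allowlist")

    if path.endswith(SUSPICIOUS_EXTENSIONS):
        reasons.append("archive or executable payload")

    return reasons


def hunt_bits_jobs(lines: list) -> list:
    """Parse event-59 lines and return the jobs that need analyst attention."""
    findings = []
    for line in lines:
        m = EVENT59_RE.match(line)
        if not m:
            continue
        reasons = classify_url(m["url"])
        if reasons:
            findings.append(
                {"ts": m["ts"], "job": m["job"], "url": m["url"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in hunt_bits_jobs(SAMPLE_EVENTS):
        print(f"{f['ts']} job={f['job']!r} url={f['url']} -> {', '.join(f['reasons'])}")
```

Run against the constructed sample, the Edge update job passes cleanly while the two jobs fetching an archive from an intranet host and from a raw IP are reported. A job name that imitates a legitimate product (here "dvdsetup" and "avupdate") is deliberately not used as a signal: the campaign's disguise as DVD and anti-malware software means the name is the least trustworthy field, so the logic keys on the URL instead.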
The backdoor can accept many different commands, including but not limited to:
At every stage the malware hides by mimicking legitimate, widely used software, such as popular DVD-authoring and anti-malware products. The main targets of the Titanium campaign were located in South and Southeast Asia; around half a dozen military and government institutions are known to have been affected.
“Our findings once again indicate that while threat actors, just as Kaspersky predicted last year, went into deep waters, a lot of interesting developments are going on there with new attacks, campaigns, and malware modifications. These are yet to be found. The backdoor we found is of particular interest due to its capability to introduce an interactive mode that allows attackers to use a remote command-line mode, which sends a launched program’s output to the C&C and receives any required input from it dynamically,” said Vladimir Kononovich, a security expert at Kaspersky.
Kaspersky products detect and block the threat.
Kaspersky recommends taking the following security measures:
For further details see the report on Securelist.