PLATINUM

PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. [1]

ID: G0068
Contributors: Ryan Becwar
Version: 1.3
Created: 18 April 2018
Last Modified: 22 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1036 Masquerading

PLATINUM has renamed rar.exe to avoid detection.[2]
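Renaming a tool defeats name-based allow/deny lists but not the version resource compiled into the PE, which Sysmon exposes as OriginalFileName in Event ID 1. The following detection logic is an added example, not code from the ATT&CK page or from the cited report; the Sysmon-style records are constructed for illustration, the field names (Image, OriginalFileName, CommandLine) are real Sysmon fields, and the archiver name list and rar switch hints are assumptions chosen for the demo.

```python
import ntpath

# Constructed Sysmon Event ID 1 (process creation) records for illustration;
# these are not real logs from a PLATINUM intrusion.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "OriginalFileName": "Rar.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" a backup.rar docs'},
    {"Image": r"C:\Users\Public\Libraries\svchost.exe",
     "OriginalFileName": "Rar.exe",   # on-disk name lies, version resource does not
     "CommandLine": r"svchost.exe a -r -hpS3cret -m5 C:\ProgramData\out.rar D:\share"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"Image": r"C:\Temp\update.exe",
     "OriginalFileName": "-",   # Sysmon emits "-" when the binary carries no version resource
     "CommandLine": r"update.exe a -r -ep1 C:\Temp\1.rar C:\Users\victim\Documents"},
]

# Assumed watchlist: archivers an operator might rename to stage data quietly.
ARCHIVER_ORIGINAL_NAMES = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe"}
# Assumed hints for "rar a" style invocations: an "a" (add) command followed by rar switches.
RAR_SWITCH_HINTS = ("-hp", "-r", "-m5", "-ep1", "-v")


def looks_like_rar_usage(cmdline):
    """True when the command line has the shape of a rar archive-creation call."""
    tokens = cmdline.split()
    return (len(tokens) > 1
            and tokens[1].lower() == "a"
            and any(t.lower().startswith(RAR_SWITCH_HINTS) for t in tokens[2:]))


def classify(event):
    """Return a reason string if the event looks like a renamed archiver, else None."""
    on_disk = ntpath.basename(event["Image"]).lower()
    original = event.get("OriginalFileName", "-").lower()
    if original != "-" and original != on_disk:
        # The version resource disagrees with the file name: classic masquerading signal.
        if original in ARCHIVER_ORIGINAL_NAMES:
            return f"archiver {original} running as {on_disk}"
        return f"PE OriginalFileName {original} does not match on-disk name {on_disk}"
    if original == "-" and on_disk not in ARCHIVER_ORIGINAL_NAMES and looks_like_rar_usage(event["CommandLine"]):
        # No version resource to compare against (stripped or rebuilt binary), so fall
        # back to the command-line shape, which an operator rarely bothers to disguise.
        return f"unversioned binary {on_disk} invoked with rar-style archive command line"
    return None


def find_renamed_archivers(events):
    """Return (image path, reason) pairs for every event that trips a check."""
    return [(e["Image"], reason) for e in events if (reason := classify(e))]


if __name__ == "__main__":
    for image, reason in find_renamed_archivers(SAMPLE_EVENTS):
        print(f"ALERT {image}: {reason}")
```

The OriginalFileName comparison is cheap and catches the simple rename this page describes; the command-line fallback exists because an attacker can strip the version resource, at which point only behaviour (archive creation with a password switch, recursion, and a staging path) is left to key on. Tune the switch hints and the archiver list to the tools actually present in the environment to keep false positives down.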

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

PLATINUM has used keyloggers that are also capable of dumping credentials.[1]

Enterprise T1068 Exploitation for Privilege Escalation

PLATINUM has leveraged a zero-day vulnerability to escalate privileges.[1]

Enterprise T1189 Drive-by Compromise

PLATINUM has sometimes used drive-by attacks against vulnerable browser plugins.[1]

Enterprise T1204 .002 User Execution: Malicious File

PLATINUM has attempted to get users to open malicious files by sending spearphishing emails with attachments to victims.[1]

Enterprise T1105 Ingress Tool Transfer

PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.[3]

Enterprise T1056 .001 Input Capture: Keylogging

PLATINUM has used several different keyloggers.[1]

.004 Input Capture: Credential API Hooking

PLATINUM is capable of using Windows hook interfaces for information gathering such as credential access.[1]

Enterprise T1055 Process Injection

PLATINUM has used various methods of process injection including hot patching.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

PLATINUM has sent spearphishing emails with attachments to victims as its primary initial access vector.[1]

Enterprise T1095 Non-Application Layer Protocol

PLATINUM has used the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control.[3]
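Both AMT entries on this page (the file transfer under T1105 and the command and control under T1095) share one property that matters for defenders: SOL traffic terminates in the Intel Management Engine rather than in the host operating system, so host firewalls, EDR network sensors and packet captures on the victim see nothing. The place to look is the network. Intel AMT uses its own TCP ports: 16992 and 16993 for the web interface and WS-Management, 16994 and 16995 for the redirection services (Serial-over-LAN and IDE-Redirection), which is the channel described above. The detection below is an added example, not code from the ATT&CK page or the cited report; the NetFlow-style CSV records are constructed, and the allowlist of sanctioned management consoles is an assumption standing in for whatever provisioning hosts an environment really has.

```python
import csv
import io
from collections import defaultdict

# Intel AMT service ports. 16994/16995 are the redirection ports that carry SOL.
AMT_PORTS = {
    16992: "AMT HTTP",
    16993: "AMT HTTPS",
    16994: "AMT redirection (SOL/IDE-R)",
    16995: "AMT redirection over TLS",
}
SOL_PORTS = {16994, 16995}

# Constructed flow records (not real capture data) in a NetFlow-like CSV layout.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto,bytes
2021-04-22T10:01:00Z,10.0.5.23,10.0.5.40,445,tcp,18203
2021-04-22T10:02:11Z,10.0.5.23,10.0.5.40,16994,tcp,524288
2021-04-22T10:02:15Z,10.0.5.23,10.0.5.41,16994,tcp,1024
2021-04-22T10:05:00Z,10.0.9.2,10.0.5.40,16992,tcp,2048
2021-04-22T10:06:30Z,10.0.5.23,10.0.5.40,443,tcp,9000
"""


def parse_flows(text):
    """Parse the CSV layout above into dicts with numeric dport and bytes."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["dport"] = int(r["dport"])
        r["bytes"] = int(r["bytes"])
    return rows


def amt_flows(flows, allowed_consoles=frozenset()):
    """Flag every flow to an AMT port whose source is not a sanctioned management console."""
    hits = []
    for f in flows:
        if f["dport"] in AMT_PORTS and f["src"] not in allowed_consoles:
            hits.append({**f, "service": AMT_PORTS[f["dport"]]})
    return hits


def sol_talkers(flows, allowed_consoles=frozenset()):
    """Per unsanctioned source: which hosts it reached over SOL/IDE-R and how many bytes.

    A workstation, rather than the provisioning console, fanning out to several
    peers on 16994 is the pattern that distinguishes lateral tool transfer and
    C2 relaying from legitimate out-of-band administration.
    """
    summary = defaultdict(lambda: {"targets": set(), "bytes": 0})
    for f in amt_flows(flows, allowed_consoles):
        if f["dport"] in SOL_PORTS:
            summary[f["src"]]["targets"].add(f["dst"])
            summary[f["src"]]["bytes"] += f["bytes"]
    return {src: {"targets": sorted(v["targets"]), "bytes": v["bytes"]}
            for src, v in summary.items()}


if __name__ == "__main__":
    consoles = {"10.0.9.2"}   # assumed: the only host that should manage AMT
    flows = parse_flows(SAMPLE_FLOWS)
    for h in amt_flows(flows, consoles):
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} {h['service']} {h['bytes']}B")
    print(sol_talkers(flows, consoles))
```

Run against flows from a tap or span port at the access or distribution layer, not from the endpoints, for the reason given above. Two caveats: the redirection listener only exists on hosts where AMT is provisioned, so an inventory of provisioned machines bounds the search, and a sanctioned console legitimately hits 16994 during remote support, which is why the allowlist is a parameter rather than an afterthought.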

Software

References