Skip to content

G0068 PLATINUM

PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. 1

Item Value
ID G0068
Associated Names
Version 1.3
Created 18 April 2018
Last Modified 22 April 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1189 Drive-by Compromise PLATINUM has sometimes used drive-by attacks against vulnerable browser plugins.1
enterprise T1068 Exploitation for Privilege Escalation PLATINUM has leveraged a zero-day vulnerability to escalate privileges.1
enterprise T1105 Ingress Tool Transfer PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.3
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging PLATINUM has used several different keyloggers.1
enterprise T1056.004 Credential API Hooking PLATINUM is capable of using Windows hook interfaces for information gathering such as credential access.1
enterprise T1036 Masquerading PLATINUM has renamed rar.exe to avoid detection.2
enterprise T1095 Non-Application Layer Protocol PLATINUM has used the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control.3
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory PLATINUM has used keyloggers that are also capable of dumping credentials.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment PLATINUM has sent spearphishing emails with attachments to victims as its primary initial access vector.1
enterprise T1055 Process Injection PLATINUM has used various methods of process injection including hot patching.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File PLATINUM has attempted to get users to open malicious files by sending spearphishing emails with attachments to victims.1

Software

ID Name References Techniques
S0202 adbupd 1 Windows Command Shell:Command and Scripting Interpreter Asymmetric Cryptography:Encrypted Channel Windows Management Instrumentation Event Subscription:Event Triggered Execution
S0200 Dipsind 1 Web Protocols:Application Layer Protocol Winlogon Helper DLL:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Scheduled Transfer
S0201 JPIN 1 File Transfer Protocols:Application Layer Protocol Mail Protocols:Application Layer Protocol BITS Jobs Windows Command Shell:Command and Scripting Interpreter File and Directory Discovery Windows File and Directory Permissions Modification:File and Directory Permissions Modification Disable or Modify Tools:Impair Defenses File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Obfuscated Files or Information Local Groups:Permission Groups Discovery Process Discovery Process Injection Query Registry Security Software Discovery:Software Discovery System Information Discovery System Network Configuration Discovery System Owner/User Discovery System Service Discovery

References

  1. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018. 

  2. Carr, N.. (2018, October 25). Nick Carr Status Update. Retrieved April 22, 2019. 

  3. Kaplan, D, et al. (2017, June 7). PLATINUM continues to evolve, find ways to maintain invisibility. Retrieved February 19, 2018.