PLATINUM

aka: TwoForOne

PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.


Associated Families
win.redsalt win.amtsol win.redpepper

References

2019-06-05 - Nick Carr - Twitter (@ItsReallyNick) - "Tweet on Malware Sample"
@online{carr:20190605:malware:a6892ae, author = {Nick Carr}, title = {{Tweet on Malware Sample}}, date = {2019-06-05}, organization = {Twitter (@ItsReallyNick)}, url = {https://twitter.com/ItsReallyNick/status/1136502701301346305}, language = {English}, urldate = {2020-01-07} }
Tags: REDPEPPER, REDSALT

2019 - MITRE ATT&CK - MITRE - "Group description: PLATINUM"
@online{attck:2019:platinum:7fbd5ec, author = {MITRE ATT&CK}, title = {{Group description: PLATINUM}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0068/}, language = {English}, urldate = {2019-12-20} }
Tags: PLATINUM

2018-10 - Adrian Bataille, Matias Bevilacqua - FireEye - "Hunting for PLATINUM"
@techreport{bataille:201810:hunting:c5ffe40, author = {Adrian Bataille and Matias Bevilacqua}, title = {{Hunting for PLATINUM}}, date = {2018-10}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s01-hunting-for-platinum.pdf}, language = {English}, urldate = {2020-01-07} }
Tags: REDSALT

2017-06-07 - Microsoft Defender ATP Research Team - Microsoft - "PLATINUM continues to evolve, find ways to maintain invisibility"
@online{team:20170607:platinum:38b4122, author = {Microsoft Defender ATP Research Team}, title = {{PLATINUM continues to evolve, find ways to maintain invisibility}}, date = {2017-06-07}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/}, language = {English}, urldate = {2019-11-25} }
Tags: AMTsol

2016-04-26 - Microsoft Defender ATP Research Team - Microsoft - "Digging deep for PLATINUM"
@online{team:20160426:digging:90e644b, author = {Microsoft Defender ATP Research Team}, title = {{Digging deep for PLATINUM}}, date = {2016-04-26}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/}, language = {English}, urldate = {2020-01-06} }
Tags: PLATINUM

2016-04-26 - Windows Defender Advanced Threat Hunting Team - Microsoft - "PLATINUM: Targeted attacks in South and Southeast Asia"
@techreport{team:20160426:platinum:6d71086, author = {Windows Defender Advanced Threat Hunting Team}, title = {{PLATINUM: Targeted attacks in South and Southeast Asia}}, date = {2016-04-26}, institution = {Microsoft}, url = {http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf}, language = {English}, urldate = {2020-01-13} }
Tags: AMTsol, PLATINUM

2015-09-08 - FireEye - FireEye - "Two for One: Microsoft Office Encapsulated PostScript and Windows Privilege Escalation Zero-Days"
@techreport{fireeye:20150908:two:c836c9a, author = {FireEye}, title = {{Two for One: Microsoft Office Encapsulated PostScript and Windows Privilege Escalation Zero-Days}}, date = {2015-09-08}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf}, language = {English}, urldate = {2020-01-20} }
Tags: REDSALT

Credits: MISP Project