A group of hackers has been abusing Microsoft Windows’ patching system to target victims in Asia while staying undetected for as long as possible.
The group, discovered by Microsoft’s Windows Defender Advanced Threat Hunting team, is one of many that selectively target organizations and aim to stay hidden for as long as possible in order to increase their return on investment.
Active since 2009, Platinum primarily targets governmental organizations, defense institutes, intelligence agencies, and telecommunication providers across the region. Spear phishing campaigns are most commonly used to infiltrate victim PCs.
Microsoft revealed the details of an investigation into this specific cybercriminal group on Tuesday.
In a blog post, Microsoft’s malware center team said little is known about the hackers themselves, but they stand out from the crowd through the use of a “novel” technique called hotpatching.
“The group has gone to great lengths to develop covert techniques that allow them to conduct cyber-espionage campaigns for years without being detected,” Microsoft says.
Tracking down such a group is no easy task, but Microsoft did so using anonymized information from user devices together with its security graph and analytics. In the process, it discovered the group’s use of hotpatching, a formerly supported feature of the Windows operating system that installed updates without rebooting the machine or restarting the patched processes.
The technique requires admin-level permissions, but once those credentials have been obtained, they can be used to apply patches that modify the code of executables and DLLs.
Until now, this technique had not been observed in the wild as a tool of cybercriminals, according to Microsoft, yet it has proved a valuable method of concealing backdoors on victim PCs.
Microsoft’s security team says:
“Using hotpatching in a malicious context is a technique that can be used to avoid being detected, as many antimalware solutions monitor non-system processes for regular injection methods, such as CreateRemoteThread.
Hotpatching originally shipped with Windows Server 2003 and was used to ship 10 patches to Windows Server 2003.
Windows 10, our most secure operating system ever, is not susceptible to this and many other techniques and attack vectors.”
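One defensive check that follows from the description above, as an added example that is not from the article or from Microsoft: since hotpatching rewrites the code of executables and DLLs in process memory, a module’s mapped code section can be compared against the same section on disk, with the loader’s relocation fixups excluded so only true modifications are reported. PE parsing and process-memory reading are abstracted away; the section bytes, the relocation offset and the jump bytes are constructed for illustration (the `mov edi,edi` prologue with five bytes of padding is the classic hotpatchable function layout).

```python
# Added example (not from the article or Microsoft): report in-memory code
# modifications by diffing a module's code section as mapped in a process
# against the same section read from disk. Bytes rewritten by the loader's
# relocation fixups are excluded so that only real patches are reported.
from dataclasses import dataclass

@dataclass
class PatchedRange:
    offset: int        # section-relative offset of the first differing byte
    original: bytes    # bytes as they appear on disk
    modified: bytes    # bytes as they appear in process memory

    def looks_like_jump_hook(self) -> bool:
        """Heuristic: a patch beginning with a short (EB) or near (E9) jmp is
        typical of a function detour, which is exactly what a hotpatch plants."""
        return len(self.modified) >= 2 and self.modified[0] in (0xEB, 0xE9)

def find_patches(on_disk: bytes, in_memory: bytes,
                 reloc_offsets=(), ptr_size: int = 8) -> list:
    """Return contiguous ranges where in_memory differs from on_disk."""
    if len(on_disk) != len(in_memory):
        raise ValueError("section length mismatch; compare the same section")
    ignore = set()
    for r in reloc_offsets:                 # fixup targets legitimately differ
        ignore.update(range(r, r + ptr_size))
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(on_disk, in_memory)):
        if a != b and i not in ignore:
            if start is None:
                start = i
        elif start is not None:
            ranges.append(PatchedRange(start, on_disk[start:i], in_memory[start:i]))
            start = None
    if start is not None:
        ranges.append(PatchedRange(start, on_disk[start:], in_memory[start:]))
    return ranges

# Constructed sample (not real captured memory): five bytes of int3 padding,
# the hotpatchable prologue "mov edi,edi; push ebp; mov ebp,esp", two nops,
# a 4-byte absolute pointer the loader relocates at load time, and ret.
DISK_TEXT = bytes.fromhex("cc cc cc cc cc 8b ff 55 8b ec 90 90 11 22 33 44 c3")
# In memory the padding now holds a near jmp and the prologue a short jmp
# back into it (a detour); the pointer differs only because of relocation.
MEM_TEXT = bytes.fromhex("e9 10 20 30 40 eb f9 55 8b ec 90 90 55 66 77 88 c3")
RELOC_OFFSETS = (12,)   # the 4-byte pointer at offset 12 is a fixup target

def scan_sample() -> list:
    return find_patches(DISK_TEXT, MEM_TEXT, RELOC_OFFSETS, ptr_size=4)

if __name__ == "__main__":
    for p in scan_sample():
        print(f"patched @+{p.offset:#x}: {p.original.hex()} -> {p.modified.hex()}"
              f"{'  (jump hook)' if p.looks_like_jump_hook() else ''}")
```

A real implementation would read the module’s `.text` section from the mapped image and the on-disk file, and take the ignore list from the PE relocation directory.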
Abuse of the hotpatching feature is only one technique used by Platinum, which has also been linked to the use of zero-day exploits in its campaigns against Asian entities, mainly within Malaysia, in the quest for information.
It’s unusual to see cybercriminal groups turning to old update mechanisms to stay concealed on compromised networks, but the case highlights that any method cybercriminals can abuse, no matter how obscure, eventually will be.
For a deeper dive, you can read up on Platinum’s techniques in Microsoft’s white paper (PDF).