Hacker Group Exploits 'Hot Patching' In Windows To Cloak Cyber Espionage

Group called Platinum employs spear phishing and malicious use of hot patching to steal information from government agencies in Asia.

Rutrell Yasin, Freelance Writer

April 28, 2016

4 Min Read

A cyber espionage group is using an advanced persistent threat technique that exploits an obscure Windows OS feature known as “hot patching” to cloak backdoors they have created in targeted systems and networks of government agencies and telecommunications companies in Asia and Southeast Asia, according to Microsoft.

The group, called Platinum by Microsoft researchers, has gained persistent access to the networks of companies it targeted and victimized over a long period without being detected. Spear phishing is the primary way the group gains initial network access, targeting an individual’s personal account as a way to get inside corporate networks.

Spear phishing and the malicious use of hot patching appear to have been quite effective and, until now, enabled Platinum to go undetected. Microsoft research suggests that Platinum has been targeting its victims since at least as early as 2009.

Hot patching is a previously supported OS feature -- originally shipped with Windows Server 2003 --for installing updates without having to reboot or restart a process. It requires administrator-level permissions.  At a high level, a hot patcher can transparently apply patches to executables and Dynamic Link Libraries in actively running processes, according to researchers with Microsoft’s Windows Defender Advanced Threat Hunting Team, who discovered the threat.

“Platinum was able to abuse this feature to hide their backdoor from the behavioral sensors of many host security products. We first observed a sample employing the hot patching technique on a machine in Malaysia,” Microsoft security researchers, write in a blog.  “This allowed Platinum to gain persistent access to the networks of companies it targeted and victimized over a long period without being detected.”

Hot patching removed in Windows 8

The hot patching feature was removed in Windows 8 and has not been included in subsequent releases of Windows. Platinum, though, appears to believe that enough of their targeted users will continue to run the earlier versions of Windows to make the technique a useful tool, at least until early 2017, researchers say.

The technique Platinum uses to inject code via hot patching was first documented by security researcher Alex Ionescu in 2013. Administrator permissions are required for hot patching, and the technique used by Platinum does not attempt to evade this requirement through exploitation.

Platinum typically sends malicious documents that contain exploits for vulnerabilities in various software programs, with links or remotely loaded components such as images or scripts or templates that are delivered to targets only once, according to Microsoft researchers.

For instance, “in February 2016, Platinum was observed using a legitimate website dedicated to news about the Indian government, as an infection vector. This site, which is not associated with the Indian government itself, also provides a free email service for its users, giving them email addresses with the site’s own domain name. Platinum sent spear phishing messages to users of the service, which included some Indian government officials.”

After infecting an unsuspecting user this way, the attackers had complete control of the user’s computer and used it as a stepping stone into the official network to which the user belonged, researchers say.

Looking for government IP

Platinum, which appears to be well-funded, seeks to steal sensitive intellectual property related to government interests.  Its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. “The group’s persient use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat,” researchers say.

The Microsoft researchers have developed attacker profiles on these advanced persistent attackers that includes distinctive behavior, signatures, geography, and victimology.

To reduce the likelihood of Platinum conducting successful attacks against employees and networks, Microsoft researchers advise organizations to:

  • Take advantage of native mitigations built into Windows 10;

  • Apply all security updates as soon as they become available;

  • Conduct enterprise software security awareness training and build awareness of malware prevention;

  • Institute a strong network firewall and proxy; and

  • Make sure all Internet-facing assets are running the latest applications and security up-dates.

Related content:


Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

About the Author(s)

Rutrell Yasin

Freelance Writer

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. He has witnessed all of the major transformations in computing over the last three decades, covering the rise, death, and resurrection of the mainframe; the growing popularity of midrange and Unix-based computers; the advent of the personal computer; client/server computing; the merger of network and systems management; and the growing importance of information security. His stories have appeared in leading trade publications, including MIS Week, The Report on IBM, CommunicationsWeek, InternetWeek, Federal Computer Week, and Government Computer News. His focus in recent years has been on documenting the rise and adoption of cloud computing and big-data analytics. He has a keen interest in writing stories that show how technology can help spur innovation, make city streets and buildings safer, or even save lives.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights