A cyber espionage group is using an advanced persistent threat technique that exploits an obscure Windows OS feature known as “hot patching” to cloak backdoors they have created in targeted systems and networks of government agencies and telecommunications companies in Asia and Southeast Asia, according to Microsoft.
The group, called Platinum by Microsoft researchers, has gained persistent access to the networks of companies it targeted and victimized over a long period without being detected. Spear phishing is the primary way the group gains initial network access, targeting an individual’s personal account as a way to get inside corporate networks.
Spear phishing and the malicious use of hot patching appear to have been quite effective and, until now, enabled Platinum to go undetected. Microsoft research suggests that Platinum has been targeting its victims since at least as early as 2009.
Hot patching is a previously supported OS feature -- originally shipped with Windows Server 2003 --for installing updates without having to reboot or restart a process. It requires administrator-level permissions. At a high level, a hot patcher can transparently apply patches to executables and Dynamic Link Libraries in actively running processes, according to researchers with Microsoft’s Windows Defender Advanced Threat Hunting Team, who discovered the threat.
“Platinum was able to abuse this feature to hide their backdoor from the behavioral sensors of many host security products. We first observed a sample employing the hot patching technique on a machine in Malaysia,” Microsoft security researchers, write in a blog. “This allowed Platinum to gain persistent access to the networks of companies it targeted and victimized over a long period without being detected.”
Hot patching removed in Windows 8
The hot patching feature was removed in Windows 8 and has not been included in subsequent releases of Windows. Platinum, though, appears to believe that enough of their targeted users will continue to run the earlier versions of Windows to make the technique a useful tool, at least until early 2017, researchers say.
The technique Platinum uses to inject code via hot patching was first documented by security researcher Alex Ionescu in 2013. Administrator permissions are required for hot patching, and the technique used by Platinum does not attempt to evade this requirement through exploitation.
Platinum typically sends malicious documents that contain exploits for vulnerabilities in various software programs, with links or remotely loaded components such as images or scripts or templates that are delivered to targets only once, according to Microsoft researchers.
For instance, “in February 2016, Platinum was observed using a legitimate website dedicated to news about the Indian government, as an infection vector. This site, which is not associated with the Indian government itself, also provides a free email service for its users, giving them email addresses with the site’s own domain name. Platinum sent spear phishing messages to users of the service, which included some Indian government officials.”
After infecting an unsuspecting user this way, the attackers had complete control of the user’s computer and used it as a stepping stone into the official network to which the user belonged, researchers say.
Looking for government IP
Platinum, which appears to be well-funded, seeks to steal sensitive intellectual property related to government interests. Its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. “The group’s persient use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat,” researchers say.
The Microsoft researchers have developed attacker profiles on these advanced persistent attackers that includes distinctive behavior, signatures, geography, and victimology.
To reduce the likelihood of Platinum conducting successful attacks against employees and networks, Microsoft researchers advise organizations to:
- Take advantage of native mitigations built into Windows 10;
- Apply all security updates as soon as they become available;
- Conduct enterprise software security awareness training and build awareness of malware prevention;
- Institute a strong network firewall and proxy; and
- Make sure all Internet-facing assets are running the latest applications and security up-dates.
- PowerShell Increasingly Being Used To Hide Malicious Activity
- Apple QuickTime For Windows: Uninstall It ASAP, Security Firm Warns
- Microsoft: Keep Calm But Vigilant About Ransomware