Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:01 PM
Connect Directly

Hacker Group Exploits 'Hot Patching' In Windows To Cloak Cyber Espionage

Group called Platinum employs spear phishing and malicious use of hot patching to steal information from government agencies in Asia.

A cyber espionage group is using an advanced persistent threat technique that exploits an obscure Windows OS feature known as “hot patching” to cloak backdoors they have created in targeted systems and networks of government agencies and telecommunications companies in Asia and Southeast Asia, according to Microsoft.

The group, called Platinum by Microsoft researchers, has gained persistent access to the networks of companies it targeted and victimized over a long period without being detected. Spear phishing is the primary way the group gains initial network access, targeting an individual’s personal account as a way to get inside corporate networks.

Spear phishing and the malicious use of hot patching appear to have been quite effective and, until now, enabled Platinum to go undetected. Microsoft research suggests that Platinum has been targeting its victims since at least as early as 2009.

Hot patching is a previously supported OS feature -- originally shipped with Windows Server 2003 --for installing updates without having to reboot or restart a process. It requires administrator-level permissions.  At a high level, a hot patcher can transparently apply patches to executables and Dynamic Link Libraries in actively running processes, according to researchers with Microsoft’s Windows Defender Advanced Threat Hunting Team, who discovered the threat.

“Platinum was able to abuse this feature to hide their backdoor from the behavioral sensors of many host security products. We first observed a sample employing the hot patching technique on a machine in Malaysia,” Microsoft security researchers, write in a blog.  “This allowed Platinum to gain persistent access to the networks of companies it targeted and victimized over a long period without being detected.”

Hot patching removed in Windows 8

The hot patching feature was removed in Windows 8 and has not been included in subsequent releases of Windows. Platinum, though, appears to believe that enough of their targeted users will continue to run the earlier versions of Windows to make the technique a useful tool, at least until early 2017, researchers say.

The technique Platinum uses to inject code via hot patching was first documented by security researcher Alex Ionescu in 2013. Administrator permissions are required for hot patching, and the technique used by Platinum does not attempt to evade this requirement through exploitation.

Platinum typically sends malicious documents that contain exploits for vulnerabilities in various software programs, with links or remotely loaded components such as images or scripts or templates that are delivered to targets only once, according to Microsoft researchers.

For instance, “in February 2016, Platinum was observed using a legitimate website dedicated to news about the Indian government, as an infection vector. This site, which is not associated with the Indian government itself, also provides a free email service for its users, giving them email addresses with the site’s own domain name. Platinum sent spear phishing messages to users of the service, which included some Indian government officials.”

After infecting an unsuspecting user this way, the attackers had complete control of the user’s computer and used it as a stepping stone into the official network to which the user belonged, researchers say.

Looking for government IP

Platinum, which appears to be well-funded, seeks to steal sensitive intellectual property related to government interests.  Its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. “The group’s persient use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat,” researchers say.

The Microsoft researchers have developed attacker profiles on these advanced persistent attackers that includes distinctive behavior, signatures, geography, and victimology.

To reduce the likelihood of Platinum conducting successful attacks against employees and networks, Microsoft researchers advise organizations to:

  • Take advantage of native mitigations built into Windows 10;
  • Apply all security updates as soon as they become available;
  • Conduct enterprise software security awareness training and build awareness of malware prevention;
  • Institute a strong network firewall and proxy; and
  • Make sure all Internet-facing assets are running the latest applications and security up-dates.

Related content:


Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-02-25
A server-side request forgery (SSRF) vulnerability in Upgrade.php of gopeak masterlab 2.1.5, via the 'source' parameter.
PUBLISHED: 2021-02-25
Triconsole Datepicker Calendar <3.77 is affected by cross-site scripting (XSS) in calendar_form.php. Attackers can read authentication cookies that are still active, which can be used to perform further attacks such as reading browser history, directory listings, and file contents.
PUBLISHED: 2021-02-25
Stored cross-site scripting (XSS) in form field in robust.systems product Custom Global Variables v 1.0.5 allows a remote attacker to inject arbitrary code via the vars[0][name] field.
PUBLISHED: 2021-02-25
Magento UPWARD-php version 1.1.4 (and earlier) is affected by a Path traversal vulnerability in Magento UPWARD Connector version 1.1.2 (and earlier) due to the upload feature. An attacker could potentially exploit this vulnerability to upload a malicious YAML file that can contain instructions which...
PUBLISHED: 2021-02-25
Adobe Bridge version 11.0 (and earlier) is affected by an out-of-bounds write vulnerability when parsing TTF files that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.