TechWalls

Technology News | Gadget Reviews | Tutorials
Microsoft fails to detect abuses on a Windows patching feature for 7 years

Updated on Apr 28, 2016 by Guest Authors

A group of hackers, probably state sponsored, has been wreaking havoc on government agencies and telecommunications firms based in South and Southeast Asia since as early as 2009, using a lesser-known Windows feature.

Why it took about seven years for Microsoft to discover the abuse of the Windows feature called hotpatching, only the software giant can tell. But in a report made public recently, Microsoft said the group of attackers targeted defense organizations, intelligence communities, diplomats and telecommunications companies in Malaysia, Indonesia and China, indicating that the attacks were meant for cyber espionage.


Branding themselves as Platinum, the group of attackers has been employing cautious tactics so as not to cause a blip on the radar of detection tools. For instance, Platinum has been reducing its attack frequency every year.

Windows’ hotpatching feature was introduced together with Windows Server 2003 and faded away when Windows 8 arrived, because Microsoft found the feature useless for millions of Windows users. Once it had slipped into obscurity, Platinum hackers began to use the feature to load malicious code into running Windows processes. Because hotpatching patches a running process in place, the compromised servers did not have to be rebooted, which left one less sign of tampering for administrators to notice.

It also appears that the attackers behind the hotpatching abuse already had privileged access to the victim systems, because hotpatching requires administrator rights to perform. One attack vector used by Platinum hackers was spear phishing, which they combined with a rogue Microsoft Office file intended to exploit unpatched flaws and plant backdoors on computers. These vulnerabilities have since been patched.

The use of the hotpatching feature makes the Platinum attack less noticeable to Microsoft’s radar because most antivirus tools are designed to watch for injection methods that are not native to the system, that is, injection performed by third-party code. Hotpatching, on the other hand, is a native Windows mechanism, and it is being used to inject code into the machines. If injecting code through hotpatching fails, the attackers fall back to more common injection techniques to get their code into Windows processes. This gives the attackers a wide variety of options for injecting malicious code.

Platinum is an advanced persistent threat group that holds a treasure trove of backdoors and malware kits, and it works furtively by having its malware delete itself. The group’s code is designed to infect only machines that have already been compromised, so as to keep its tracks hidden from antivirus software.
