A group of hackers – probably state sponsored – has been wreaking havoc on government agencies and telecommunications firms based in South and Southeast Asia since as early as 2009, using a lesser-known feature of Windows.
Why it took about seven years for Microsoft to discover the abuse of the Windows feature called hotpatching, only the software giant can tell. But in its recently published report, Microsoft said the group targeted defense organizations, intelligence communities, diplomats and telecommunications companies in Malaysia, Indonesia and China – indicating that the attacks were carried out for cyber espionage.
Branding itself as Platinum, the group has employed cautious tactics so as not to cause a blip on the radar of detection tools. For instance, Platinum has kept its attack frequency low, launching fewer attacks each year.
Windows’ hotpatching feature was introduced with Windows Server 2003 and was dropped with the release of Windows 8, because Microsoft found it of little use to the millions of ordinary Windows users. Once the feature had slipped into obscurity, Platinum began using it to load malicious code into running Windows processes. Because hotpatching applies changes to a live process, the compromised servers did not have to be rebooted, which left no conspicuous downtime.
It also appears that the attackers behind the hotpatching abuse already had privileged access to the victim systems, because hotpatching requires administrator rights. One attack vector used by Platinum was spear phishing, combined with a malicious Microsoft Office file that exploited then-unpatched flaws to plant backdoors on the targeted computers. Fortunately, those vulnerabilities have since been patched.
Using hotpatching makes the Platinum attacks harder for security tools to notice, because most antivirus products are designed to watch for injection performed through mechanisms that are not native to the system, such as third-party injection methods. Hotpatching, on the other hand, is a native Windows mechanism, and the attackers used it to inject code into processes on the victim machines. If injection through hotpatching fails, the attackers’ tool falls back to more common injection techniques to get its code into Windows processes. This gives the attackers a wide range of options for injecting malicious code.
Platinum is an advanced persistent threat group with a large arsenal of backdoors and malware kits, and it operates stealthily by having its malware delete itself after use. The group’s code is designed to infect only machines that have already been compromised, which helps keep its tracks hidden from antivirus software.