PLATINUM gang exploited Microsoft 'hotpatching' support to mask activities
The Microsoft Windows Defender Advanced Threat Hunting Team detailed the nefarious activities of a cybergang it dubbed PLATINUM.
A group of cybercriminals, code-named PLATINUM by Microsoft's Windows Defender Advanced Threat Hunting Team, has “gone to great lengths” over many years “to develop covert techniques” so their cyber-espionage campaigns will evade detection, even using Windows's support for “hotpatching” against it, according to a blog post.
Although details about the PLATINUM team itself are scarce, Microsoft's threat hunters have learned a great deal about the techniques the group has used to exploit zero-day vulnerabilities as well as evasive measures such as using self-deleting malware.
The cybergang primarily aims its attacks at government organizations, defense groups, intelligence agencies, and telecommunication providers located in South and Southeast Asia, Microsoft said.
The Microsoft team found that PLATINUM was actively engaged in the malicious use of hotpatching, “a previously supported OS feature for installing updates without having to reboot or restart a process,” they wrote.
Microsoft introduced support for hotpatch with Windows Server 2003. A hotpatcher does require admin-level permissions to “transparently apply patches to executables and DLLs in actively running processes.”
PLATINUM abused hotpatching to camouflage their backdoor so it couldn't be detected by the behavioral sensors included in many host security solutions. “We first observed a sample employing the hotpatching technique on a machine in Malaysia,” the threat hunters noted. “This allowed PLATINUM to gain persistent access to the networks of companies it targeted and victimized over a long period without being detected.”