Advanced attackers operating in Southeast Asia are abusing a feature in Intel chips to quietly load malware and exploits onto compromised machines.
Microsoft on Thursday published its latest research into a group it calls Platinum, which is keen on using previously untapped resources to stealthily attack computers and avoid detection.
In April 2016, Microsoft described how Platinum was using a hotpatching feature introduced in Windows Server 2003 (and removed by Windows 8) to inject malicious code in running processes. Platinum’s targets are largely strategic: government agencies, defense contractors and intelligence agencies, along with critical industries such as telecommunications.
Now, Microsoft says, Platinum has a file-transfer tool that makes use of Intel Active Management Technology (AMT), specifically its Serial-over-LAN (SOL) communication channel, to get malicious code running on a targeted machine. According to Microsoft and Intel, this is the first known case of an APT abusing chipset functionality in this way.
“This channel works independently of the operating system, rendering any communication over it invisible to firewall and network monitoring applications running on the host device,” Microsoft said. “Until this incident, no malware had been discovered misusing the AMT SOL feature for communication.”
Microsoft informed Intel of its findings, and the two companies said that this isn’t a vulnerability in AMT, but an abuse of its capabilities. Coincidentally, a serious elevation of privilege vulnerability in AMT was disclosed in early May that allowed an attacker remote access and full control over compromised machines, but this is unrelated, the two companies said.
Microsoft said in its report that it discovered the file-transfer tool only on a handful of machines.
The attack has some prerequisites, Microsoft said, primarily because AMT is off by default and enabling it requires administrative privileges.
“It is currently unknown if PLATINUM was able to provision workstations to use the feature or piggyback on a previously enabled workstation management feature,” Microsoft said. “In either case, PLATINUM would need to have gained administrative privileges on targeted systems prior to the feature’s misuse.”
The AMT feature is present on Intel vPro processors and chipsets and is used for remote management. The SOL feature exposes a virtual serial device over TCP and works independently of the OS and networking stack running on the host. AMT, and SOL by extension, uses the Intel Management Engine’s own networking stack to communicate as long as the host device is physically connected to the network. Because it bypasses the host’s networking stack, it can’t be blocked by the firewall on the host. The host never sees any of the malicious traffic, and by extension, neither does any of the antimalware or intrusion detection software running on it.
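The practical consequence of the paragraph above is that the traffic can only be observed off-host: on a span port, a network tap, or in the connection logs of a switch or perimeter firewall. The following script is an added example for this article, not code from Microsoft, Intel or the Platinum report. It scans constructed Zeek-style connection-log lines and flags flows to the TCP listeners Intel AMT exposes (16992/16993 for the WS-Management web interface, 16994/16995 for the redirection service that carries SOL), separating those from an approved management console from those that are not. The log format, the field order, the sample addresses and the allowlist of management consoles are assumptions made for the example.

```python
"""Flag off-host network flows that reach Intel AMT listeners.

Added example; not the article's, Microsoft's or Intel's code. The port
table reflects Intel AMT's documented TCP listeners; everything else
(log layout, addresses, the console allowlist) is constructed here.
"""
from collections import defaultdict
from dataclasses import dataclass

# Intel AMT TCP listeners. SOL rides on the redirection service (16994/16995).
AMT_PORTS = {
    16992: "AMT web/WS-Management (HTTP)",
    16993: "AMT web/WS-Management (HTTPS)",
    16994: "AMT redirection: SOL / IDE-R (cleartext)",
    16995: "AMT redirection: SOL / IDE-R (TLS)",
}

# Assumption: the only hosts permitted to open AMT sessions in this network.
MANAGEMENT_CONSOLES = {"10.0.0.5"}

# Constructed Zeek-style conn log: ts, src, sport, dst, dport, proto, bytes.
SAMPLE_CONN_LOG = """\
1496400001.123\t10.0.0.5\t51822\t10.0.1.20\t16993\ttcp\t4120
1496400032.456\t10.0.1.20\t49153\t10.0.1.21\t445\ttcp\t8900
1496400050.789\t10.0.1.44\t40001\t10.0.1.20\t16994\ttcp\t1048576
1496400060.000\t10.0.1.44\t40002\t10.0.1.20\t16994\ttcp\t2097152
1496400070.000\t203.0.113.9\t5555\t10.0.1.22\t16992\ttcp\t2300
"""


@dataclass
class Finding:
    ts: float
    src: str
    dst: str
    dport: int
    service: str
    nbytes: int
    reason: str


def parse_conn_line(line):
    """Split one tab-separated conn record into typed fields."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        raise ValueError(f"unexpected field count in {line!r}")
    ts, src, sport, dst, dport, proto, nbytes = fields
    return {
        "ts": float(ts), "src": src, "sport": int(sport),
        "dst": dst, "dport": int(dport), "proto": proto, "bytes": int(nbytes),
    }


def find_amt_flows(log_text, consoles=MANAGEMENT_CONSOLES):
    """Return every TCP flow whose destination port is an AMT listener.

    Flows from an approved console are still reported (so that the
    record is complete) but labelled as expected; all others are flagged.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        service = AMT_PORTS.get(rec["dport"])
        if service is None or rec["proto"] != "tcp":
            continue
        if rec["src"] in consoles:
            reason = "expected: approved management console"
        else:
            reason = "unexpected: source is not an approved management console"
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"],
                                rec["dport"], service, rec["bytes"], reason))
    return findings


def summarize_by_source(findings):
    """Total bytes sent to AMT listeners by each unapproved source.

    A large volume toward the redirection port is what a file transfer
    over SOL would look like from the wire.
    """
    totals = defaultdict(int)
    for f in findings:
        if f.reason.startswith("unexpected"):
            totals[f.src] += f.nbytes
    return dict(totals)


if __name__ == "__main__":
    found = find_amt_flows(SAMPLE_CONN_LOG)
    for f in found:
        print(f"{f.ts:.3f} {f.src} -> {f.dst}:{f.dport} {f.service} "
              f"{f.nbytes} bytes [{f.reason}]")
    print("unapproved sources:", summarize_by_source(found))
```

Because the host's own firewall and EDR cannot see these flows, the inverse check is also worth running: any AMT-port activity that appears in network logs but is absent from the endpoint's own connection telemetry is, by itself, consistent with traffic going through the Management Engine rather than the OS.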
Microsoft said Platinum has been active in Asia since 2009, and keeps its use of attack tools—including zero days—close to the vest.
Platinum’s abuse of Windows hotpatching was disclosed more than a year ago. The feature was abused to inject malicious code into running processes without having to reboot the compromised server. Like SOL, hotpatching requires admin privileges, meaning the attackers must have previously compromised the box in order to carry out this phase of the attack.
The group, like many other APTs, uses spear phishing campaigns to gain an initial foothold on a network. Platinum uses malicious Office documents that exploit known but unpatched vulnerabilities to install backdoors and other code onto compromised machines.