An obscure Windows feature known as hotpatching, missing in the OS since the introduction of Windows 8, is a preferred tool used by a resourced attack group called Platinum that was uncovered by Microsoft.
The group has carried out targeted attacks in South and Southeast Asia since at least 2009, focusing primarily on government interests, including agencies, defense organizations, intelligence agencies, diplomats and telecommunications companies.
Platinum has used at least four zero days in attacks, which are kept to relative few every year, Microsoft said, in order to stay under the radar and avoid detection. Most of the victims are in Malaysia, Indonesia and China.
The abuse of Windows’ hotpatching feature, introduced in Windows Server 2003, allows the attackers to inject malicious code into running processes without having to reboot the server. Hotpatching requires admin privileges, therefore the attackers have to already be on the box to make use of this technique.
That, however, doesn’t seem to be a problem. The APT group has had great success penetrating targets’ machines with spear phishing campaigns loaded with malicious Office documents that exploit previously unpatched vulnerabilities and download backdoors and other code to compromised machines. Four zero days uncovered by Microsoft have been patched, the company’s Windows Defender Advanced Threat Hunting team said in a report published on Tuesday.
Hotpatching has been studied by hackers since its addition to Windows. At Black Hat 2006, Alex Sotirov did a talk on the risk of hotpatching and Alex Ionescu followed that up with a talk in 2013 on writing malicious hotpatches.
The Platinum APT group puts it to use to elude security tools, and in one sample Microsoft found an expiration date of January 2017.
“The component’s use of the hot patching feature appears to be a way to avoid being detected, as many antivirus solutions monitor non-system processes for the regular injection methods such as CreateRemoteThread,” Microsoft said in its report. “If the tool fails to inject code using hot patching, it reverts to attempting the other more common code injection techniques into common Windows processes, primarily targeting winlogon.exe, lsass.exe and svchost.exe.”
Platinum has a number of backdoors and custom malware components at its disposal. It also is careful to cover its tracks, including the ability to self delete malicious components, and ensuring that malicious code is allowed to load only once on a compromised machine and few samples are in the wild.
The group is still active as of February when Microsoft said it discovered an attack against a government news website in India. Microsoft, in its report, also provided details on two specific campaigns demonstrating the range of capabilities at Platinum’s disposal beyond the use of zero days—sometimes deploying more than one against the same target. The group makes use of a number of backdoors, each with varying degrees of capabilities ranging from the theft of intellectual property, to fingerprinting system and browser information before additional attacks are launched. The group also has a host of keyloggers in its back of tricks.
“The resources required to research and deploy multiple zero-day exploits within the same attack campaign are considerable,” Microsoft said. “Such activity requires a significant amount of investment in research and development, along with the discipline to ensure that the exploits are not used until the appropriate time, and that no one involved with the project leaks them to other parties.”