The hacker crew discovered by Microsoft and dubbed Platinum APT group conducted cyber espionage against organizations in South and Southeast Asia leveraging a Windows patching system.
According to Microsoft, the Platinum has been active since at least 2009, it was responsible for spear phishing attacks on ISPs, government organizations, intelligence agencies, and defense institutes.
The hackers don’t appear to be financially motivated, this consideration and the type of targeted entities suggest the Platinum APT is a group of state-sponsored hackers of hackers that intend to resell the stolen information to Government.
The experts at the Microsoft Windows Defender Advanced Threat Hunting team have discovered that the Platinum APT group has been exploiting a feature called hotpatching to hide its operations.
The Hotpatching feature allows the installation of updates on Windows systems without having to reboot or restart a process. The mechanism could be abused to inject malicious code into processes without being detected by security solutions.
The feature was introducted with Windows 2003 server and recently removed with the release of Windows 8 OS.
According to the experts at Microsoft, this is the first time the Hotpatching feature is exploited by hackers in the wild.
The Platinum APT group exploited the Hotpatching feature to inject a backdoor into the svchost process.
“Hotpatching originally shipped with Windows Server 2003 and was used to ship 10 patches to Windows Server 2003. Windows 10, our most secure operating system ever, is not susceptible to this and many other techniques and attack vectors.” Microsoft wrote in a blog post. “What this means in practical terms is that PLATINUM was able to abuse this feature to hide their backdoor from the behavioral sensors of many host security products. We first observed a sample employing the hotpatching technique on a machine in Malaysia. This allowed PLATINUM to gain persistent access to the networks of companies it targeted and victimized over a long period without being detected.”
Experts at Microsoft who investigated the activity of the Platinum APT group discovered that it conducted many other campaigns in the last years. The group always spent a significant effort in developing custom-built malware with advanced evading detection mechanisms.
The APT group used several zero-day exploits to remain hidden, and researchers also speculated that the group has considerable financial resources.
“The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.” states a detailed analysis published by Microsoft on the Platinum APT group.
“Any of these traits by themselves could be the work of a single resourceful attacker or a small group of like-minded individuals, but the presence of all of them is a clear indication of a well resourced, focused, and disciplined group of attackers vying for information from government related entities.”
(Security Affairs – Platinum APT group, cyber espionage)