Gang used Microsoft 'hotpatching' to hide activities


A group of cybercriminals, code-named PLATINUM by Microsoft's Windows Defender Advanced Threat Hunting Team, has “gone to great lengths” over many years “to develop covert techniques” so that its cyber-espionage campaigns evade detection, even turning Windows' own support for “hotpatching” against the platform, according to a blog post.

Although details about the PLATINUM team itself are scarce, Microsoft's threat hunters have learned a great deal about the techniques the group has used to exploit zero-day vulnerabilities as well as evasive measures such as using self-deleting malware.

The cybergang primarily aims its attacks at government organisations, defense groups, intelligence agencies, and telecommunication providers located in South and Southeast Asia, Microsoft said.

The Microsoft team found that PLATINUM was actively engaged in the malicious use of hotpatching, “a previously supported OS feature for installing updates without having to reboot or restart a process,” they wrote.

Microsoft introduced hotpatching support with Windows Server 2003. Applying a hotpatch requires administrator-level permissions; with those, a hotpatcher can “transparently apply patches to executables and DLLs in actively running processes.”

PLATINUM abused hotpatching to camouflage their backdoor so it couldn't be detected by the behavioral sensors included in many host security solutions. “We first observed a sample employing the hotpatching technique on a machine in Malaysia,” the threat hunters noted. “This allowed PLATINUM to gain persistent access to the networks of companies it targeted and victimised over a long period without being detected.”
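Because a hotpatch rewrites code inside a running process without touching the file on disk, the most direct way to notice one, legitimate or malicious, is to compare a module's loaded code section against the same section in the on-disk image. The following is an added example (it is not code from Microsoft's post or from the article) showing that comparison: it reports every byte range that differs and flags ranges that match the x86 hotpatch layout, where the five bytes of padding before a hotpatchable function are overwritten with a long `jmp` (`E9 rel32`) and the function's two-byte `mov edi, edi` prolog (`8B FF`) is overwritten with a short `jmp` back to it (`EB F9`). The sample code sections are constructed for the example; reading real process memory and accounting for relocations and import thunks is left to the caller.

```python
"""Compare a module's code section as loaded in memory with the copy on disk
and report modified byte ranges, flagging hotpatch-style trampolines.

Added example for illustration; sample bytes are constructed, not captured."""
from typing import Dict, List, Tuple

Range = Tuple[int, int]  # (offset into the section, length in bytes)


def find_patched_ranges(disk: bytes, mem: bytes) -> List[Range]:
    """Return maximal runs of bytes where the in-memory copy differs from disk."""
    if len(disk) != len(mem):
        raise ValueError("code sections differ in size; compare the same section")
    ranges: List[Range] = []
    start = None
    for i, (on_disk, in_mem) in enumerate(zip(disk, mem)):
        if on_disk != in_mem:
            if start is None:
                start = i  # opening a new divergent run
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:  # run extends to the end of the section
        ranges.append((start, len(disk) - start))
    return ranges


def looks_like_hotpatch_trampoline(mem: bytes, offset: int) -> bool:
    """Heuristic for the x86 hotpatch layout at `offset`:
    five padding bytes rewritten to 'E9 rel32' (long jmp), immediately followed
    by the function entry rewritten to 'EB F9' (short jmp -7 back onto the E9)."""
    window = mem[offset:offset + 7]
    return len(window) == 7 and window[0] == 0xE9 and window[5:7] == b"\xEB\xF9"


def report(disk: bytes, mem: bytes) -> List[Dict[str, object]]:
    """Describe each modified range and whether it resembles a hotpatch trampoline."""
    return [
        {
            "offset": off,
            "length": length,
            "disk_bytes": disk[off:off + length].hex(),
            "mem_bytes": mem[off:off + length].hex(),
            "trampoline": looks_like_hotpatch_trampoline(mem, off),
        }
        for off, length in find_patched_ranges(disk, mem)
    ]


# Constructed sample section: 5 bytes of int3 padding, then a hotpatchable
# function beginning with 'mov edi, edi' and a trivial prolog/epilogue.
DISK_TEXT = b"\xCC" * 5 + b"\x8B\xFF" + b"\x55\x8B\xEC\x5D\xC3"
# Same section after a hotpatch: padding becomes 'jmp rel32', entry becomes
# 'jmp -7' so execution lands on the long jump. rel32 value is arbitrary here.
MEM_TEXT = b"\xE9\x10\x00\x00\x00" + b"\xEB\xF9" + b"\x55\x8B\xEC\x5D\xC3"

if __name__ == "__main__":
    for finding in report(DISK_TEXT, MEM_TEXT):
        print(finding)
```

`report(DISK_TEXT, MEM_TEXT)` yields a single finding covering offsets 0 to 6 with `trampoline` set to `True`; an unmodified section yields an empty list. The trampoline check is only a hint: any disk-versus-memory divergence in a code section deserves a look, since a patch applied by other means will not match this pattern.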

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition