Microsoft’s Windows Defender Advanced Threat Hunting team works to track down and identify hacking groups that perpetrate attacks. The focus is on the groups that are the most selective about their targets and that work the hardest to stay undetected. The company wrote today about one particular group that it has named PLATINUM.
The unknown group has been attacking targets in South East Asia since at least 2009, with Malaysia being its biggest victim, with just over half the attacks, and Indonesia in second place. Almost half of the attacks were aimed at government organizations of some kind, including intelligence and defense agencies, and a further quarter of the attacks were aimed at ISPs. The goal of these attacks does not appear to have been immediate financial gain—these hackers weren’t after credit cards and banking details—but rather broader economic espionage using stolen information.
Microsoft doesn’t appear to know a great deal about the team doing the hacking. The team has often used spear-phishing to initially penetrate target networks and seems to have taken great pains to hide its attacks. For example, it has used self-deleting malware to cover its tracks, customized malware to evade anti-virus detection, and malware that limits its network activity to only be active during business hours, so its traffic is harder to notice. Redmond suggests that the adversary is likely a government organization of some kind, due to its organization and the kinds of data it has sought to steal.
The hackers have used many techniques over the years, with numerous 0-day vulnerabilities being exploited to penetrate victims’ systems and spread through their networks. Microsoft has a long writeup describing these techniques. One technique in particular is interesting, since it uses Windows’ own capabilities against itself.
Windows Server 2003 Service Pack 1 introduced support for hot patching certain core system services. Microsoft released ten different updates for the operating system that used this capability. When the updates were installed a particular way (it wasn’t the default), the update would patch the running system to insert the new, updated code into a server without creating the need to reboot the server. To support this hot patching, certain versions of Windows include the ability to load a patch DLL and use this DLL to modify running programs. Both regular programs and the kernel can be patched in this way.
In 2006, Alex Sotirov gave a presentation at Black Hat that briefly described how Windows’ hot patching worked in the context of a description of how third parties had offered some quick patches for Windows flaws while waiting for Microsoft’s official fixes. A more thorough description was given by Alex Ionescu at SyScan 2013. Ionescu’s talk wasn’t just about how hot patching was implemented but described ways that attackers could use it to modify running systems to inject malware without having to write the malware to disk or inject DLLs, both of which are visible to anti-malware software and humans alike.
The PLATINUM group used this technique, which can work against Windows Server 2003 Service Pack 1, Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows 7, in real-world attacks to better hide its efforts from analysis. This operating-system-provided hot patching was found in malware attacking systems in Malaysia earlier this year.
The hot patching capability was removed in Windows 8, and subsequent versions of the operating system do not support it. It wasn’t often used, and saving a few reboots is arguably not that useful, especially if it means handing hackers a convenient tool for attacking running systems. Nonetheless, an attack that uses a well-intentioned operating system to evade detection is a relative novelty.
Microsoft’s hunt for PLATINUM is still ongoing.