A cyber-espionage group active in South and Southeast Asia has
been abusing a legacy Windows feature known as ‘hotpatching’ to inject its
malware into running processes while hiding from security products.
Hotpatching is a feature first shipped by Microsoft with
Windows Server 2003 that allows updates to be applied to running code without
rebooting the machine or restarting the patched process. The feature was removed
in Windows 8 and later versions because it was rarely used: during the 12-year
support life of Windows Server 2003, only 10 patches relied on it. The
security-relevant point is that, because the code is loaded through an
OS-supported path, an attacker who abuses it does not need the usual
cross-process memory-write and remote-thread calls that security products
commonly monitor, which is what makes the injection hard to spot.
Microsoft’s malware researchers have code-named the group
‘Platinum’ and say it has been active since at least 2009.
The group has primarily targeted government organizations,
defense institutes, intelligence agencies and telecommunications providers in
South and Southeast Asia, in particular in Malaysia, Indonesia and China.
The group has gone to great lengths to develop covert
techniques that allow it to conduct cyber-espionage campaigns for years
without being detected.
To achieve this, it launches only a small number of attack
campaigns every year. Its custom malware components can delete themselves
and are designed to run only during the victims’ working hours, so that their
network activity blends into regular user traffic.
So far the group’s main initial-access method has been spear
phishing: fraudulent emails crafted for specific organizations or
individuals.
Microsoft’s Windows Defender Advanced Threat Hunting team
(known internally as ‘hunters’) assesses that the information stolen by the
group has been used for indirect economic advantage rather than for direct
financial gain.
Researchers warned in 2013 that hotpatching can be abused for
malicious purposes, but Microsoft says this is the first time the technique
has been observed in the wild. Note that hotpatching requires administrator
permissions, so it is a post-compromise stealth technique rather than a way
in: the attacker must already control the machine before it can be used.
The researchers also stated that “the group shows traits of being
well funded, organized, and focused on information that would be of most use to
government bodies.”
The potential use of hotpatching as a stealthy way to inject
malicious code into running processes was described by security researcher Alex
Ionescu at the SyScan security conference in 2013. Until Platinum, Microsoft’s
researchers had not seen the technique used by malicious attackers outside of
that research setting.