28 Apr 2016

Microsoft Discovers Platinum APT Targeting Southeast Asian Countries

 Countries and organizations targeted by the Platinum APT


Yesterday, The Windows Defender Advanced Threat Hunting team revealed the existence of a new APT (Advanced Persistent Threat) group that has been targeting countries in Southeast Asia since 2009.
Dubbed Platinum, following Microsoft's tradition of naming APT groups after chemical elements, the group distinguishes itself among similar cyber-espionage groups thanks to a novel technique called hotpatching.
What is Windows hotpatching?
Hotpatching allows Microsoft to issue updates that tap into active processes and upgrade applications or the operating system without having to reboot the computer.
The feature was introduced in Windows Server 2003 and later removed in Windows 8, after Microsoft realized its error.
No attacks have ever been recorded using this technique until now, but security researchers have proven its lethal capabilities at various security conferences.
Hotpatching used to avoid antivirus detection, push backdoors
According to a comprehensive report released on the Platinum APT, Microsoft says the group used the hotpatching technique to install and later conceal backdoors and other malware from a victim's antivirus solutions.
Due to its nature and design, hotpatching is not kept under a close eye by security products. This allowed the Platinum APT to push malicious updates to infected targets, neutering various features and allowing threat actors access to sensitive computers.
Microsoft says that it detected the Platinum group using this technique to install the Dipsing, Adbupd and JPIN backdoors on networks belonging to governmental organizations, defense institutes, intelligence agencies, and telecommunication providers.
Most of these targets are located in Southeast Asia, in countries such as Malaysia, Indonesia, China, and India, where the most recent attack took place.

 

Hotpatching operations need administrator-level permissions
Microsoft says that the group is still active and that there's still a way for companies to avoid infection. The company's security experts explain that hotpatching operations need to run from under an admin user, which means Platinum threat actors first have to infect each target.
In its report, Microsoft adds that the group has been doing this by sending spear-phishing emails that come with boobytrapped Office documents.
These documents, when opened, employ well-known vulnerabilities or never-before-seen zero-day exploits to infect computers with malware that gains admin privileges and later runs a malicious hotpatching operation.
"The monetary investment required to collect and deploy zero-day exploits at this level is considerable," Microsoft notes in its report, hinting at the fact that the group might be sponsored by a large criminal organization or a state actor.
Hotpatching, as a technique in general, is not exclusive to Windows machines. Crooks used hotpatching tools this past autumn and winter to push malicious updates to iOS apps, bypassing Apple's App Store review process.