
Tuesday, May 3, 2016

Platinum, the hacker group that is driving Microsoft crazy

Microsoft's Windows Defender Advanced Threat Hunting group is working to identify and neutralize a group of hackers that has been carrying out a series of attacks since 2009. The group, called Platinum, started claiming victims in Southeast Asia about seven years ago, mainly in Malaysia and Indonesia. About half of the attacks have been directed at government bodies of some kind, including intelligence and defense agencies, and another 25% were carried out against internet service providers. The goal of these attacks does not appear to be an immediate financial return; it is better characterized as broader economic espionage using the stolen information.

Microsoft itself does not seem to know much more about the team behind the attacks. The information in its notes indicates the use of spear-phishing techniques to penetrate the target networks, together with special measures to conceal traces: the Platinum group uses malware with a self-deletion feature, equipped with tricks to circumvent antivirus, and malware that limits its network activity to working hours, making anomalous traffic harder to identify.
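Malware that only talks to its controller during working hours hides in the volume of legitimate daytime traffic, but it still tends to check in at a fixed interval. The following detection script is an added example, not part of the original post and not Microsoft's own tooling: it parses a small constructed firewall log of outbound connections, groups them by source/destination pair, and flags pairs whose inter-arrival times are almost constant. The log lines, the working-hours window (08:00 to 18:00) and the thresholds are all assumptions chosen for illustration.

```python
"""Flag periodic outbound connections ("beacons") even when they only occur
during working hours. Added example; the log below is constructed, not real."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall/proxy log, one event per line: "timestamp src dst".
# The first host checks in every 15 minutes; the second browses irregularly.
SAMPLE_LOG = """\
2016-04-11T09:00:04 10.1.2.30 203.0.113.7
2016-04-11T09:15:05 10.1.2.30 203.0.113.7
2016-04-11T09:30:03 10.1.2.30 203.0.113.7
2016-04-11T09:45:06 10.1.2.30 203.0.113.7
2016-04-11T10:00:04 10.1.2.30 203.0.113.7
2016-04-11T10:15:05 10.1.2.30 203.0.113.7
2016-04-11T09:02:11 10.1.2.31 198.51.100.20
2016-04-11T09:41:50 10.1.2.31 198.51.100.20
2016-04-11T11:12:09 10.1.2.31 198.51.100.20
2016-04-11T13:55:31 10.1.2.31 198.51.100.20
2016-04-11T16:20:00 10.1.2.31 198.51.100.20
2016-04-11T17:02:44 10.1.2.31 198.51.100.20
"""

# Assumed local working-hours window; adjust to the monitored organisation.
WORK_START, WORK_END = 8, 18


def parse_log(text):
    """Group event timestamps by (src, dst) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(text, min_events=5, max_cv=0.15):
    """Return (src, dst, interval_seconds, only_in_work_hours) for every pair
    whose gaps between connections are nearly constant.

    Regularity is measured as the coefficient of variation (std / mean) of
    the inter-arrival times; a value at or below max_cv is treated as
    beacon-like. Human browsing produces a much larger spread."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        times.sort()
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        # Record whether every event fell inside working hours: a beacon that
        # is confined to the workday is exactly the pattern described above.
        in_hours = all(WORK_START <= t.hour < WORK_END for t in times)
        if cv <= max_cv:
            hits.append((src, dst, round(avg), in_hours))
    return hits


if __name__ == "__main__":
    for src, dst, interval, in_hours in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: ~{interval}s interval, "
              f"{'working hours only' if in_hours else 'around the clock'}")
```

On the constructed log the script flags only the 15-minute check-in from 10.1.2.30 and notes that it never fires outside working hours; the irregular traffic from 10.1.2.31 is left alone. In practice the thresholds need tuning per environment, and legitimate software updaters also beacon, so the output is a hunting lead rather than a verdict.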

Over the years a number of techniques have been used, including various 0-day vulnerabilities and a rather interesting one that relies on one of Windows' own features: Service Pack 1 of Windows Server 2003 introduced a "hot patching" capability for some core system services. Microsoft has issued ten different updates that used this feature.

When updates are installed in a certain way (not the standard mode), the changes can be applied directly to the running system without requiring a reboot. To support this, some versions of Windows include the ability to load a modified DLL that is used to alter the running program. Both ordinary programs and the kernel can be updated in this way.

At the 2006 Black Hat conference, security researcher Alex Sotirov gave a presentation in which he described how the hot patching system could also be used for small third-party updates while awaiting official Microsoft fixes. A more detailed description was offered by Alex Ionescu at SyScan 2013, stressing how the mechanism could be used by an attacker to modify a running system without writing the malware to disk or tampering with DLLs, both of which can be detected by common anti-malware software or even by a more aware user.

The Platinum group used this technique in real attacks to better hide its activity. The technique works against Windows Server 2003 Service Pack 1, Windows Server 2008, Windows Server 2008 R2, Windows Vista and Windows 7, all operating systems that were found in a series of attacks in Malaysia during the past months.

The hot patching feature was removed in Windows 8, and later versions of the operating system for the most part do not support it. Otherwise it is a rarely used technique, and saving a restart is certainly not that useful, especially set against the far more serious security risks that can result from abuse of the technique.
