Hothacking: an obscure Windows feature as an APT weapon

A new APT group is seen to have been exploiting hotpatching, a now-deprecated feature in Windows operating systems, to carry out their attacks.

Threatpost reported on a new APT group codenamed Platinum, which was seen exploiting hotpatching, a now-deprecated feature in Windows operating systems, to conduct their attacks.

An obscure feature

Hotpatching is a feature introduced in Windows Server 2003, and dropped with Windows 8. This feature is deemed more or less “obscure”: while essentially it is rather important and interesting – hotpatching allows the dynamic updating of system components without the need to reboot the computer – it was so rarely used that eventually Microsoft decided to remove it.

Between Windows 2003 and Windows 8 it was all there; It would fair to say it is all there, as it is present in now-dominant Windows 7 OS.

Security researchers warned that there was definite potential for abuse: it was possible for attackers to inject malicious code into running processes without having to reboot the server. This proved to be true. Hotpatching, however, does require admin privileges, so the attackers have to be “on the box” already to make use of this technique.

But for Platinum malefactors this seemed to be not a problem at all: they extensively – and efficiently – used various tricks to push through. The primary tool was (and is) narrowly targeted spear phishng campaigns, using malicious Office docs that exploited previously unpatched vulnerabilities and downloaded backdoors and other code to compromised machines.

The group exploited at least four zerodays – those have been patched by Microsoft in late April.

The group used a number of various backdoors with varying degrees of capabilities (ranging from the theft of intellectual property, to fingerprinting system and browser information before additional attacks are launched) and custom malware components, some of which were equipped with self-deletion functions to cover tracks.

Few but serious

In all fairness, there were just a few attacks so far, but all of them were rather high profile, which means that Platinum APT is a highly specialized group.

It was active in South and Southeast Asia, focusing primarily on government interests, including agencies, defense organizations, intelligence agencies, diplomats and telecommunications companies. Although active since at least 2009, Platinum APT conduct just a few attacks per year to stay out of sight. They seemed to be very good at this for awhile.

However, February’s attack on a government news website in India exposed them.

In its report, Microsoft said that in some cases several 0day exploits were used during the attacks on the same target – an activity that requires a significant amount of investment in R&D. This most likely means that Platinum is a highly specialized group, motivated and disciplined enough to ensure that no custom malware and/or exploits leak outside until they are deployed.

Course of counter-action

Platinum APT may be a highly specialized team with a short list of interests and a closely guarded toolset. However, since the information of the patched zero days have been published, it probably it won’t take long for other attack groups to figure out how to exploit those vulnerabilities. This immediately makes the list of possible targets much, much longer.

It is highly recommended to pay attention to those vulnerabilities and keep systems up-to-date. In fact, it is not the Hotpatching function which poses the primary threat, but software flaws. The gullibility of endpoint users: social engineering, well-crafted spearphishing campaigns, – all of these are common vectors of initial compromise. The only way to counter them is to educate employees on what is phishing, how it works and how not to fall victim to it.

And, of course, a robust security solution capable of providing multi-layered defense against known and unknown threats should be in place.

Tips