Cyberspies abuse Windows Hotpatching system for malware stealth

A cyber espionage group active in South and Southeast Asia has been leveraging a Windows feature known as ‘hotpatching’ in order to better h...

A cyber espionage group active in South and Southeast Asia has been leveraging a Windows feature known as ‘hotpatching’ in order to better hide its malware from security products.

Hotpatching is a feature first shipped by Microsoft with Windows Server 2003 to allow the installation of updates without having to reboot or restart a process. The feature was removed in Windows 8 and later versions, because it was rarely used. During the 12 years support life of Windows Server 2003, only 10 patches used this technique.

Malware researchers from Microsoft have code named the group as ‘Platinum’ and claim its existence since at least 2009.
The group has primarily targeted government organizations, defense institutes, intelligence agencies and telecommunications providers in South and Southeast Asia, especially from Malaysia, Indonesia and China.

The group has gone to great lengths to develop covert techniques that allow them to conduct cyber-espionage campaigns for years without being detected.
To achieve this, it only launches a small number of attack campaigns every year. Its custom malware components have self-deletion capabilities and are designed to run only during the victims' working hours, to hide their activity among regular user traffic.
 So far the group has used spear phishing fraudulent emails that target specific organizations or individuals as its main attack method.
Microsoft’s Windows Defender Advanced Threat Hunting team, known as hunters discovered that the information stolen by the group has been used for indirect economic advantages instead for direct financial gain.

Researchers warned in 2013 that hotpatching, which requires administrator permissions, can be abused for malicious purposes, but Microsoft says this is the first time the technique has been observed in the wild.

The researchers also stated “the group shows traits of being well funded, organized, and focused on information that would be of most use to government bodies."

The potential use of hotpatching as a stealth way to inject malicious code into running processes was described by security researcher Alex Ionescu at the SyScan security conference in 2013.

This is the first time that the Microsoft researchers have seen the technique used in the wild by malicious attackers.

Post a Comment Default Comments Disqus Comments


Weather Today!

Read More News

Random Article

Hot in week

Popular Posts