Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:01 PM
Connect Directly

Hacker Group Exploits 'Hot Patching' In Windows To Cloak Cyber Espionage

Group called Platinum employs spear phishing and malicious use of hot patching to steal information from government agencies in Asia.

A cyber espionage group is using an advanced persistent threat technique that exploits an obscure Windows OS feature known as “hot patching” to cloak backdoors they have created in targeted systems and networks of government agencies and telecommunications companies in Asia and Southeast Asia, according to Microsoft.

The group, called Platinum by Microsoft researchers, has gained persistent access to the networks of companies it targeted and victimized over a long period without being detected. Spear phishing is the primary way the group gains initial network access, targeting an individual’s personal account as a way to get inside corporate networks.

Spear phishing and the malicious use of hot patching appear to have been quite effective and, until now, enabled Platinum to go undetected. Microsoft research suggests that Platinum has been targeting its victims since at least as early as 2009.

Hot patching is a previously supported OS feature -- originally shipped with Windows Server 2003 --for installing updates without having to reboot or restart a process. It requires administrator-level permissions.  At a high level, a hot patcher can transparently apply patches to executables and Dynamic Link Libraries in actively running processes, according to researchers with Microsoft’s Windows Defender Advanced Threat Hunting Team, who discovered the threat.

“Platinum was able to abuse this feature to hide their backdoor from the behavioral sensors of many host security products. We first observed a sample employing the hot patching technique on a machine in Malaysia,” Microsoft security researchers, write in a blog.  “This allowed Platinum to gain persistent access to the networks of companies it targeted and victimized over a long period without being detected.”

Hot patching removed in Windows 8

The hot patching feature was removed in Windows 8 and has not been included in subsequent releases of Windows. Platinum, though, appears to believe that enough of their targeted users will continue to run the earlier versions of Windows to make the technique a useful tool, at least until early 2017, researchers say.

The technique Platinum uses to inject code via hot patching was first documented by security researcher Alex Ionescu in 2013. Administrator permissions are required for hot patching, and the technique used by Platinum does not attempt to evade this requirement through exploitation.

Platinum typically sends malicious documents that contain exploits for vulnerabilities in various software programs, with links or remotely loaded components such as images or scripts or templates that are delivered to targets only once, according to Microsoft researchers.

For instance, “in February 2016, Platinum was observed using a legitimate website dedicated to news about the Indian government, as an infection vector. This site, which is not associated with the Indian government itself, also provides a free email service for its users, giving them email addresses with the site’s own domain name. Platinum sent spear phishing messages to users of the service, which included some Indian government officials.”

After infecting an unsuspecting user this way, the attackers had complete control of the user’s computer and used it as a stepping stone into the official network to which the user belonged, researchers say.

Looking for government IP

Platinum, which appears to be well-funded, seeks to steal sensitive intellectual property related to government interests.  Its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. “The group’s persient use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat,” researchers say.

The Microsoft researchers have developed attacker profiles on these advanced persistent attackers that includes distinctive behavior, signatures, geography, and victimology.

To reduce the likelihood of Platinum conducting successful attacks against employees and networks, Microsoft researchers advise organizations to:

  • Take advantage of native mitigations built into Windows 10;
  • Apply all security updates as soon as they become available;
  • Conduct enterprise software security awareness training and build awareness of malware prevention;
  • Institute a strong network firewall and proxy; and
  • Make sure all Internet-facing assets are running the latest applications and security up-dates.

Related content:


Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

Rutrell Yasin has more than 30 years of experience writing about the application of information technology in business and government. View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-08
Buffer overflow exists in Geovision Door Access Control device family, an unauthenticated remote attacker can execute arbitrary command.
PUBLISHED: 2020-07-07
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
PUBLISHED: 2020-07-07
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
PUBLISHED: 2020-07-07
A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS). We recommend updating, or to res...
PUBLISHED: 2020-07-07
Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.