Microsoft's cybercriminal hunters track down elusive 'Platinum' hacking group

Microsoft’s Windows Defender Advanced Threat Hunting team, known as hunters, track down elusive hacking groups that initiate large scale attacks against targets. The hunters just posted details of a thrilling investigation on Microsoft’s threat detection and response blog. The hunters had to use both machine learning and human intuition to track down a group that targets government organisations, defense institutes and intelligence agencies in South and South East Asia. The group was codenamed “Platinum” by the hunters, as per their tradition of naming potential threats after elements in the periodic table. Platinum abused Window’s own update delivery mechanism to compromise target computers. The affected machine ran Windows Server 2003. Machines running Windows 10 cannot be exploited in the same way. The update mechanism was known as hotpatching, and that method is now discontinued. Hotpatching is a way of updating the operating system without requiring a restart. Hotpatches can apply updates to DLLs and executables in actively running processes. More interesting than the attack vector was the Sherlock-like investigation by the Hunter team. Windows collects anonymous data from over a billion devices. Carving is a process of cutting down the data into meaningful and targeted chunks for further analysis. This step involves narrowing down the scope of further machine based processing by choosing data from a particular region or particular types of irregularities in files. This carved data was further processed with threat detection analytics, which yielded a set of 31 suspicious looking files. The final step in the investigation was an eagle eyed hunter spotting an unusual header in one of the files. This was a manual part of the process, and that one unusual header revealed the infection vector of hotpatching by Platinum.