Microsoft hunters track down the elusive cybercriminal hacker group 'Platinum'
Microsoft's Windows Defender Advanced Threat Hunting team, known as the hunters, tracks down elusive groups of hackers who launch large-scale attacks against their targets. The hunters have just published details of a fascinating investigation on Microsoft's threat detection and response blog. They had to combine machine learning with human intuition to locate a group that targets government organizations, defense institutes and intelligence agencies in South and Southeast Asia.
The group was given the codename "Platinum" by the hunters, following their tradition of naming potential threats after elements of the periodic table. Platinum abused Windows' own update delivery mechanism to compromise target computers. The affected machines were running Windows Server 2003; computers running Windows 10 cannot be exploited in the same way. The update mechanism is known as hotpatching, a method that has since been abandoned. Hotpatching is a way of updating the operating system without rebooting: hotpatches can apply changes to DLL and executable files belonging to actively running processes.
More interesting than the attack vector itself was the Sherlock-like investigation by the hunter team. Windows collects anonymous data from more than one billion devices. Carving is the process of slicing this logged data into meaningful, specific parts for further analysis. The step reduces the scope of further processing machine by machine, selecting data from a particular region or for particular types of irregularities in the archives.
The carved data was then processed further with threat detection analytics, resulting in a set of 31 suspicious-looking files. The final step of the investigation was a hunter's eagle eye spotting an unusual header in one of those files. This part of the process was manual, and it revealed Platinum's unusual hotpatching infection vector.
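The funnel described above (a very large telemetry set narrowed by region and operating system, then by an anomaly rule, leaving a handful of files for a human to inspect) can be illustrated in code. The block below is an added example, not Microsoft's tooling or code from the article: the telemetry records are constructed, the region and OS filters mirror what the article states about the targets, and the "unusual header" rule (a file whose leading bytes are not the standard MZ stub of a Windows executable) is a placeholder assumption, since the article does not say what was unusual about the header the hunter spotted.

```python
"""Constructed illustration of the carving funnel described in the article.

Narrow a telemetry set by scope (region, OS version), then by a header
anomaly rule, and hand the small remainder to manual review. All records
and the anomaly rule are invented for this example.
"""

from dataclasses import dataclass
from typing import Iterable, List, Set

# Standard DOS stub magic at the start of Windows executables and DLLs.
PE_MAGIC = b"MZ"


@dataclass(frozen=True)
class FileRecord:
    machine_id: str
    region: str       # coarse geographic bucket reported by telemetry
    os_version: str   # e.g. "Windows Server 2003"
    path: str
    header: bytes     # first bytes of the file as captured by telemetry


# Constructed telemetry sample (not real data).
TELEMETRY: List[FileRecord] = [
    FileRecord("m-001", "Southeast Asia", "Windows Server 2003",
               r"C:\Windows\System32\svc.dll", b"MZ\x90\x00"),
    FileRecord("m-002", "Southeast Asia", "Windows Server 2003",
               r"C:\Temp\update.exe", b"MZ\x90\x00"),
    FileRecord("m-003", "Southeast Asia", "Windows Server 2003",
               r"C:\Temp\patch.dll", b"\x00\x00MZ"),
    FileRecord("m-004", "South Asia", "Windows Server 2003",
               r"C:\Temp\hp.dll", b"XX\x00\x01"),
    FileRecord("m-005", "South Asia", "Windows 10",
               r"C:\Temp\hp.dll", b"XX\x00\x01"),
    FileRecord("m-006", "Europe", "Windows Server 2003",
               r"C:\Temp\x.dll", b"ZZZZ"),
]


def carve_by_scope(records: Iterable[FileRecord],
                   regions: Set[str], os_versions: Set[str]) -> List[FileRecord]:
    """First carving step: keep only records from the regions and OS versions
    of interest, discarding everything out of scope before costlier analysis."""
    return [r for r in records
            if r.region in regions and r.os_version in os_versions]


def has_unusual_header(record: FileRecord) -> bool:
    """Placeholder anomaly rule (assumption, not from the article): a Windows
    executable or DLL whose file does not begin with the MZ stub is unusual."""
    return not record.header.startswith(PE_MAGIC)


def carve_by_anomaly(records: Iterable[FileRecord]) -> List[FileRecord]:
    """Second carving step: keep only records that trip the anomaly rule."""
    return [r for r in records if has_unusual_header(r)]


def run_funnel(records: List[FileRecord],
               regions: Set[str], os_versions: Set[str]) -> dict:
    """Run both carving steps and report how the set shrinks at each stage.
    The 'for_review' list is what a human analyst would inspect by hand."""
    in_scope = carve_by_scope(records, regions, os_versions)
    suspicious = carve_by_anomaly(in_scope)
    return {
        "total": len(records),
        "in_scope": len(in_scope),
        "for_review": [r.machine_id for r in suspicious],
    }


if __name__ == "__main__":
    summary = run_funnel(TELEMETRY,
                         regions={"South Asia", "Southeast Asia"},
                         os_versions={"Windows Server 2003"})
    print(f"{summary['total']} records -> {summary['in_scope']} in scope "
          f"-> {len(summary['for_review'])} for manual review: "
          f"{summary['for_review']}")
```

The point of the structure is the ordering: cheap scope filters run first over the whole set, the anomaly rule runs only over what survives, and the output is deliberately small enough for the manual inspection the article describes as the decisive step. Note that the scope filter alone would have excluded the Windows 10 machine, consistent with the article's statement that Windows 10 is not exploitable by this vector.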