Windows Hotfix System Used to Install Malware

When it comes to antivirus software, we often think of the big independent companies such as Symantec and McAfee at the cost of forgetting built in anti-virus like that provided by Windows Defender. It would now seem that the Microsoft Window’s Defender Advanced Threat Hunting team has found a group of hackers who used Window’s own hotfix system against their targets.

The team wrote about a group they have started to call PLATINUM. The recent focus has been on groups that have selective targets and unfamiliar patterns, both features which make their malware hard to detect. PLATINUM’s targets were South East Asia companies, with a large amount of their targets being based in Malaysia.

Over half of the attacks were aimed at government organisations and even internet service providers, but rather than the traditional financial gain that these hacks come with but instead seem to be focused on economic espionage.

PLATINUM has used everything from self-deleting malware to malware that restricts its network traffic, limiting its interactions using certain times and dates to transmit its data. In their attempts to track down and identify the group one of Windows own systems were used to install the malware. In order to ensure its software is up to date, Windows has a hotfix solution, enabling the dynamic installation of malware on everything from Windows server 2003 to Windows 7.

The hotfix ability was removed in Windows 8 and subsequent OS’s stating that the few reboots the hotfix ability prevented weren’t worth the risk that it exposes.