PLATINUM (cybercrime group)

PLATINUM is the name given by Microsoft to a cybercrime collective active against governments and related organizations in South and Southeast Asia. They are secretive and not much is known about the members of the group. The group's skill means that its attacks sometimes go without detection for many years.

The group, considered an advanced persistent threat, has been active since at least 2009, targeting victims via spear-phishing attacks against government officials' private email addresses, zero-day exploits, and hot-patching vulnerabilities. Upon gaining access to their victims' computers, the group steals economically sensitive information.

PLATINUM succeeded in keeping a low profile until their abuse of the Microsoft Windows hot patching system was detected and publicly reported in April 2016. This hot patching method allows them to use Microsoft's own features to quickly patch, alter files or update an application, without rebooting the system altogether, this way, they can maintain the data they have stolen while masking their identity.

In June 2017, PLATINUM became notable for exploiting the serial over LAN (SOL) capabilities of Intel's Active Management Technology to perform data exfiltration.

PLATINUM's techniques
Once in control of a target's computer, PLATINUM actors can move through the target's network using specially built malware modules. These have either been written by one of the multiple teams working under the Platinum group umbrella, or they could have been sold through any number of outside sources that Platinum has been dealing with since 2009.

Because of the diversity of this malware, the versions of which have little code in common, Microsoft's investigators have taxonomised it into families.

The piece of malware most widely used by PLATINUM was nicknamed Dispind by Microsoft. This piece of malware can install a keylogger, a piece of software that records (and may also be able to inject) keystrokes.

PLATINUM also uses other malware like "JPIN" which installs itself into the %appdata% folder of a computer so that it can obtain information, load a keylogger, download files and updates, and perform other tasks like extracting files that could contain sensitive information.

"Adbupd" is another malware program utilised by PLATINUM, and is similar to the two previously mentioned. It is known for its ability to support plugins, so it can be specialised, making it versatile enough to adapt to various protection mechanisms.

Intel Exploit
In 2017, Microsoft reported that PLATINUM had begun to exploit a feature of Intel CPUs. The feature in question is Intel's AMT Serial-over-LAN (SOL), which allows a user to remotely control another computer, bypassing the host operating system of the target, including firewalls and monitoring tools within the host operating system.

Security
Microsoft advises users to apply all of their security updates to minimize vulnerabilities and to keep highly sensitive data out of large networks. Because PLATINUM targets organizations, companies and government branches to acquire trade secrets, anyone working in or with such organizations can be a target for the group.