PLATINUM Attacks Intel Active Management Technology

In a post on the Windows Security Blog, Microsoft has detailed how a group called PLATINUM has continued to improve their file transfer tool to target organizations in South and Southeast Asia.

PLATINUM is a targeted activity group that goes after government organizations, defense institutes, intelligence agencies and telecommunications providers in South and Southeast Asia. The group goes to great lengths to develop covert techniques that allow it to carry out cyber-espionage missions without being noticed.

Microsoft has been tracking the group for some time and has documented its techniques, such as hotpatching, which the group uses to hide a backdoor on systems it has broken into. By hotpatching, PLATINUM is able to inject malicious code covertly.

In the time that Microsoft has been watching PLATINUM, it has learned that the group’s file transfer tool uses the Intel Active Management Technology (AMT) Serial-over-LAN (SOL) channel for communication. This makes the group’s communications invisible to firewalls and network monitoring software.

Since learning that the group is using Intel’s technology, Microsoft has informed Intel, and the two companies have collaborated to analyze what PLATINUM is using the tool for. So far, Microsoft has not found that the tool exploits any security vulnerability in Intel’s AMT SOL; rather, the group misuses the feature on systems that have already been compromised. The group is then able to communicate undetected, without being noticed by security software.

Microsoft says that only a couple of computers on organizational networks in Southeast Asia have fallen victim to the group’s tool. It also says that PLATINUM tends to customize its tools based on the network configurations of its targets.

AMT SOL is not enabled by default, so using it requires network-administrator access to turn it on. As of right now, Microsoft is unsure how the group obtained that access.

Intel’s Active Management Technology (AMT) also allows devices to be accessed remotely and is a feature of Intel’s vPro processors and chipsets. AMT runs inside Intel’s Management Engine (ME), which has its own operating system running on an embedded processor in the chipset. The embedded processor is separate from the main Intel processor and can perform tasks even when the main processor is off, such as remote power-cycling and control of keyboard, mouse and video.

Intel Active Management Technology (AMT) uses Serial-over-LAN (SOL), which exposes a virtual serial device on the chipset over TCP (Transmission Control Protocol).

SOL works independently of the device’s operating system and continues to work as long as the device has a physical connection to a network. All SOL traffic bypasses the host’s networking stack and is not blocked by firewalls. Using SOL requires a username and password.
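Because SOL traffic never passes through the host’s networking stack, host firewalls and endpoint tools cannot see it; the practical place to look is flow data from a switch, router or tap. The following is an added example, not code from the article or from Microsoft, that flags AMT redirection (SOL) sessions in flow records; it assumes the standard Intel AMT redirection ports (16994 without TLS, 16995 with TLS), which the article does not mention, and uses constructed flow records and a constructed allow-list of management hosts.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto nbytes")

# Standard Intel AMT redirection ports: 16994 (no TLS) and 16995 (TLS).
# Documented AMT ports, not values taken from the article.
AMT_SOL_PORTS = {16994, 16995}

# Constructed: the only host that should open AMT sessions on this network.
ALLOWED_MGMT_SOURCES = {"10.0.50.5"}

# Constructed flow records, one per line: ts src dst dport proto bytes
SAMPLE_FLOWS = """\
2017-06-07T10:00:01 10.0.50.5  10.0.20.17 16994 tcp 1200
2017-06-07T10:02:11 10.0.20.31 10.0.20.17 16995 tcp 48000
2017-06-07T10:03:00 10.0.20.31 10.0.20.17 443   tcp 900
2017-06-07T10:04:00 10.0.20.31 10.0.20.17 16994 udp 100
"""

def parse_flow(line):
    """Parse one whitespace-separated flow record into a Flow."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return Flow(ts, src, dst, int(dport), proto, int(nbytes))

def classify(flow, allowed=ALLOWED_MGMT_SOURCES):
    """Return None if the flow is not AMT SOL, 'info' if it comes from an
    approved management host, and 'alert' for any other source."""
    if flow.proto != "tcp" or flow.dport not in AMT_SOL_PORTS:
        return None
    return "info" if flow.src in allowed else "alert"

def find_sol_sessions(text, allowed=ALLOWED_MGMT_SOURCES):
    """Return a list of (severity, flow) for every AMT SOL flow in the log."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        severity = classify(flow, allowed)
        if severity:
            findings.append((severity, flow))
    return findings

if __name__ == "__main__":
    for sev, f in find_sol_sessions(SAMPLE_FLOWS):
        print(f"{sev.upper():5} {f.ts} {f.src} -> {f.dst}:{f.dport} ({f.nbytes} bytes)")
```

A peer workstation opening an AMT redirection session, as in the second sample record, is the pattern worth investigating: legitimate SOL use should originate only from designated management hosts.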

Microsoft says PLATINUM may have obtained a username and password from the networks it targeted. The other possibility is that the targeted systems did not have AMT enabled, and PLATINUM enabled it once it had gained access.

PLATINUM’s file-transfer tool implements SOL through the Redirection Library API in the Intel AMT SDK. Data is sent and received by calling IMR_SOLSendText() and IMR_SOLReceiveText(), which issue the underlying network calls.

The SOL protocol is virtually identical to TCP, with the addition of a variable-length header on the data that allows corruption errors in the data to be detected.

Microsoft says that if an attacker with AMT access tries to use the SOL communication channel on a device running Windows Defender ATP, machine learning and behavior analytics will be used to spot the targeted attack.

Windows Defender ATP can raise alerts and can distinguish between legitimate use of AMT SOL and a targeted attack. Microsoft says that PLATINUM’s tool is the first and only malware it has seen that misuses features of an Intel chipset.

Microsoft also says that the techniques PLATINUM uses are independent of the operating system, and that Windows Defender ATP will be able to detect unauthorized activity and notify network admins, particularly on Windows computers.