June 12, 2017
Shah Sheikh


A cyber-espionage group known as “Platinum”, which has been targeting governmental organizations, defense institutes and telecommunication providers since 2009, has found a way to hide its malicious activity from host-based protection mechanisms. The group's activities were first detected and exposed by Microsoft, when Platinum was leveraging a Windows feature called hotpatching in attacks against governmental institutions in South and Southeast Asia.

Microsoft recently discovered that the group is now using the Serial-over-LAN (SOL) channel of Intel’s Active Management Technology (AMT) as a file-transfer tool to steal data from its targets.

Intel’s AMT allows users to remotely manage a system regardless of its power state and whether or not it has an operating system. The SOL feature provides a virtual serial port that is always available. A management console can connect to this port, boot the machine into a basic DOS environment and communicate with software that listens on the designated COM port. Intel chips come embedded with AMT so that administrators can remotely manage and repair the PCs, workstations and servers of their organizations.

Figure: AMT SOL component stack

For the attack to work, the targeted PC only needs to be connected to a power line and a network cable. When AMT is enabled, any packet sent to the PC’s AMT port is directed to the Management Engine and passed on to AMT.

Linux systems running on Intel chips with AMT enabled can also be exposed to Platinum’s malware.
Platinum does not exploit a flaw in AMT; it only needs AMT to be enabled on the targeted PC. This keeps the file-transfer tool stealthy and allows it to evade some security products.
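Because the attack depends only on AMT being enabled, the practical defensive question is which hosts in your fleet have AMT provisioned and reachable on the network. The following is an added example, not code from the article, Microsoft or Intel: a small Python inventory check that reports whether a host answers on the Intel AMT management ports and identifies itself as AMT in its web banner. The port numbers and the "Intel(R) Active Management Technology" Server header are well-known AMT behaviour; the helper names, the constructed sample response and the risk labels are my assumptions.

```python
import re
import socket
from typing import Dict, List, Optional, Tuple

# Intel AMT management ports (well-known values, not from the article):
# 16992/16993 serve the AMT web interface (HTTP/HTTPS); 16994/16995 are the
# redirection ports used by SOL and IDE-R (plain / TLS).
AMT_PORTS = {16992: "web-http", 16993: "web-https",
             16994: "sol-redirection", 16995: "sol-redirection-tls"}

# The AMT web server names itself in its Server header, e.g.
# "Server: Intel(R) Active Management Technology 11.8.50".
_BANNER_RE = re.compile(r"Intel\(R\) Active Management Technology\s*([\d.]+)?", re.I)


def parse_amt_banner(response: bytes) -> Optional[str]:
    """Return the AMT version from an HTTP response, "" if AMT is named
    without a version, or None if the response is not from AMT."""
    m = _BANNER_RE.search(response.decode("latin-1", errors="replace"))
    return None if m is None else (m.group(1) or "")


def probe_host(host: str, timeout: float = 2.0) -> Dict[str, object]:
    """Inventory check (hypothetical helper): which AMT ports answer on
    `host`, and what the web interface's banner says. Run it only
    against machines you administer."""
    open_ports: List[Tuple[int, str]] = []
    version: Optional[str] = None
    for port, label in AMT_PORTS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                open_ports.append((port, label))
                if port == 16992:  # fetch the banner from the plain web port
                    s.sendall(("GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host).encode())
                    version = parse_amt_banner(s.recv(4096))
        except OSError:
            continue  # closed, filtered or unreachable: not an AMT exposure
    return {"open_ports": open_ports, "amt_version": version}


def amt_risk(result: Dict[str, object]) -> str:
    """Summarise a probe: the SOL redirection port reachable is the case
    the article describes; the web interface alone still means AMT is on."""
    ports = {p for p, _ in result["open_ports"]}  # type: ignore[union-attr]
    if ports & {16994, 16995}:
        return "sol-redirection-reachable"
    if ports & {16992, 16993}:
        return "amt-web-reachable"
    return "none"
```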

Microsoft’s Windows Defender Advanced Threat Protection can detect malicious use of the SOL feature, but this only helps hosts that run a Windows operating system.

Intel has also published a mitigation guide that can be found at: