A hackers group called Platinum used Intel`s Active Management Technology (AMT) Serial-over-LAN (SOL) to cover communications from the firewall.
Intel Active Management Technology (AMT) is hardware and firmware technology for remote out-of-band management of personal computers, in order to monitor, maintain, update, upgrade, and repair them.
Serial Over LAN (SOL) is a mechanism that allows the input and output of the serial port of a managed system to be redirected over IP.
Security researchers from Microsoft have discovered that the Platinum attackers group has started using AMT to transfer data and make the communications invisible, so they can bypass the firewall and network monitoring products.
Microsoft said:
“We confirmed that the tool did not expose vulnerabilities in the management technology itself, but rather misused AMT SOL within target networks that have already been compromised to keep communication stealthy and evade security applications.”
“The new SOL protocol within the PLATINUM file-transfer tool makes use of the AMT Technology SDK’s Redirection Library API (imrsdk.dll). Data transactions are performed by the calls IMR_SOLSendText()/IMR_SOLReceiveText(), which are analogous to networking send() and recv() calls. The SOL protocol used is identical to the TCP protocol other than the addition of a variable-length header on the data for error detection. Also, the updated client sends an unencrypted packet with the content “007″ before authentication.”
The following video explains how the tool can be used to transfer malware to a computer with AMT provisioned:
