Processors

Malware uses a feature of Intel processors to steal data and evade firewalls


Anonim

Microsoft's security team has discovered new malware that takes advantage of the Serial-over-LAN (SOL) interface of Intel's Active Management Technology (AMT) as a file transfer tool.

Because of the way Intel AMT SOL works, SOL interface traffic bypasses the local computer's networking stack, so locally installed firewalls or security products cannot detect or block the malware while it sends data out.

Intel AMT SOL exposes a hidden network interface

This appears to be possible because Intel AMT SOL is part of the Intel ME (Management Engine), a separate processor built into Intel's CPUs that runs its own operating system.

Intel ME runs even when the main processor is off, and while this feature may seem odd, Intel incorporated it to provide remote management capabilities to companies managing large networks of hundreds of computers.

The good news is that the Intel AMT SOL interface is disabled by default on all Intel CPUs, so the PC owner or local system administrator has to enable this feature manually. Even so, Microsoft has discovered malware created by a cyber-espionage group that takes advantage of the interface to steal data from infected computers.

Microsoft did not reveal whether hackers, belonging to a group known as PLATINUM, have found a secret way to enable this feature on infected computers, or if they simply found it active and decided to use it.

Given these facts, Microsoft said that it was able to identify the malware's operation and has released an update for Windows Defender ATP that detects the malware before it gains access to the AMT SOL interface.
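Since SOL traffic never reaches the host's own networking stack, one way to look for it is from the network side. The following is an added example, not code from Microsoft or from the original article: it compares flows seen by a network tap with the connections the host itself reported and flags the ones only the tap saw. The log format, addresses and function names are assumptions made for the example; the port numbers are Intel AMT's standard redirection ports.

```python
from collections import namedtuple

# Intel AMT listens on TCP 16992-16995; 16994 and 16995 carry redirection
# sessions (SOL and IDE-R), in the clear and over TLS respectively.
AMT_REDIRECTION_PORTS = {16994, 16995}

Flow = namedtuple("Flow", "src sport dst dport")

# Constructed sample data (documentation address ranges), not real traffic.
TAP_FLOWS = """
192.0.2.10:49812 -> 198.51.100.7:443
192.0.2.44:51544 -> 192.0.2.10:16994
192.0.2.10:40000 -> 198.51.100.9:8080
192.0.2.50:1234 -> 192.0.2.60:16994
"""
HOST_FLOWS = """
192.0.2.10:49812 -> 198.51.100.7:443
"""

def parse_flows(text):
    """Parse 'src:sport -> dst:dport' lines (a format assumed for this example)."""
    flows = set()
    for line in text.strip().splitlines():
        left, right = (part.strip() for part in line.split("->"))
        src, sport = left.rsplit(":", 1)
        dst, dport = right.rsplit(":", 1)
        flows.add(Flow(src, int(sport), dst, int(dport)))
    return flows

def invisible_to_host(tap, host, host_ip):
    """Return (flow, reason) for tap flows of host_ip that the host OS never logged."""
    findings = []
    for flow in sorted(tap - host):
        if host_ip not in (flow.src, flow.dst):
            continue  # belongs to another machine
        local_port = flow.sport if flow.src == host_ip else flow.dport
        if local_port in AMT_REDIRECTION_PORTS:
            reason = "amt-redirection"  # handled by the ME, not the host stack
        else:
            reason = "unreported"       # gap in host telemetry, needs triage
        findings.append((flow, reason))
    return findings

if __name__ == "__main__":
    for flow, reason in invisible_to_host(
            parse_flows(TAP_FLOWS), parse_flows(HOST_FLOWS), "192.0.2.10"):
        print(f"{reason:16} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}")
```

On machines where AMT is not supposed to be provisioned, any `amt-redirection` finding is worth investigating, because the feature has to be enabled manually.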
