Heimdal

Cybersecurity researchers have recently disclosed details of GhostEmperor, a Chinese-speaking threat actor that has allegedly targeted several South-East Asian countries for more than a year.

According to Kaspersky researchers Mark Lechtik, Aseel Kayal, Paul Rascagneres and Vasily Berdnikov, the group spent that time attacking government entities and telecommunication companies in South-East Asia, using a kernel-mode rootkit that acts as a backdoor to maintain persistence on compromised servers.

The rootkit dubbed Demodex had been adapted to work on Windows 10.

The main job of this rootkit is to conceal malware artifacts such as files, registry keys and network traffic from forensic analysts and security products.

To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a loading scheme built around a component of the open-source project ‘Cheat Engine’: a legitimately signed, benign driver whose documented functionality is abused to get the unsigned rootkit into the kernel.

Kaspersky researchers describe the toolset as unique and see no overlap with known threat actors; they estimate it has been in use since at least July 2020.

Figure: GhostEmperor infection chain

The attackers broke in through known vulnerabilities in Internet-facing server software such as Apache, Windows IIS, Oracle and Microsoft Exchange.

According to BleepingComputer, the Chinese-speaking group also relies on a “sophisticated multi-stage malware framework” that gives the operators remote control over the affected systems.

GhostEmperor’s Victims

Among the countries targeted by the GhostEmperor group were Vietnam, Malaysia, Thailand and Indonesia. The researchers also found victims in Egypt, Ethiopia and Afghanistan, and noted that those three had strong connections to South-East Asian countries.

We observed that the underlying actor managed to remain under the radar for months, all the while demonstrating a finesse when it came to developing the malicious toolkit, a profound understanding of an investigator’s mindset, and the ability to counter forensic analysis in various ways.

The attackers conducted the required level of research to make the Demodex rootkit fully functional on Windows 10, allowing it to load through documented features of a third-party signed and benign driver.

This suggests that rootkits still need to be taken into account as a TTP during investigations and that advanced threat actors, such as the one behind GhostEmperor, are willing to continue making use of them in future campaigns.


Kaspersky’s full analysis contains more information about the techniques used by GhostEmperor and the newly discovered Demodex rootkit.
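The loading scheme described above (a validly signed third-party driver used to bring an unsigned rootkit into the kernel) and the researchers’ point that rootkits must stay on the TTP list both come down to one practical question for a defender: which driver loads deserve a second look? The following Python triage routine is an added example for this article, not code from Heimdal, Kaspersky or GhostEmperor. It runs over Sysmon Event ID 6 (DriverLoad) records, whose field names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) are real; the sample events, the vendor signer strings and the file paths are constructed, and the watchlist entry dbk64.sys (the Cheat Engine kernel driver name) is this example’s assumption standing in for whatever list of abusable signed drivers you maintain, for instance from the LOLDrivers project.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for rootkit-loader patterns.

Added example for this article; not code from Heimdal, Kaspersky or GhostEmperor.
Field names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) are the ones
Sysmon writes for DriverLoad events. Everything else below is constructed.
"""
import ntpath
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, str]
Finding = Tuple[str, str]  # (ImageLoaded, reason)

# Directories from which Windows normally loads drivers. A validly signed
# third-party driver sitting anywhere else deserves a second look.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Signed drivers known to expose kernel read/write primitives. dbk64.sys is the
# Cheat Engine kernel driver; listing it here is this example's assumption. In
# practice the set is populated from your own intel (e.g. the LOLDrivers project).
ABUSABLE_SIGNED_DRIVERS = {"dbk64.sys"}

# Constructed sample telemetry (not real events). Vendor signer strings are placeholders.
SAMPLE_EVENTS: List[Event] = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\vendor_nic.sys",
     "Signed": "true", "Signature": "Example NIC Vendor", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Users\\Public\\dbk64.sys",
     "Signed": "true", "Signature": "Example Tool Publisher", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Windows\\Temp\\svcupd.sys",
     "Signed": "true", "Signature": "Example Software Ltd", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\ProgramData\\helper.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]


def _validly_signed(ev: Event) -> bool:
    return ev.get("Signed", "").lower() == "true" and ev.get("SignatureStatus", "") == "Valid"


def _microsoft_signed(ev: Event) -> bool:
    return _validly_signed(ev) and ev.get("Signature", "").startswith("Microsoft")


def triage_driver_loads(events: Iterable[Event],
                        abusable: Iterable[str] = ABUSABLE_SIGNED_DRIVERS) -> List[Finding]:
    """Return (path, reason) for each driver load worth an analyst's attention."""
    watch = {n.lower() for n in abusable}
    findings: List[Finding] = []
    for ev in events:
        path = ev.get("ImageLoaded", "")
        name = ntpath.basename(path).lower()
        if not _validly_signed(ev):
            # DSE should refuse this load outright; seeing it means DSE is off,
            # test-signing is enabled, or the signature check was bypassed.
            findings.append((path, "unsigned or invalid signature despite DSE"))
        elif name in watch:
            # The GhostEmperor pattern: a benign, validly signed driver whose
            # documented features are used to get unsigned code into the kernel.
            findings.append((path, "known-abusable signed driver (bring-your-own-driver loader)"))
        elif not _microsoft_signed(ev) and not path.lower().startswith(TRUSTED_DRIVER_DIRS):
            findings.append((path, "third-party driver loaded from outside the system driver directories"))
    return findings


if __name__ == "__main__":
    for path, reason in triage_driver_loads(SAMPLE_EVENTS):
        print(f"{reason:70} {path}")
```

Two caveats follow directly from what the article says about Demodex. First, because the rootkit hides files and registry keys on the host, run this over telemetry that has already been forwarded off the machine (Sysmon events shipped to a SIEM), not over a local driver enumeration the rootkit can filter. Second, the name match on the watchlist is deliberately loose; tightening it with the SHA256 from Sysmon’s Hashes field catches renamed copies of the same signed driver while avoiding false positives on unrelated files that happen to share the name.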

Author Profile

Antonia Din

PR & Video Content Manager


As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.
