GhostEmperor Operation Employs Unknown Malware To Target High-profile Organizations
Chinese-speaking APT Dubbed GhostEmperor Employs Microsoft Exchange Bugs in Its Campaigns.
A new report shows that in Q2 2021 the threat landscape saw major growth in cyberattacks against Microsoft Exchange servers.
According to the report, the Chinese-speaking APT GhostEmperor took advantage of Microsoft Exchange flaws in order to attack high-profile entities with an advanced toolkit that had been functional from as early as July 2020.
The ongoing campaign performed by this hacking threat actor mostly targeted Southeast Asia-based organizations, including various government entities and telecommunications businesses.
The report indicates that the operation used a previously unknown Windows kernel-mode rootkit and an advanced multi-stage malware framework designed to provide remote control over the compromised servers.
Acting covertly, rootkits are notorious for hiding from investigators and security solutions. To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a loading scheme involving a component of an open-source project named “Cheat Engine”. This advanced toolset is unique, and Kaspersky researchers see no similarity to already known threat actors.
The cybersecurity provider spotted the GhostEmperor campaign while looking into several operations targeting Microsoft Exchange servers. Security experts state that the GhostEmperor Advanced Persistent Threat (APT) is a brand-new danger, as it doesn’t behave like any other known threat.
David Emm, a security expert at Kaspersky, declared:
As detection and protection techniques evolve, so do APT actors. They typically refresh and update their toolsets.
GhostEmperor is a clear example of how cybercriminals look for new techniques to use and new vulnerabilities to exploit. Using a previously unknown, sophisticated rootkit, they brought new problems to the already well-established trend of attacks against Microsoft Exchange servers.
The cybersecurity organization’s report reminds us once again that advanced threat actors will continue to adapt and evolve, change their strategies, invest in their toolsets, and launch new waves of activity.