A detailed report has been released by Kaspersky providing information about the new activity linked to GhostEmperor. The threat actor has been recently discovered using a new rootkit and exploiting Exchange vulnerabilities. It has been mostly targeting government and telecom entities in Southeast Asia.
About the attack campaign
GhostEmperor is now using an undiscovered Windows kernel-mode rootkit, named Demodex, along with a sophisticated multi-stage malware framework used for remote control over targeted servers.
- The group is mostly has been observed targeting telecommunication businesses and governmental entities in Southeast Asia, as well as Afghanistan, Ethiopia, and Egypt.
- Most of the infections were deployed on public-facing servers, including Apache servers, IIS Windows Servers, and Oracle servers.
- Attackers are suspected to have exploited the vulnerabilities in the corresponding web applications.
How do they operate?
After gaining access to the targeted systems, the attackers have used a mix of custom and open-source offensive toolsets to gather user credentials and target other systems in the network.
- The group evades the Windows Driver Signature Enforcement by using an undocumented loading scheme using the kernel-mode component of Cheat Engine (an open-source project).
- GhostEmperor has used obfuscation and anti-analysis tactics to make it challenging for analysts to examine the malware.
Use of post-exploitation tools
- The used tools include common utilities developed by the Sysinternals suite for controlling processes (PsExec, ProcDump, and PsList), along with BITSAdmin, CertUtil, and WinRAR.
- Furthermore, the attackers used open-source tools such as Get-PassHashes[.]ps1, Token[.]exe, Ladon, and mimkat_ssp as well. For internal network reconnaissance/communication they used Powercat/NBTscan.
Conclusion
The use of anti-forensic techniques and a wide variety of toolsets indicate that the GhostEmperor group possesses sound knowledge of and access to advanced infrastructure to operate. To stay protected, organizations are recommended to implement multi-layered security architecture of reliable anti-malware, firewalls, Host-based Intrusion Detection Systems (HIDS), and Intrusion Prevention Systems (IPS).
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_472540654.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_378801814.jpg)
