Kaspersky has released a detailed report on new activity linked to GhostEmperor. The threat actor has recently been observed using a new rootkit and exploiting Exchange vulnerabilities, and it has mostly targeted government and telecom entities in Southeast Asia.
About the attack campaign
GhostEmperor is now using a previously undiscovered Windows kernel-mode rootkit, named Demodex, along with a sophisticated multi-stage malware framework used for remote control over targeted servers.
The group has mostly been observed targeting telecommunication businesses and governmental entities in Southeast Asia, as well as Afghanistan, Ethiopia, and Egypt.
Most of the infections were deployed on public-facing servers, including Apache servers, IIS Windows Servers, and Oracle servers.
Attackers are suspected to have exploited the vulnerabilities in the corresponding web applications.
How do they operate?
After gaining access to the targeted systems, the attackers have used a mix of custom and open-source offensive toolsets to gather user credentials and target other systems in the network.
The group evades Windows Driver Signature Enforcement through an undocumented loading scheme that relies on the kernel-mode component of Cheat Engine (an open-source project).
GhostEmperor has used obfuscation and anti-analysis tactics to make it challenging for analysts to examine the malware.
Use of post-exploitation tools
The tools used include common utilities from the Sysinternals suite for controlling processes (PsExec, ProcDump, and PsList), along with BITSAdmin, CertUtil, and WinRAR.
Furthermore, the attackers used open-source tools such as Get-PassHashes[.]ps1, Token[.]exe, Ladon, and mimkat_ssp. For internal network reconnaissance and communication they used Powercat and NBTscan.
Conclusion
The use of anti-forensic techniques and a wide variety of toolsets indicates that the GhostEmperor group possesses sound knowledge of, and access to, advanced infrastructure. To stay protected, organizations are recommended to implement a multi-layered security architecture consisting of reliable anti-malware, firewalls, Host-based Intrusion Detection Systems (HIDS), and Intrusion Prevention Systems (IPS).