Kaspersky has released a detailed report on new activity linked to GhostEmperor. The threat actor was recently discovered using a new rootkit and exploiting Exchange vulnerabilities, and it has mostly been targeting government and telecom entities in Southeast Asia.

About the attack campaign

GhostEmperor is now using a previously undiscovered Windows kernel-mode rootkit, named Demodex, along with a sophisticated multi-stage malware framework for remote control over targeted servers.
  • The group has mostly been observed targeting telecommunication businesses and government entities in Southeast Asia, as well as in Afghanistan, Ethiopia, and Egypt.
  • Most of the infections were deployed on public-facing servers, including Apache servers, Windows IIS servers, and Oracle servers.
  • The attackers are suspected to have exploited vulnerabilities in the corresponding web applications.

How do they operate?

After gaining access to the targeted systems, the attackers used a mix of custom and open-source offensive tools to gather user credentials and target other systems in the network.
  • The group evades Windows Driver Signature Enforcement through an undocumented loading scheme that relies on the kernel-mode component of Cheat Engine (an open-source project).
  • GhostEmperor uses obfuscation and anti-analysis tactics that make it challenging for analysts to examine the malware.

Use of post-exploitation tools

  • The tools used include common utilities from the Sysinternals suite for controlling processes (PsExec, ProcDump, and PsList), along with BITSAdmin, CertUtil, and WinRAR.
  • The attackers also used open-source tools such as Get-PassHashes[.]ps1, Token[.]exe, Ladon, and mimkat_ssp. For internal network reconnaissance and communication they used Powercat and NBTscan.
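The two technique lists above (the driver-loading trick and the post-exploitation toolset) translate naturally into endpoint hunting rules. The following is an added example written for this summary, not code from Kaspersky or Cyware: it triages constructed Sysmon-style process-creation (Event ID 1) and driver-load (Event ID 6) events, flagging the utilities named in this brief and unsigned or watch-listed drivers. The high-risk argument patterns (ProcDump against lsass, CertUtil -urlcache/-decode, BITSAdmin /transfer) are general hunting heuristics rather than details from the report, and the driver file names dbk64.sys/dbk32.sys are assumed here to be Cheat Engine's kernel component; the report names the project but this page does not name the file.

```python
"""Triage constructed endpoint events for the tooling attributed to GhostEmperor."""
import re
from dataclasses import dataclass
from collections import Counter

# Image names of tools listed in the brief. Matching is on the basename only,
# so a renamed binary is not caught; treat this as a starting point for a hunt.
TOOL_IMAGES = {
    "psexec.exe": "PsExec", "procdump.exe": "ProcDump", "pslist.exe": "PsList",
    "bitsadmin.exe": "BITSAdmin", "certutil.exe": "CertUtil",
    "winrar.exe": "WinRAR", "token.exe": "Token.exe", "nbtscan.exe": "NBTscan",
}
# Open-source tools named in the brief, matched as substrings of the command line.
CMDLINE_MARKERS = ("get-passhashes", "powercat", "ladon", "mimkat_ssp")
# Argument combinations that raise severity (general heuristics, not from the brief).
HIGH_RISK = {
    "procdump.exe": re.compile(r"lsass", re.I),
    "certutil.exe": re.compile(r"-(urlcache|decode)", re.I),
    "bitsadmin.exe": re.compile(r"/transfer", re.I),
}
# Assumption: driver file names of Cheat Engine's kernel component (not stated on the page).
WATCHED_DRIVERS = {"dbk64.sys", "dbk32.sys"}


@dataclass
class Finding:
    event_id: int
    severity: str
    reason: str
    image: str


def parse_event(line):
    """Parse a constructed 'Key=Value|Key=Value' event line into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_process(ev):
    """Flag process-creation events that match the brief's toolset."""
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    if image in TOOL_IMAGES:
        pattern = HIGH_RISK.get(image)
        if pattern and pattern.search(cmd):
            return Finding(1, "high", f"{TOOL_IMAGES[image]} with high-risk arguments", image)
        return Finding(1, "medium", f"{TOOL_IMAGES[image]} executed", image)
    lowered = cmd.lower()
    for marker in CMDLINE_MARKERS:
        if marker in lowered:
            return Finding(1, "high", f"open-source tool marker '{marker}' in command line", image)
    return None


def triage_driver(ev):
    """Flag driver loads that are unsigned or on the watch list."""
    image = basename(ev.get("ImageLoaded", ""))
    signed = ev.get("Signed", "").lower() == "true"
    if image in WATCHED_DRIVERS:
        return Finding(6, "high", "watched third-party driver loaded", image)
    if not signed:
        return Finding(6, "high", "unsigned driver loaded", image)
    return None


def triage(lines):
    """Run both rule sets over a list of event lines and return the findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        event_id = int(ev.get("EventID", "0"))
        finding = None
        if event_id == 1:
            finding = triage_process(ev)
        elif event_id == 6:
            finding = triage_driver(ev)
        if finding:
            findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per severity."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample events; paths, hashes and signer strings are illustrative only.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Windows\System32\svchost.exe|CommandLine=svchost.exe -k netsvcs",
    r"EventID=1|Image=C:\Temp\procdump.exe|CommandLine=procdump.exe -ma lsass.exe out.dmp",
    r"EventID=1|Image=C:\Windows\System32\certutil.exe|CommandLine=certutil -decode in.txt out.exe",
    r"EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -File .\Get-PassHashes.ps1",
    r"EventID=1|Image=C:\Tools\PsList.exe|CommandLine=pslist.exe",
    r"EventID=6|ImageLoaded=C:\Windows\System32\drivers\ntfs.sys|Signed=true|Signature=Microsoft Windows",
    r"EventID=6|ImageLoaded=C:\Windows\Temp\dbk64.sys|Signed=true|Signature=Constructed Signer",
    r"EventID=6|ImageLoaded=C:\Windows\Temp\x.sys|Signed=false|Signature=-",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] event {f.event_id}: {f.reason} ({f.image})")
    print(summarize(triage(SAMPLE_EVENTS)))
```

Basename matching is deliberately simple; in production the same rules would be keyed on file hashes or original file names from the PE version resource, since a renamed PsExec or ProcDump would otherwise slip through.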

Conclusion

The use of anti-forensic techniques and a wide variety of toolsets indicates that the GhostEmperor group possesses sound knowledge of, and access to, advanced infrastructure. To stay protected, organizations are recommended to implement a multi-layered security architecture consisting of reliable anti-malware, firewalls, Host-based Intrusion Detection Systems (HIDS), and Intrusion Prevention Systems (IPS).
Cyware Publisher
