[TheRecord] Chinese espionage group deploys new rootkit compatible with Windows 10 systems

At the SAS 2021 security conference today, analysts from security firm Kaspersky Lab have published details about a new Chinese cyber-espionage group that has been targeting high-profile entities across South East Asia since at least July 2020.

Named GhostEmperor, Kaspersky said the group uses highly sophisticated tools and is often focused on gaining and keeping long-term access to its victims through the use of a powerful rootkit that can even work on the latest versions of Windows 10 operating systems.

“We observed that the underlying actor managed to remain under the radar for months,” Kaspersky researchers explained today.

The entry point for GhostEmperor’s hacks was public-facing servers. Kaspersky believes the group used exploits for Apache, Oracle, and Microsoft Exchange servers to breach a target’s perimeter network and then pivoted to more sensitive systems inside the victim’s network.

According to a technical report [PDF] released during the conference today, GhostEmperor used an assortment of different scripts and tools to deploy backdoors inside a victim’s network.

Image: Kaspersky

This backdoor (an in-memory implant) was then used to download and run Cheat Engine, a tool used by online gamers to introduce cheats in their favorite video games.

Kaspersky said GhostEmperor used Cheat Engine’s powerful drivers to bypass the Windows PatchGuard security feature and install a rootkit inside the victim’s Windows OS.

Researchers said the rootkit, called Demodex, was extremely advanced and allowed the group to maintain access to the victim’s device even after OS reinstalls and even on systems running recent versions of the Windows 10 OS.

Image: Kaspersky

But this wasn’t GhostEmperor’s only trick. Kaspersky also noted that the group’s malware was full of “a broad set of unusual and sophisticated anti-forensic and anti-analysis techniques” that tried to prevent or hinder security researchers trying to analyze their malware.

In addition, GhostEmperor used another clever trick that consisted of modifying the communications between infected hosts and its command and control servers by re-packaging data as fake multimedia formats.

Security tools that inspected traffic from GhostEmperor’s malware would normally have classified it as RIFF, JPEG, or PNG files hosted on an Amazon server, researchers explained.
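The disguise described above works because many classifiers look only at the first few magic bytes of a blob. The following Python is an added example, not code from Kaspersky or from the malware; it checks whether a blob that claims to be PNG, JPEG, or RIFF actually has the internal structure of that format (PNG chunk lengths and CRCs, a JPEG marker and segment walk ending in EOI, RIFF size fields and chunk layout). This is the kind of content validation a proxy, network sensor, or file scanner can apply to flag data hiding behind a forged header. The sample blobs are constructed inline for the demonstration and are not taken from the report.

```python
import struct
import zlib

# Constructed sample blobs (not from the Kaspersky report). Each "fake" blob has a
# genuine-looking magic header followed by bytes that do not form a valid file,
# the way a payload disguised as an image or audio file would look on the wire.
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


VALID_PNG = (PNG_SIG
             + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _png_chunk(b"IEND", b""))
FAKE_PNG = PNG_SIG + b"opaque encrypted payload, not chunks"

VALID_JPEG = (b"\xff\xd8"
              + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
              + b"\x12\x34" + b"\xff\xd9")
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"opaque encrypted payload, not segments"

_WAVE_BODY = (b"WAVE"
              + b"fmt " + struct.pack("<I", 16) + struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)
              + b"data" + struct.pack("<I", 4) + b"\x80\x80\x80\x80")
VALID_RIFF = b"RIFF" + struct.pack("<I", len(_WAVE_BODY)) + _WAVE_BODY
FAKE_RIFF = b"RIFF" + struct.pack("<I", 0x7FFFFFFF) + b"WAVE" + bytes(range(40))


def check_png(data: bytes):
    """Walk PNG chunks: IHDR first, every CRC correct, IEND last, nothing after it."""
    if not data.startswith(PNG_SIG):
        return False, "no PNG signature"
    pos, first, end = len(PNG_SIG), True, None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4
        if not ctype.isalpha():
            return False, f"non-ASCII chunk type {ctype!r}"
        if end > len(data):
            return False, f"chunk {ctype!r} length {length} exceeds data"
        if first and ctype != b"IHDR":
            return False, "first chunk is not IHDR"
        first = False
        expected = struct.unpack(">I", data[end - 4:end])[0]
        if expected != zlib.crc32(data[pos + 4:pos + 8 + length]) & 0xFFFFFFFF:
            return False, f"CRC mismatch in chunk {ctype!r}"
        if ctype == b"IEND":
            return (True, "ok") if end == len(data) else (False, "trailing bytes after IEND")
        pos = end
    return False, "no IEND chunk"


def check_jpeg(data: bytes):
    """Walk JPEG marker segments from SOI to SOS, then require a trailing EOI."""
    if not data.startswith(b"\xff\xd8\xff"):
        return False, "no SOI marker"
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False, f"expected marker at offset {pos}"
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI before any scan data
            return (True, "ok") if pos + 2 == len(data) else (False, "trailing bytes after EOI")
        if marker == 0xDA:  # SOS: entropy-coded data follows until EOI
            return (True, "ok") if data.endswith(b"\xff\xd9") else (False, "no EOI marker")
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return False, "truncated segment header"
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            return False, f"bad segment length {length} at offset {pos}"
        pos += 2 + length
    return False, "truncated before SOS/EOI"


def check_riff(data: bytes):
    """Check the RIFF size field and that sub-chunks tile the body exactly."""
    if len(data) < 12 or data[:4] != b"RIFF":
        return False, "no RIFF header"
    declared = struct.unpack("<I", data[4:8])[0]
    if declared != len(data) - 8:
        return False, f"RIFF size {declared} != actual {len(data) - 8}"
    pos = 12
    while pos < len(data):
        if pos + 8 > len(data):
            return False, "truncated chunk header"
        cid, size = struct.unpack("<4sI", data[pos:pos + 8])
        if not all(0x20 <= b < 0x7F for b in cid):
            return False, f"non-ASCII chunk id {cid!r}"
        pos += 8 + size + (size & 1)  # chunks are padded to even length
        if pos > len(data):
            return False, f"chunk {cid!r} overruns data"
    return True, "ok"


def classify(data: bytes):
    """Return (claimed_format, structurally_valid, reason) for a blob."""
    for name, magic, checker in (("png", PNG_SIG, check_png),
                                 ("jpeg", b"\xff\xd8\xff", check_jpeg),
                                 ("riff", b"RIFF", check_riff)):
        if data.startswith(magic):
            ok, why = checker(data)
            return name, ok, why
    return "unknown", False, "no recognised magic bytes"


if __name__ == "__main__":
    for label, blob in (("valid png", VALID_PNG), ("fake png", FAKE_PNG),
                        ("valid jpeg", VALID_JPEG), ("fake jpeg", FAKE_JPEG),
                        ("valid riff", VALID_RIFF), ("fake riff", FAKE_RIFF)):
        print(f"{label:11s} -> {classify(blob)}")
```

A sensor that keys only on `startswith(magic)` accepts all six blobs as media; the structural walk rejects the three fakes with a reason that can be logged. The checks are deliberately strict (no bytes after IEND or EOI, RIFF chunks must tile the body), which is the right default for a detection rule on traffic that is supposed to be a plain static image or audio file.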

While Kaspersky did not reveal the name of the group’s targets, they said GhostEmperor went after governmental entities and telecommunication companies across South East Asia (Malaysia, Thailand, Vietnam, and Indonesia), with outliers in Egypt, Afghanistan, and Ethiopia.

The post Chinese espionage group deploys new rootkit compatible with Windows 10 systems appeared first on The Record by Recorded Future.
