Analysts at security firm Kaspersky Lab have identified a new Chinese-speaking espionage group that uses a rootkit compatible with Windows 10 to target high-profile organisations in South East Asia, with activity dating back to at least July 2020.
Sophisticated Tools to Attack
Kaspersky says the group, which it has named GhostEmperor, focuses on “gaining and keeping” long-term access to its victims’ data, mainly through sophisticated custom tooling. Researchers say the threat actor managed “to stay under the radar for months,” largely thanks to a rootkit that works on Windows 10.
GhostEmperor gains initial access through public-facing servers, most notably Oracle, Apache and Microsoft Exchange servers. These are used to breach the victim’s perimeter network before the attackers pivot to more sensitive systems inside it.
The findings were first presented at the SAS 2021 security conference, held recently. According to the researchers, the threat actors plant back doors into victims’ networks using a number of different tools and scripts. The back door is then used to download and run Cheat Engine, a memory-editing tool popular with gamers for introducing cheats into video games.
Cheat Engine’s signed kernel driver is abused to bypass Windows Driver Signature Enforcement, the check that normally blocks unsigned kernel drivers, which clears the path for loading the group’s own rootkit driver into the victim’s Windows operating system. The rootkit has been named “Demodex” and, according to the team, is highly advanced, allowing the group to remain in contact with the victim’s system even in the face of an operating-system reinstall.
That is not the only trick GhostEmperor has up its sleeve. Kaspersky notes that the malware ships with a number of “unusual and sophisticated” anti-forensic and anti-analysis features, which the researchers believe made the rootkit difficult to analyse.
The group also disguises the traffic between infected hosts and its command-and-control servers by re-packaging it as fake multimedia files. If a security product inspected the traffic, all it would find would be what appear to be JPEG, RIFF or PNG files, hosted on an Amazon server.
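The masquerading described above works against tools that classify a file by its first few bytes. A cheap triage step is to walk the container structure the magic bytes promise (PNG chunk CRCs, the RIFF size field and chunk IDs, JPEG marker segments) and flag anything that carries the signature but not the structure. The following is an added example written for this page, not Kaspersky’s detection logic and not code from the GhostEmperor report; the genuine and fake samples are constructed inline. It is a heuristic: a payload tucked inside a well-formed chunk of a real PNG would pass, so treat a failure as a reason to look closer, not a pass as proof of innocence.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def valid_png(data):
    """Walk PNG chunks: length, type, body, CRC32 over type+body. Must start with IHDR and end exactly at IEND."""
    if not data.startswith(PNG_SIG):
        return False
    pos, first = len(PNG_SIG), True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(data):
            return False                      # declared length overruns the file
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False                      # bogus chunk: CRC does not match
        if first and ctype != b"IHDR":
            return False
        first = False
        if ctype == b"IEND":
            return end == len(data)           # nothing may trail IEND
        pos = end
    return False                              # ran out of data before IEND


def _printable(tag):
    return all(0x20 <= b < 0x7F for b in tag)


def valid_riff(data):
    """RIFF: 'RIFF' + little-endian size (file length - 8) + form type + chunks of (id, size, body, pad to even)."""
    if len(data) < 12 or data[:4] != b"RIFF" or not _printable(data[8:12]):
        return False
    (size,) = struct.unpack("<I", data[4:8])
    if size != len(data) - 8:
        return False
    pos = 12
    while pos < len(data):
        if pos + 8 > len(data):
            return False
        cid, csize = struct.unpack("<4sI", data[pos:pos + 8])
        if not _printable(cid):
            return False                      # chunk IDs are four printable ASCII bytes
        pos += 8 + csize + (csize & 1)
        if pos > len(data):
            return False
    return True


def valid_jpeg(data):
    """JPEG: SOI, then FF xx marker segments with a 2-byte big-endian length, reaching SOS; file ends with EOI."""
    if len(data) < 4 or data[:2] != b"\xff\xd8" or data[-2:] != b"\xff\xd9":
        return False
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False                      # expected a marker, found raw payload
        marker = data[pos + 1]
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                          # standalone markers carry no length
            continue
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if seglen < 2 or pos + 2 + seglen > len(data):
            return False
        if marker == 0xDA:
            return True                       # SOS reached; entropy-coded data follows until EOI
        pos += 2 + seglen
    return False


def classify(data):
    """Return (type claimed by magic bytes, whether the container structure actually holds up)."""
    if data.startswith(PNG_SIG):
        return ("png", valid_png(data))
    if data.startswith(b"RIFF"):
        return ("riff", valid_riff(data))
    if data.startswith(b"\xff\xd8"):
        return ("jpeg", valid_jpeg(data))
    return ("unknown", False)


# --- constructed samples (not real GhostEmperor artefacts) ---
def _png_chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)

GENUINE_PNG = (PNG_SIG + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
               + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _png_chunk(b"IEND", b""))
FAKE_PNG = PNG_SIG + b"BEACON:" + bytes(range(40))          # signature, then raw C2 data

_fmt = struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)
_pcm = bytes([128] * 16)
_wave = b"WAVE" + b"fmt " + struct.pack("<I", len(_fmt)) + _fmt + b"data" + struct.pack("<I", len(_pcm)) + _pcm
GENUINE_RIFF = b"RIFF" + struct.pack("<I", len(_wave)) + _wave
_fake_body = b"WAVE" + bytes(range(32))
FAKE_RIFF = b"RIFF" + struct.pack("<I", len(_fake_body)) + _fake_body   # size field right, chunk IDs garbage

_app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_sos = b"\x01\x01\x00\x00\x3f\x00"
GENUINE_JPEG = (b"\xff\xd8\xff\xe0" + struct.pack(">H", len(_app0) + 2) + _app0
                + b"\xff\xda" + struct.pack(">H", len(_sos) + 2) + _sos + b"\x00" * 4 + b"\xff\xd9")
FAKE_JPEG = b"\xff\xd8" + b"C2 payload goes here" + b"\xff\xd9"  # SOI and EOI wrapped around raw data

if __name__ == "__main__":
    for name, blob in [("genuine png", GENUINE_PNG), ("fake png", FAKE_PNG), ("genuine riff", GENUINE_RIFF),
                       ("fake riff", FAKE_RIFF), ("genuine jpeg", GENUINE_JPEG), ("fake jpeg", FAKE_JPEG)]:
        print(f"{name:13s} -> {classify(blob)}")
```

Each fake sample here passes a magic-byte check and fails the structural walk; the RIFF fake even has a correct size field, which is why the chunk-ID check matters. Run the same functions over captured HTTP bodies or proxy-cache files to surface candidates for manual review.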
Kaspersky, without naming specific victims, says the threat actors mainly targeted government entities and telecom firms across South East Asia.