GhostEmperor Campaign Targets Asian Countries Abusing Microsoft Vulnerabilities

Cybersecurity researchers have recently disclosed details of the China-based threat actor GhostEmperor, which allegedly targeted several south-east Asian countries for more than a year.

According to Kaspersky specialists Mark Lechtik, Aseel Kayal, Paul Rascagneres, and Vasily Berdnikov, throughout this period the threat actors attacked governmental entities and telecommunication firms in South Asia using a rootkit that acts as a backdoor to maintain persistence on vulnerable servers.

The rootkit, dubbed Demodex, has been adapted to work on Windows 10.

The main objective of this backdoor is to conceal artifacts such as documents, registry keys, and network traffic in order to avoid being noticed by forensic experts and prevention systems.

To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a loading scheme involving a component of an open-source project named ‘Cheat Engine’.

This advanced toolset is unique and Kaspersky researchers see no similarity to already known threat actors. Kaspersky experts have surmised that the toolset has been in use since at least July 2020.

The hackers used known flaws in internet-facing server software, such as Apache, Windows IIS and Oracle, to compromise their targets’ systems.

According to BleepingComputer, the Chinese-speaking group also uses a

Read More: https://heimdalsecurity.com/blog/ghostemperor-campaign-targets-asian-countries-abusing-microsoft-vulnerabilities/