Cybersecurity researchers have recently disclosed details of the China-based threat actor GhostEmperor, which allegedly targeted several Southeast Asian countries for more than a year.
According to Kaspersky specialists Mark Lechtik, Aseel Kayal, Paul Rascagneres, and Vasily Berdnikov, throughout that period the threat actors attacked governmental entities and telecommunication firms in South Asia using a rootkit that acts as a backdoor to maintain persistence on vulnerable servers.
The rootkit, dubbed Demodex, had been adapted to work on Windows 10.
The main objective of this backdoor is to conceal malware artifacts such as documents, registry keys, and network traffic in order to avoid being noticed by forensic experts and prevention systems.
To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a loading scheme involving a component of an open-source project named ‘Cheat Engine’.
This advanced toolset is unique, and Kaspersky researchers see no similarity to already known threat actors. Kaspersky experts surmise that the toolset has been in use since at least July 2020.
The hackers used known flaws in Internet-facing server software, such as Apache, Windows IIS, Oracle, and Microsoft Exchange, to compromise their targets’ systems.
According to BleepingComputer, the Chinese-speaking hacking group also uses a