Security researchers at Kaspersky detected a new Chinese-speaking threat actor that’s targeting Microsoft Exchange flaws. The actor, tracked as GhostEmperor, is focusing on high-profile victims.
The group is unique because it uses a previously unknown Windows kernel-mode rootkit to infiltrate servers and give the attackers remote control over them.
Kaspersky says the group has been operating for a long time and mainly targeted various entities in Southeast Asia. Among them were government entities and telecom companies.
GhostEmperor relies on a unique loading scheme, built around an open-source component, that lets the attackers bypass the Windows Driver Signature Enforcement mechanism.
“To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a loading scheme involving a component of an open-source project named ‘Cheat Engine’,” reads the announcement published by Kaspersky.
“This advanced toolset is unique and Kaspersky researchers see no similarity to already known threat actors. Kaspersky experts have surmised that the toolset has been in use since at least July 2020.”
The toolset cluster analyzed by Kaspersky also used a multi-stage malware framework that provided remote control over the infected servers.
This year, multiple threat groups were targeting Microsoft Exchange vulnerabilities, though the GhostEmperor operation has no overlap with the others, researchers said.
David Emm, security expert at Kaspersky, commented that as protection techniques and detection methods evolve, so do the actors’ toolsets.
“GhostEmperor is a clear example of how cybercriminals look for new techniques to use and new vulnerabilities to exploit. Using a previously unknown, sophisticated rootkit, they brought new problems to the already well-established trend of attacks against Microsoft Exchange servers,” said David Emm, security expert at Kaspersky.
To learn more about GhostEmperor and the related Indicators of Compromise (IoCs) and YARA rules for mitigation, read the APT trends report Q2 2021 on Securelist. It summarizes Kaspersky’s findings from otherwise subscriber-only threat intelligence reports.