Chinese attackers use new rootkit in long-running campaign against Windows 10 systems


A hitherto unknown but highly skilled Chinese-speaking cyberespionage group is using sophisticated malware to attack government and private entities in Southeast Asia, in a long-running campaign that targets systems running the latest versions of Microsoft's Windows 10.

The group – which Kaspersky Lab researchers call GhostEmperor – uses a multi-stage malware framework designed to give the attackers remote control over targeted servers. Alongside it, GhostEmperor deploys a kernel-mode rootkit – which the researchers named Demodex – that hides the malware's artifacts from security products and investigators and lets the implant persist on infected machines for long periods.

Kaspersky researchers first wrote about GhostEmperor in July and published a follow-up blog post this week.

“With a long-standing operation, high profile victims, an advanced toolset and no affinity with a known threat actor, we decided to nickname the underlying cluster GhostEmperor,” they wrote in the latest blog post. “Our investigation of this activity leads us to believe that the underlying actor is highly skilled and accomplished in his craft, which is evident through the use of a wide range of unusual and sophisticated anti-forensic and anti-analysis techniques.”

Rootkit abuses a Cheat Engine driver

The Demodex rootkit is used to hide malware artifacts from investigators and security products. It is loaded through an undocumented scheme that relies on the kernel-mode component (a signed driver) of an open source project named Cheat Engine to bypass Windows Driver Signature Enforcement, the researchers wrote. Cheat Engine is a memory scanner and debugger for Windows, used chiefly to cheat in video games; because its driver is legitimately signed, Windows will load it, and the rootkit then rides on that driver's functionality to get its own unsigned code into the kernel.

“This tool is quite advanced because it bypasses security features designed to prevent loading unsigned device drivers,” Jake Williams, co-founder and CTO of incident response solutions provider BreachQuest, told eSecurity Planet. “It does this using a legitimate tool [Cheat Engine] designed to help online game players cheat. Although this tool itself is digitally signed and non-malicious, it has no place in the vast majority of environments.”

Organizations should audit their configured services and monitor event logs for service creation and modification, Williams said, so they can detect the creation of the service that loads the legitimate but unexpected Cheat Engine driver, a step that is critical to the infection chain.
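The check Williams describes, written out as an added example (this is not code from the article, from BreachQuest or from Kaspersky's write-up). It reads kernel-driver service installations from the Windows System log (Event ID 7045, "A service was installed in the system", written by the Service Control Manager) and flags drivers that live outside the normal driver directory, are missing from disk, or carry a non-Microsoft or invalid Authenticode signature. The substring match on the service and driver name is an assumption for illustration: Cheat Engine's own driver ships as dbk64.sys, but the page does not say what service or file name the intrusion used, so a renamed driver would only be caught by the path and signer checks.

```powershell
# Added example, not from the original article or Kaspersky's write-up.
# Hunts Event ID 7045 (service installed) in the System log for kernel-driver
# services and flags the ones an administrator did not expect to see.

param([int]$Days = 30)   # how far back to look

function Resolve-DriverPath {
    # Normalise the raw ImagePath the SCM records into a filesystem path.
    param([string]$ImagePath)
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                    # strip the \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot   # \SystemRoot\System32\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }  # relative form
    return $p
}

function Get-SuspiciousDriverInstalls {
    param([int]$Days = 30)
    $filter     = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    $events     = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $driversDir = Join-Path $env:SystemRoot 'System32\drivers'

    foreach ($e in $events) {
        # Pull the named EventData fields (ServiceName, ImagePath, ServiceType, StartType, AccountName)
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Only kernel-mode / file-system drivers matter for a driver-loading chain
        if ($data['ServiceType'] -notmatch 'driver') { continue }

        $path    = Resolve-DriverPath $data['ImagePath']
        $reasons = @()

        if ($path -notlike "$driversDir\*") { $reasons += 'image outside System32\drivers' }

        if (Test-Path -LiteralPath $path) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            if ($sig.Status -ne 'Valid')           { $reasons += "signature status $($sig.Status)" }
            elseif ($signer -notmatch 'Microsoft') { $reasons += "third-party signer: $signer" }
        } else {
            $signer   = '<file missing>'
            $reasons += 'image no longer on disk'   # typical after a loader cleans up behind itself
        }

        # Assumed indicator: Cheat Engine's driver is dbk64.sys; the intrusion may have renamed it
        if (($data['ServiceName'] + ' ' + $path) -match 'cheat|dbk') {
            $reasons += 'Cheat Engine name indicator (assumed, see lead-in)'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                ServiceName = $data['ServiceName']
                ImagePath   = $path
                StartType   = $data['StartType']
                Account     = $data['AccountName']
                Signer      = $signer
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousDriverInstalls -Days $Days | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the host being triaged, or point Get-WinEvent at an exported .evtx with -Path instead of -FilterHashtable's LogName. Any third-party-signed driver that shows up here is not automatically malicious, but a freshly installed, non-Microsoft kernel driver on an Exchange or IIS server is exactly the event that deserves a follow-up. Where Sysmon is deployed, its Event ID 6 (DriverLoad) records the signer and hash at load time and is a useful second source for the same check.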

The attacks began in mid-2020

While investigating attacks on Microsoft Exchange servers recently, Kaspersky researchers found what they called a recurring cluster of activity across several compromised networks that stood out because of its use of a previously unknown rootkit. They determined that the toolkit had been in use as early as July 2020 and that the attacks focused primarily on Southeast Asia – including Indonesia, Malaysia, Thailand and Vietnam – although there were other victims in Egypt, Afghanistan and Ethiopia, including several government agencies and telecommunications companies.

While most of the victims were in Southeast Asia, some of the organizations in other regions had strong ties to countries in Asia, which the researchers interpreted to mean that the attackers may have used these other infections to spy on countries in which they have a geopolitical interest.

GhostEmperor used multiple infection routes into the systems, all of which ended with the malware executing in memory. The group exploited known vulnerabilities in publicly available server software, such as Apache, Windows IIS, Microsoft Exchange and Oracle. One of the infections on an Exchange server occurred on March 4, two days after Microsoft released the patch for the high-profile ProxyLogon vulnerability.

“It is possible that attackers exploited this vulnerability to allow them to execute code remotely on vulnerable Exchange servers,” the researchers wrote.

Suspected Chinese threat actor

They determined that the campaign was run by an unknown Chinese-speaking threat actor, based on the use of open source tools such as Ladon and Mimikat_ssp, which they believe are popular with attackers in the region. There were other flags as well, including the version information found in the resource section of the second-stage loader binaries, whose legal-trademark field (LegalTrademarks in the PE version resource) contained a Chinese character.
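A quick way to hunt for the version-resource clue described above, as an added example (not code from the article or from Kaspersky). It walks a directory of collected binaries and reports any PE file whose version-resource string fields contain CJK characters; the directory path and the set of fields checked are assumptions, since the page does not name the loader files.

```powershell
# Added example, not from the original article.
# Reports PE files whose VS_VERSIONINFO string fields (LegalTrademarks etc.)
# contain Chinese, Japanese or Korean characters.

function Find-CjkVersionInfo {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Fields to inspect; LegalTrademarks is the one the researchers called out
        [string[]]$Fields = @('LegalTrademarks', 'CompanyName', 'ProductName',
                              'FileDescription', 'LegalCopyright', 'OriginalFilename')
    )
    # .NET named Unicode blocks: Han ideographs, hiragana, katakana, Hangul syllables
    $cjk = '[\p{IsCJKUnifiedIdeographs}\p{IsHiragana}\p{IsKatakana}\p{IsHangulSyllables}]'

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi   = $_.VersionInfo   # FileVersionInfo, read from the file's version resource
        $hits = foreach ($f in $Fields) {
            $v = $vi.$f
            if ($v -and ($v -match $cjk)) { "$f=$v" }
        }
        if ($hits) {
            [pscustomobject]@{
                File   = $_.FullName
                SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Fields = ($hits -join '; ')
            }
        }
    }
}

# Assumed location of the binaries collected during triage
Find-CjkVersionInfo -Path 'C:\triage\collected' | Format-Table -AutoSize
```

A CJK string in a version resource is an attribution hint, not proof: plenty of legitimate software ships with localized version information. The value of the check is in narrowing a large pile of collected loaders down to the few worth a closer look, which is how the researchers used it alongside the tooling choices described above.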

The use of such sophisticated techniques indicates that the attackers put a lot of effort into assembling a malicious toolkit that avoids detection, Archie Agarwal, founder and CEO of threat modeling vendor ThreatModeler, told eSecurity Planet.

“Recent research shows that criminals go undetected on networks for an average of 11 days,” Agarwal said. “It should be noted that this is an average taken across advanced and simplistic attacks. This particular group is undoubtedly very sophisticated and probably state-backed, and therefore it is not surprising that it goes undetected for long periods of time.”

For these bad actors, the main motivation is usually industrial espionage and political advantage, he said, adding that “the sheer sophistication of their operation and their malware framework would only be used for high-value purposes and generally supported at the state level.”

GhostEmperor plays the long game

GhostEmperor’s goal was to target leading organizations and maintain a long-standing and persistent operation, Kaspersky researchers wrote. They noted that the actor was able to stay undetected for months, “while showing finesse when it came to developing the malicious toolkit, a deep understanding of an investigator’s mindset and the ability to counter forensic analysis in various ways.”

The researchers said businesses and government agencies should not sleep on rootkits, whose value as an attack technique had appeared to decline in recent years as Windows added protections such as driver signature enforcement. The development of Demodex and other recent rootkits shows that they can still be used effectively to help attackers avoid detection.

“As we have seen, the attackers conducted the level of research required to make the Demodex rootkit fully functional on Windows 10, allowing it to load through the documented functionality of a signed and benign third-party driver,” they wrote. “This suggests that rootkits should always be considered as a TTP [tactics, techniques and procedures] during investigations and that advanced threat actors, like the one behind GhostEmperor, are prepared to continue using them in future campaigns.”

Inventory and patch

Since the common entry points were public-facing servers with known vulnerabilities, organizations should inventory all of their public-facing assets as often as possible and ensure they are patched, said ThreatModeler's Agarwal.

“Threat actors will conduct intensive reconnaissance in search of these assets, and organizations must do the same,” he said.

Further reading:

Best patch management software and tools

Microsoft is making Exchange Server hotfixes less optional

Main vulnerability management tools for 2021
