Thursday, March 28, 2024

Chinese Hackers Attack & Spy Windows Users Using Rootkits

GhostEmperor, a new Chinese cyber-espionage group, that is continuously attacking large organizations using Windows in Southeast Asia since at least July 2020. GhostEmperor attacked several government agencies and telecommunications companies in the following countries:-

  • Malaysia
  • Thailand
  • Vietnam
  • Indonesia
  • Egypt
  • Afghanistan
  • Ethiopia

This Chinese cyber-attack group is new in this attacking field, and it utilizes very complicated tools, not only this but the threat actors of this group are mainly focused on gaining and sustaining long-term network access to accomplish its goals.

How were the victims infected initially?

The security researchers of Kaspersky Lab have initiated their investigation and during their investigation, they distinguished multiple attack vectors that triggered an epidemic chain which leads to the performance of malware in memory. 

Apart from all this, the threat actors have mostly abused vulnerabilities in the web applications that are generally running on those systems, enabling them to withdraw and perform their files. 

Moreover, the GhostEmperor infections have also hit an Exchange server that took place on March 4, 2021.  

Functionality Demodex rootkit

Demodex is loaded as a rootkit, and it generally serves the determination of covering various artifacts of the malware’s service. To access the rootkit’s functionality, the malware has to get a handle to the similar device object, and soon after the following IOCTLs will be available for further use, that we have mentioned below:-

  • 0x220204
  • 0x220224
  • 0x220300
  • 0x220304
  • 0x220308
  • 0x22030C

Rootkit loading analysis

However, the threat actors have exploited vulnerabilities that are present in signed drivers to enable the execution of unsigned code to kernel space. This method was limited by Microsoft with the initiation of Kernel Patch Protection.

Apart from this the method used by the developer of this rootkit enables loading an unsigned driver outwardly adjusting the Code Integrity image and dealing with a potential crash. 

It also exploits features of a legitimate and open-source2 signed driver identified as dbk64.sys which is transmitted along with Cheat Engine. 

Obfuscation and anti-analysis techniques

There are two common analysis tools, and here they are mentioned below:- 

  • WinDbg
  • Volatility

However, Demodex is loaded, that’s why its driver is not properly secured in WinDbg along with other system modules that are stored in a documented way.

So, the threat actors have made a voluntary choice to eliminate all PE headers from memory-loaded images in the third stage of the malware as well as the rootkit’s driver.

GhostEmperor focus on high-profile targets

The whole attack indicates that the underlying actor achieved to remain under the detector for months. But, the threat actors have conveyed the required level of research to make the Demodex rootkit fully functional on Windows 10.

Well doing this will allow it to load via documented features of a third-party signed and benign driver, as the threat actors of the GhostEmperor have been using strong and sophisticated tools.

Network infrastructure

GhostEmperor has used hosting services based in Hong Kong and South Korea, like Daou Technology or Anchent Asia Limited. And here they are mentioned below:-

  • newlylab[.]com
  • reclubpress[.]com
  • webdignusdata[.]com
  • freedecrease[.]com
  • aftercould[.]com
  • datacentreonline[.]com
  • newfreepre[.]com

And here are the IP addresses used by the threat actors:-

  • 223.135[.]214
  • 148.165[.]158
  • 102.114[.]55
  • 102.113[.]57
  • 102.113[.]240

While GhostEmperor might be a new Chinese cyber-attack group but it has come up with the most sophisticated tools, that made its attack more complicated. Not only this but the group has also used some clever hacker tricks that are repackaging data into fake multimedia formats. 

However, using this trick will help the threat actors a lot, and the traffic of the GhostEmperor malware is normally concealed as RIFF, JPEG, or PNG files that are hard to recognize.

Indicators of compromise

Stage 1 – PowerShell Dropper

012862165EC105A44FEA14FACE53492F – u_ex200822.ps1

Stage 2 – Service DLL

6A44FDD66AB841C33949620666CA847A – RAudioUniConfig.dll
2DD0885F84B890883A396030DB841D28

1BC301AA9B861F762CE5F376228E992A – svchosts.exe

Stage 4

0BBFBA106FBB9E310330DC87C32CB6D1 – Payload DLL
6685323C61D8EDB4A6E35796AF34D626 – Remote Desktop Control DLL

Post-exploitation

BE38D173E4E9118BDC2E83FD5F90BE3B – kekeo.exe
F078AC9B012C503D35254AF9629D3B67 – debugall.vbs

Driver

7394229455151a9cd036383027a1536b

Website

Latest articles

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles