Thursday, July 25, 2024

Chinese Hackers Attack & Spy Windows Users Using Rootkits

GhostEmperor, a new Chinese cyber-espionage group, has been continuously attacking large organizations running Windows in Southeast Asia since at least July 2020. GhostEmperor attacked several government agencies and telecommunications companies in the following countries:-

  • Malaysia
  • Thailand
  • Vietnam
  • Indonesia
  • Egypt
  • Afghanistan
  • Ethiopia

This Chinese cyber-attack group is new to the field and uses very complicated tools. Its operators are mainly focused on gaining and sustaining long-term network access to accomplish their goals.

How were the victims infected initially?

Security researchers at Kaspersky Lab investigated the activity and identified multiple attack vectors that triggered an infection chain leading to the execution of malware in memory.

Apart from this, the threat actors have mostly abused vulnerabilities in the web applications running on those systems, enabling them to drop and execute their files.

Moreover, a GhostEmperor infection also hit an Exchange server on March 4, 2021.

Functionality of the Demodex rootkit

Demodex is loaded as a rootkit, and it generally serves the purpose of hiding various artifacts of the malware’s service. To access the rootkit’s functionality, the malware has to get a handle to the corresponding device object, after which the following IOCTLs are available for further use:-

  • 0x220204
  • 0x220224
  • 0x220300
  • 0x220304
  • 0x220308
  • 0x22030C
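For triage, the IOCTL values above can be split into their fields with the standard Windows `CTL_CODE` layout. This is an added example, not code from the article or from the original research; the helper names (`decode_ioctl`, `Ioctl`, `DEMODEX_IOCTLS`) are made up for this illustration.

```python
from typing import NamedTuple

# CTL_CODE layout: (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT",
           "METHOD_OUT_DIRECT", "METHOD_NEITHER")
ACCESS = ("FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
          "FILE_READ_ACCESS|FILE_WRITE_ACCESS")

# The six values listed in the article.
DEMODEX_IOCTLS = (0x220204, 0x220224, 0x220300, 0x220304, 0x220308, 0x22030C)


class Ioctl(NamedTuple):
    device_type: int      # 0x22 is FILE_DEVICE_UNKNOWN
    access: str
    function: int
    method: str
    vendor_range: bool    # function codes >= 0x800 are the vendor range


def decode_ioctl(code: int) -> Ioctl:
    """Split a 32-bit I/O control code into its CTL_CODE fields."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("IOCTL codes are 32-bit values")
    function = (code >> 2) & 0xFFF
    return Ioctl(
        device_type=(code >> 16) & 0xFFFF,
        access=ACCESS[(code >> 14) & 0x3],
        function=function,
        method=METHODS[code & 0x3],
        vendor_range=function >= 0x800,
    )


if __name__ == "__main__":
    for value in DEMODEX_IOCTLS:
        print(f"{value:#010x}", decode_ioctl(value))
```

All six codes decode to device type 0x22 with buffered I/O and no access restriction, and their function numbers (0x81, 0x89, 0xC0 to 0xC3) sit below 0x800, the range Microsoft reserves for its own drivers.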

Rootkit loading analysis

Threat actors have exploited vulnerabilities present in signed drivers to enable the execution of unsigned code in kernel space. This method was limited by Microsoft with the introduction of Kernel Patch Protection.

Apart from this, the method used by the developer of this rootkit enables loading an unsigned driver without modifying the Code Integrity image and dealing with a potential crash.

It also abuses features of a legitimate, open-source signed driver named dbk64.sys, which is shipped with Cheat Engine.

Obfuscation and anti-analysis techniques

Two common analysis tools are involved here:-

  • WinDbg
  • Volatility

Because of the way Demodex is loaded, its driver is not properly listed in WinDbg alongside other system modules that are loaded in a documented way.

In addition, the threat actors made a deliberate choice to remove all PE headers from memory-loaded images in the third stage of the malware as well as from the rootkit’s driver.

GhostEmperor focus on high-profile targets

The whole attack indicates that the underlying actor managed to remain under the radar for months. The threat actors also carried out the level of research required to make the Demodex rootkit fully functional on Windows 10.

This allows the rootkit to load via documented features of a third-party signed and benign driver. The GhostEmperor operators have been using strong and sophisticated tools.

Network infrastructure

GhostEmperor has used hosting services based in Hong Kong and South Korea, like Daou Technology or Anchent Asia Limited. The domains used are mentioned below:-

  • newlylab[.]com
  • reclubpress[.]com
  • webdignusdata[.]com
  • freedecrease[.]com
  • aftercould[.]com
  • datacentreonline[.]com
  • newfreepre[.]com

And here are the IP addresses used by the threat actors:-

  • 223.135[.]214
  • 148.165[.]158
  • 102.114[.]55
  • 102.113[.]57
  • 102.113[.]240

GhostEmperor might be a new Chinese cyber-attack group, but it has come up with highly sophisticated tools that made its attacks more complicated. The group has also used some clever tricks, such as repackaging data into fake multimedia formats.

This trick helps the threat actors considerably: the traffic of the GhostEmperor malware is normally disguised as RIFF, JPEG, or PNG files, which makes it hard to recognize.
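One defender-side check for the disguise described above, as an added example that is not from the article or the original research: confirm that a captured body starting with PNG, JPEG or RIFF magic bytes also has the container structure the format requires. It assumes the disguise is limited to a fake leading header, which the article does not specify; the function names and sample bodies are constructed for illustration.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def png_ok(data: bytes) -> bool:
    """Every chunk must fit, carry a correct CRC32, start at IHDR and stop at IEND."""
    pos = len(PNG_MAGIC)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype, end = data[pos + 4:pos + 8], pos + 12 + length
        if end > len(data) or (pos == len(PNG_MAGIC) and ctype != b"IHDR"):
            return False
        if zlib.crc32(data[pos + 4:end - 4]) != struct.unpack(">I", data[end - 4:end])[0]:
            return False
        if ctype == b"IEND":
            return end == len(data)  # bytes after IEND are not part of a PNG
        pos = end
    return False

def jpeg_ok(data: bytes) -> bool:
    """Marker segments must chain from SOI to SOS, and the stream must end with EOI."""
    pos = 2
    while pos + 4 <= len(data):
        marker, (seglen,) = data[pos:pos + 2], struct.unpack(">H", data[pos + 2:pos + 4])
        if marker[0] != 0xFF or seglen < 2:
            return False
        if marker[1] == 0xDA:  # SOS: entropy-coded scan data follows
            return data.endswith(b"\xff\xd9")
        pos += 2 + seglen
    return False

def riff_ok(data: bytes) -> bool:
    """The little-endian size field must equal the body length minus the 8-byte header."""
    return len(data) >= 12 and struct.unpack("<I", data[4:8])[0] == len(data) - 8

CHECKS = ((PNG_MAGIC, "png", png_ok), (b"\xff\xd8\xff", "jpeg", jpeg_ok), (b"RIFF", "riff", riff_ok))

def inspect_body(body: bytes):
    """Return (claimed_format, structure_valid), or (None, None) without a media magic."""
    for magic, name, check in CHECKS:
        if body.startswith(magic):
            return name, check(body)
    return None, None

# Constructed samples: correct magic bytes followed by data that is not an image.
FAKE_PNG = PNG_MAGIC + bytes(range(48))
FAKE_RIFF = b"RIFF" + struct.pack("<I", 9999) + b"WAVE" + b"\x00" * 20
RESULTS = [inspect_body(s) for s in (FAKE_PNG, FAKE_RIFF)]
```

A body that reports a media format with `structure_valid` set to `False` is worth a closer look; a disguise that reproduces the full container structure would pass this check, so it complements rather than replaces other network detections.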

Indicators of compromise

Stage 1 – PowerShell Dropper

012862165EC105A44FEA14FACE53492F – u_ex200822.ps1

Stage 2 – Service DLL

6A44FDD66AB841C33949620666CA847A – RAudioUniConfig.dll

1BC301AA9B861F762CE5F376228E992A – svchosts.exe

Stage 4

0BBFBA106FBB9E310330DC87C32CB6D1 – Payload DLL
6685323C61D8EDB4A6E35796AF34D626 – Remote Desktop Control DLL


BE38D173E4E9118BDC2E83FD5F90BE3B – kekeo.exe
F078AC9B012C503D35254AF9629D3B67 – debugall.vbs




BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
