Chinese Hackers Attack & Spy Windows Users Using Rootkits

GhostEmperor, a new Chinese cyber-espionage group, that is continuously attacking large organizations using Windows in Southeast Asia since at least July 2020. GhostEmperor attacked several government agencies and telecommunications companies in the following countries:-

• Malaysia
• Thailand
• Vietnam
• Indonesia
• Egypt
• Afghanistan
• Ethiopia

This Chinese cyber-attack group is new in this attacking field, and it utilizes very complicated tools, not only this but the threat actors of this group are mainly focused on gaining and sustaining long-term network access to accomplish its goals.

How were the victims infected initially?

The security researchers of Kaspersky Lab have initiated their investigation and during their investigation, they distinguished multiple attack vectors that triggered an epidemic chain which leads to the performance of malware in memory. 

Apart from all this, the threat actors have mostly abused vulnerabilities in the web applications that are generally running on those systems, enabling them to withdraw and perform their files. 

Moreover, the GhostEmperor infections have also hit an Exchange server that took place on March 4, 2021.  

Functionality Demodex rootkit

Demodex is loaded as a rootkit, and it generally serves the determination of covering various artifacts of the malware’s service. To access the rootkit’s functionality, the malware has to get a handle to the similar device object, and soon after the following IOCTLs will be available for further use, that we have mentioned below:-

• 0x220204
• 0x220224
• 0x220300
• 0x220304
• 0x220308
• 0x22030C

Rootkit loading analysis

However, the threat actors have exploited vulnerabilities that are present in signed drivers to enable the execution of unsigned code to kernel space. This method was limited by Microsoft with the initiation of Kernel Patch Protection.

Apart from this the method used by the developer of this rootkit enables loading an unsigned driver outwardly adjusting the Code Integrity image and dealing with a potential crash. 

It also exploits features of a legitimate and open-source2 signed driver identified as dbk64.sys which is transmitted along with Cheat Engine. 

Obfuscation and anti-analysis techniques

There are two common analysis tools, and here they are mentioned below:- 

• WinDbg
• Volatility

However, Demodex is loaded, that’s why its driver is not properly secured in WinDbg along with other system modules that are stored in a documented way.

So, the threat actors have made a voluntary choice to eliminate all PE headers from memory-loaded images in the third stage of the malware as well as the rootkit’s driver.

GhostEmperor focus on high-profile targets

The whole attack indicates that the underlying actor achieved to remain under the detector for months. But, the threat actors have conveyed the required level of research to make the Demodex rootkit fully functional on Windows 10.

Well doing this will allow it to load via documented features of a third-party signed and benign driver, as the threat actors of the GhostEmperor have been using strong and sophisticated tools.

Network infrastructure

GhostEmperor has used hosting services based in Hong Kong and South Korea, like Daou Technology or Anchent Asia Limited. And here they are mentioned below:-

• newlylab[.]com
• reclubpress[.]com
• webdignusdata[.]com
• freedecrease[.]com
• aftercould[.]com
• datacentreonline[.]com
• newfreepre[.]com

And here are the IP addresses used by the threat actors:-

• 223.135[.]214
• 148.165[.]158
• 102.114[.]55
• 102.113[.]57
• 102.113[.]240

While GhostEmperor might be a new Chinese cyber-attack group but it has come up with the most sophisticated tools, that made its attack more complicated. Not only this but the group has also used some clever hacker tricks that are repackaging data into fake multimedia formats. 

However, using this trick will help the threat actors a lot, and the traffic of the GhostEmperor malware is normally concealed as RIFF, JPEG, or PNG files that are hard to recognize.

Indicators of compromise

Stage 1 – PowerShell Dropper

012862165EC105A44FEA14FACE53492F – u_ex200822.ps1

Stage 2 – Service DLL

6A44FDD66AB841C33949620666CA847A – RAudioUniConfig.dll
2DD0885F84B890883A396030DB841D28

1BC301AA9B861F762CE5F376228E992A – svchosts.exe

Stage 4

0BBFBA106FBB9E310330DC87C32CB6D1 – Payload DLL
6685323C61D8EDB4A6E35796AF34D626 – Remote Desktop Control DLL

Post-exploitation

BE38D173E4E9118BDC2E83FD5F90BE3B – kekeo.exe
F078AC9B012C503D35254AF9629D3B67 – debugall.vbs

Driver

7394229455151a9cd036383027a1536b