EXECUTIVE SUMMARY
A recently investigated breach revealed that the Chinese threat group GhostEmperor has resurfaced with more advanced capabilities and evasion techniques. The group's latest activity was documented in a detailed report on its evolved attack methods. The attackers used the compromised network as a launchpad to infiltrate a second victim's systems, the first confirmed GhostEmperor activity in roughly two years. The investigation indicated that GhostEmperor has updated its well-known Demodex rootkit, a kernel-mode implant that grants the highest level of access to the victim's operating system while evading endpoint detection and response (EDR) software.
Analysis of the compromised network revealed significant changes to GhostEmperor's infection chain and tooling. The group traditionally gained initial access by exploiting vulnerabilities such as ProxyLogon, then ran a batch file to start the infection and deployed a set of tools to communicate with command-and-control (C2) servers. In the recent breach, GhostEmperor instead used WMIExec from the Impacket toolkit to execute commands remotely over Windows Management Instrumentation (WMI), which started the infection chain on the compromised host. The updated Demodex variant now includes a reflective loader that executes the Core-Implant in memory and uses new obfuscation, including changed file names and registry keys. Its multi-stage loaders and evasion techniques, among them a process mitigation policy that blocks the loading of non-Microsoft-signed DLLs (a common way to keep a security product's user-mode hooks out of the implant's process), demonstrate the group's enhanced capabilities and its commitment to stealth and persistence.
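The WMIExec execution step above leaves a recognisable trace in process-creation telemetry: Impacket's wmiexec.py runs each command through cmd.exe under the WMI provider host (WmiPrvSE.exe) and redirects the output to a timestamped file on the ADMIN$ share so it can read the result back over SMB. The following hunting script is an added example, not code from the report or from the threat actor; it scores constructed Sysmon Event ID 1 style records (the paths, user name and command lines are made up for illustration) and flags the full wmiexec redirection pattern as high confidence and any other WMI-spawned shell, such as a batch file launched over WMI, as medium confidence.

```python
"""Hunt for Impacket wmiexec-style execution in process-creation telemetry.

Added example. The event records below are constructed, not from the report.
"""
import ntpath
import re

# wmiexec.py wraps each command as:
#   cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<unix timestamp> 2>&1
# The output file name is "__" followed by time.time(), hence the optional
# fractional part in the regex.
WMIEXEC_RE = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+.+?\s+1>\s*\\\\(?:127\.0\.0\.1|localhost)"
    r"\\ADMIN\$\\__\d+(?:\.\d+)?\s+2>&1",
    re.IGNORECASE,
)

# Interpreters that WmiPrvSE.exe has no legitimate reason to spawn on most hosts.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def classify(event: dict) -> str:
    """Return 'high', 'medium' or 'none' for one process-creation record."""
    # ntpath handles Windows separators regardless of the analyst's platform.
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    cmdline = event.get("CommandLine", "")

    if parent != "wmiprvse.exe":
        return "none"
    if WMIEXEC_RE.search(cmdline):
        return "high"      # textbook wmiexec output redirection to ADMIN$
    if child in SHELLS:
        return "medium"    # shell spawned over WMI without the redirect
    return "none"


def hunt(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (level, user, command line) for every event scoring above 'none'."""
    hits = []
    for ev in events:
        level = classify(ev)
        if level != "none":
            hits.append((level, ev.get("User", "?"), ev.get("CommandLine", "")))
    return hits


# Constructed sample telemetry (hypothetical host, user and paths).
SAMPLE_EVENTS = [
    {   # remote command via wmiexec: parent is the WMI provider host
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1718012345.6789 2>&1",
        "User": r"CORP\svc_backup",
    },
    {   # benign interactive shell started from Explorer
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c dir",
        "User": r"CORP\alice",
    },
    {   # batch file launched over WMI, no output redirect
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "C:\ProgramData\update.bat"',
        "User": r"CORP\svc_backup",
    },
]

if __name__ == "__main__":
    for level, user, cmd in hunt(SAMPLE_EVENTS):
        print(f"[{level:<6}] {user}: {cmd}")
```

In production the medium-confidence rule needs an allow-list for management agents that legitimately run scripts through WMI, and the records should come from Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled; without command-line logging the high-confidence rule has nothing to match.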
GhostEmperor's resurgence after a two-year hiatus, with upgraded capabilities and evasion techniques, underscores the persistent and evolving threat posed by state-sponsored actors. Researchers described GhostEmperor as a highly skilled and sophisticated threat actor that primarily targets high-profile entities in Southeast Asia. The group's ability to evade detection and run complex, multi-stage intrusions led researchers to assess it as state-sponsored, given the resources and expertise required to develop and deploy such tooling. The recent breach confirms that GhostEmperor continues to refine its toolset and methods and remains a significant threat to the organizations it targets. Its re-emergence highlights the need for continuous vigilance and for defensive measures that can detect kernel-level and in-memory tradecraft. As Chinese threat actors such as GhostEmperor, APT40 and Velvet Ant continue to evolve and expand their operations globally, organizations must stay informed and proactive in their security strategies to protect their networks and sensitive information.
THREAT PROFILE:
| Tactic | Technique ID | Technique |
|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application |
| Execution | T1047 | Windows Management Instrumentation |
| Persistence | T1053 | Scheduled Task/Job |
| Persistence | T1543 | Create or Modify System Process |
| Persistence | T1037 | Boot or Logon Initialization Scripts |
| Defense Evasion | T1218 | Signed Binary Proxy Execution |
| Defense Evasion | T1562 | Impair Defenses |
| Defense Evasion | T1574 | Hijack Execution Flow |
| Defense Evasion | T1055 | Process Injection |
| Defense Evasion | T1112 | Modify Registry |
| Defense Evasion | T1202 | Indirect Command Execution |
| Credential Access | T1003 | OS Credential Dumping |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1012 | Query Registry |
| Discovery | T1046 | Network Service Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1124 | System Time Discovery |
| Discovery | T1518 | Software Discovery |
| Lateral Movement | T1021 | Remote Services |
| Lateral Movement | T1563 | Remote Service Session Hijacking |
| Collection | T1005 | Data from Local System |
| Collection | T1074 | Data Staged |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1095 | Non-Application Layer Protocol |
| Command and Control | T1105 | Ingress Tool Transfer |
| Command and Control | T1573 | Encrypted Channel |
| Impact | T1489 | Service Stop |
| Impact | T1490 | Inhibit System Recovery |
REFERENCES:
The following report contains further technical details:
https://www.darkreading.com/threat-intelligence/notorious-chinese-hacker-gang-re-emerges-after-two-years