Security Experts:

New Chinese Threat Group 'GhostEmperor' Targets Governments, Telecom Firms

A previously undocumented Chinese-speaking threat actor is targeting Microsoft Exchange vulnerabilities in an attempt to compromise high-profile victims, Kaspersky reveals.

Tracked as GhostEmperor, the long-running operation focuses on targets in Southeast Asia and uses a formerly unknown Windows kernel-mode rootkit.

GhostEmperor, Kaspersky explains, employs a loading scheme that relies on a component of the Cheat Engine open-source project, which allows it to bypass the Windows Driver Signature Enforcement mechanism and deploy its rootkit.

During their investigation into the activity, Kaspersky’s security researchers also discovered the use of “a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers.”

According to Kaspersky, the toolset emerged as early as July 2020, with the threat actor targeting various entities in Southeast Asia, including governmental organizations and telecom companies.

Kaspersky identified the GhostEmperor cluster of activity while investigating various campaigns targeting Exchange servers.

This year, numerous threat actors targeted a series of Exchange vulnerabilities that Microsoft publicly disclosed in March, with most of the attacks attributed to Chinese adversaries.

The United States and its allies last week officially accused China of these attacks.

According to Kaspersky, however, GhostEmperor is a completely novel adversary, showing no similarities to known threat actors.

“GhostEmperor is a clear example of how cybercriminals look for new techniques to use and new vulnerabilities to exploit. Using a previously unknown, sophisticated rootkit, they brought new problems to the already well-established trend of attacks against Microsoft Exchange servers,” David Emm, security expert at Kaspersky, said.

Related: New Law Will Help Chinese Government Stockpile Zero-Days

Related: China-Linked APT31 Abuses Hacked Routers in Attacks, France Warns

Related: Scans for Vulnerable Exchange Servers Started 5 Minutes After Disclosure of Flaws

view counter