Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

New Chinese Threat Group ‘GhostEmperor’ Targets Governments, Telecom Firms

A previously undocumented Chinese-speaking threat actor is targeting Microsoft Exchange vulnerabilities in an attempt to compromise high-profile victims, Kaspersky reveals.

Tracked as GhostEmperor, the long-running operation focuses on targets in Southeast Asia and uses a formerly unknown Windows kernel-mode rootkit.

A previously undocumented Chinese-speaking threat actor is targeting Microsoft Exchange vulnerabilities in an attempt to compromise high-profile victims, Kaspersky reveals.

Tracked as GhostEmperor, the long-running operation focuses on targets in Southeast Asia and uses a formerly unknown Windows kernel-mode rootkit.

GhostEmperor, Kaspersky explains, employs a loading scheme that relies on a component of the Cheat Engine open-source project, which allows it to bypass the Windows Driver Signature Enforcement mechanism and deploy its rootkit.

During their investigation into the activity, Kaspersky’s security researchers also discovered the use of “a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers.”

According to Kaspersky, the toolset emerged as early as July 2020, with the threat actor targeting various entities in Southeast Asia, including governmental organizations and telecom companies.

Kaspersky identified the GhostEmperor cluster of activity while investigating various campaigns targeting Exchange servers.

This year, numerous threat actors targeted a series of Exchange vulnerabilities that Microsoft publicly disclosed in March, with most of the attacks attributed to Chinese adversaries.

The United States and its allies last week officially accused China of these attacks.

According to Kaspersky, however, GhostEmperor is a completely novel adversary, showing no similarities to known threat actors.

“GhostEmperor is a clear example of how cybercriminals look for new techniques to use and new vulnerabilities to exploit. Using a previously unknown, sophisticated rootkit, they brought new problems to the already well-established trend of attacks against Microsoft Exchange servers,” David Emm, security expert at Kaspersky, said.

Related: New Law Will Help Chinese Government Stockpile Zero-Days

Related: China-Linked APT31 Abuses Hacked Routers in Attacks, France Warns

Related: Scans for Vulnerable Exchange Servers Started 5 Minutes After Disclosure of Flaws

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.