Chinese Threat Actors Spy On Windows 10 Users, Reports Kaspersky

The campaign dates back to March 2020.


An unnamed Chinese-speaking threat actor has been linked to a long-running, evasive campaign targeting South East Asian victims. The campaign dates back to July 2020 and deploys a kernel-mode rootkit on breached Windows devices. Kaspersky has named the group's activity GhostEmperor and says the group deployed a "sophisticated multi-stage malware framework" that provides persistence and remote control over the victim host.

Kaspersky has named the rootkit Demodex. Its findings indicate that infections have spread across various high-profile organizations in Malaysia, Vietnam, Indonesia, and Thailand, with outliers in Egypt, Afghanistan and Ethiopia. The threat actors use the Demodex toolkit to hide user-mode malware artefacts from analysts and security agencies, and they rely on a surprisingly well-built, undocumented loading scheme that involves a kernel-mode component of the open-source project Cheat Engine to bypass the Windows Driver Signature Enforcement feature.

Experts observed that GhostEmperor infections leverage multiple access paths that end in the deployment of malware in memory, exploiting known vulnerabilities in servers such as Apache, Oracle, Microsoft Exchange and Windows IIS, including the ProxyLogon exploits that surfaced in March 2021. The purpose was to gain an initial foothold and then move laterally into other parts of the target's network, including machines running earlier versions of Windows 10.

After a successful breach, the selected infection chains that deployed the toolkits were executed remotely from a different system on the same network using legitimate software such as PsExec or WMI, resulting in the execution of an in-memory implant that could install additional payloads at run time. The Hacker News reports: "disclosure comes as a China-linked threat actor codenamed TAG-28 has been discovered as being behind intrusions against Indian media and government agencies such as The Times Group, the Unique Identification Authority of India (UIDAI), and the police department of the state of Madhya Pradesh."
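The remote-execution step described above (PsExec or WMI launching an implant from another host on the same network) leaves traces that defenders can look for in Windows process-creation and service-installation events. The script below is an added example and is not code from the article or from Kaspersky's report: it runs three simple rules over constructed event records written in a simplified key=value form modelled on Event ID 4688 / Sysmon 1 (process creation) and System Event ID 7045 (service installed). The field names, hostnames, users and paths are assumptions of this example, not any vendor's schema.

```python
"""Flag PsExec- and WMI-style remote execution in constructed Windows event samples.

Added example, not part of the article or Kaspersky's GhostEmperor report.
Records are a simplified 'key=value key=value' form; field names are an
assumption of this example.
"""
from dataclasses import dataclass

# Children that WmiPrvSE.exe (the WMI provider host) rarely spawns on a
# normal workstation; a match is worth triage, not proof of compromise.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe", "regsvr32.exe"}

# Constructed sample events (hosts, users and paths are invented).
SAMPLE_EVENTS = [
    "id=7045 host=WS-01 service=PSEXESVC image=C:\\Windows\\PSEXESVC.exe",
    "id=4688 host=WS-01 parent=C:\\Windows\\PSEXESVC.exe "
    "image=C:\\Windows\\System32\\cmd.exe user=CORP\\svc-admin",
    "id=4688 host=WS-02 parent=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe "
    "image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe user=CORP\\svc-admin",
    "id=4688 host=WS-02 parent=C:\\Windows\\explorer.exe "
    "image=C:\\Windows\\System32\\notepad.exe user=CORP\\alice",
    # Negative case: WmiPrvSE child that is not in SHELL_CHILDREN.
    "id=4688 host=WS-03 parent=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe "
    "image=C:\\Windows\\System32\\wbem\\WMIC.exe user=CORP\\bob",
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value ...' record into a dict (values have no spaces)."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines) -> list:
    """Apply the three rules and return a Finding per matching event, in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "?")
        image = basename(ev.get("image", ""))
        if ev.get("id") == "7045":
            # PsExec installs a service named PSEXESVC on the remote host.
            if ev.get("service", "").upper() == "PSEXESVC" or image == "psexesvc.exe":
                findings.append(Finding(host, "psexec_service_install", ev.get("image", "")))
        elif ev.get("id") == "4688":
            parent = basename(ev.get("parent", ""))
            if parent == "psexesvc.exe":
                # Anything launched by the PsExec service was started remotely.
                findings.append(Finding(host, "psexec_child_process", image))
            elif parent == "wmiprvse.exe" and image in SHELL_CHILDREN:
                # WMI-driven remote execution shows up as WmiPrvSE spawning a shell.
                findings.append(Finding(host, "wmi_spawned_shell", image))
    return findings


def hosts_with_remote_exec(findings) -> set:
    """Hosts that should be pivoted on first during triage."""
    return {f.host for f in findings}


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.rule:24} {f.detail}")
    print("hosts:", sorted(hosts_with_remote_exec(detect(SAMPLE_EVENTS))))
```

The rules are deliberately narrow: a PSEXESVC service install or a PSEXESVC child process is almost always a human-driven remote execution, while WmiPrvSE spawning a shell has some legitimate uses (management agents), so the WMI rule is scoped to a short list of interpreter and LOLBin names rather than every child process. The last sample event shows the negative case the allowlist is meant to leave alone.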