Jump to content
  • GhostEmperor Threat Group Targets New Flaw in Exchange

    aum

    • 1 comment
    • 535 views
    • 2 minutes
     Share


    • 1 comment
    • 535 views
    • 2 minutes

    A detailed report has been released by Kaspersky providing information about the new activity linked to GhostEmperor. The threat actor has been recently discovered using a new rootkit and exploiting Exchange vulnerabilities. It has been mostly targeting government and telecom entities in Southeast Asia.

     

    About the attack campaign


    GhostEmperor is now using an undiscovered Windows kernel-mode rootkit, named Demodex, along with a sophisticated multi-stage malware framework used for remote control over targeted servers.

     

    • The group is mostly has been observed targeting telecommunication businesses and governmental entities in Southeast Asia, as well as Afghanistan, Ethiopia, and Egypt.

     

    • Most of the infections were deployed on public-facing servers, including Apache servers, IIS Windows Servers, and Oracle servers. 

     

    • Attackers are suspected to have exploited the vulnerabilities in the corresponding web applications.

     

    How do they operate?


    After gaining access to the targeted systems, the attackers have used a mix of custom and open-source offensive toolsets to gather user credentials and target other systems in the network. 

     

    • The group evades the Windows Driver Signature Enforcement by using an undocumented loading scheme using the kernel-mode component of Cheat Engine (an open-source project).

     

    • GhostEmperor has used obfuscation and anti-analysis tactics to make it challenging for analysts to examine the malware.

     

    Use of post-exploitation tools

     

    • The used tools include common utilities developed by the Sysinternals suite for controlling processes (PsExec, ProcDump, and PsList), along with BITSAdmin, CertUtil, and WinRAR. 

     

    • Furthermore, the attackers used open-source tools such as Get-PassHashes[.]ps1, Token[.]exe, Ladon, and mimkat_ssp as well. For internal network reconnaissance/communication they used Powercat/NBTscan.

     

    Conclusion


    The use of anti-forensic techniques and a wide variety of toolsets indicate that the GhostEmperor group possesses sound knowledge of and access to advanced infrastructure to operate. To stay protected, organizations are recommended to implement multi-layered security architecture of reliable anti-malware, firewalls, Host-based Intrusion Detection Systems (HIDS), and Intrusion Prevention Systems (IPS). 

     

    Source


    User Feedback

    Recommended Comments



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...