
Ghost Emperor: Chinese-Linked Group Makes a Comeback 2 Years Later


Ghost Emperor, a notorious China-linked hacking group, has made a reappearance with an updated version of its sophisticated Demodex rootkit, as reported by cybersecurity researchers. This group is known for targeting Southeast Asian telecom and government entities and has now incorporated new techniques to enhance its malware arsenal and evade detection.

The latest version of the Demodex infection chain utilized by Ghost Emperor involves multiple stages of malware to ensure stealth execution and persistence while hindering the analysis process. Researchers from Sygnia revealed that the attack begins with the use of WMIExec, a remote execution tool, to run a batch file on the victim’s machine. This batch file drops a CAB file named “1.cab” to C:\Windows\Web, extracts four files, and imports two malicious registry files using legitimate Microsoft tools such as reg.exe and expand.exe.

Once the registry keys are imported, the batch file executes an encrypted PowerShell script to create a new service named “WdiSystem” that loads a malicious Service DLL file. This script also creates a service group named “WdiSystemhost” to disguise the malware process as a legitimate Windows system process within the operating system. The Service DLL dynamically loads necessary functions, accesses the LoadLibraryA function, and deciphers an encrypted configuration containing operational parameters.
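The chain described above leaves a recognisable sequence in process-creation and registry telemetry: a remote WMI execution spawning cmd.exe, expand.exe unpacking a CAB under C:\Windows\Web, reg.exe importing .reg files, a PowerShell child of the batch file, and finally the WdiSystem service and WdiSystemhost svchost group appearing in the registry. The following correlator is an added example written for this article, not code from the article, Sygnia or any vendor; the simplified key=value event format, the sample lines, the field names and the three-rule alert threshold are all constructed assumptions, chosen only to show how the individual indicators can be combined per host rather than alerted on one by one.

```python
"""Per-host correlation of the Demodex-style staging indicators described above.

Added illustration (not from the article). The event format is a constructed
key=value line, NOT a real Sysmon/EDR export; adapt parse_event() to your source.
"""
import re
from collections import defaultdict

# Constructed sample telemetry: ws01 shows the full staging chain, ws02 shows
# benign use of the same legitimate tools (reg.exe query, expand.exe elsewhere).
SAMPLE_EVENTS = [
    r'host=ws01 type=process parent=WmiPrvSE.exe image=cmd.exe cmdline="cmd.exe /c C:\Windows\Temp\run.bat"',
    r'host=ws01 type=process parent=cmd.exe image=expand.exe cmdline="expand.exe C:\Windows\Web\1.cab -F:* C:\Windows\Web"',
    r'host=ws01 type=process parent=cmd.exe image=reg.exe cmdline="reg.exe import C:\Windows\Web\a.reg"',
    r'host=ws01 type=process parent=cmd.exe image=reg.exe cmdline="reg.exe import C:\Windows\Web\b.reg"',
    r'host=ws01 type=process parent=cmd.exe image=powershell.exe cmdline="powershell.exe -File C:\Windows\Web\s.ps1"',
    r'host=ws01 type=registry key="HKLM\SYSTEM\CurrentControlSet\Services\WdiSystem\Parameters\ServiceDll"',
    r'host=ws01 type=registry key="HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\WdiSystemhost"',
    r'host=ws02 type=process parent=explorer.exe image=reg.exe cmdline="reg.exe query HKCU\Software"',
    r'host=ws02 type=process parent=explorer.exe image=expand.exe cmdline="expand.exe C:\Users\jo\driver.cab -F:* C:\Users\jo\drv"',
]

# key=value tokens; values with spaces are double-quoted.
_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one constructed event line into a dict of field -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _TOKEN.finditer(line)}


def rule_hits(ev):
    """Return the set of indicator names this single event satisfies."""
    hits = set()
    kind = ev.get("type")
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    cmd = ev.get("cmdline", "").lower()
    key = ev.get("key", "").lower()
    if kind == "process":
        # WMIExec-style remote execution: WmiPrvSE.exe launching a shell.
        if parent == "wmiprvse.exe" and image == "cmd.exe":
            hits.add("wmi_remote_exec")
        # Legitimate expand.exe unpacking a CAB inside C:\Windows\Web.
        if image == "expand.exe" and "\\windows\\web\\" in cmd and ".cab" in cmd:
            hits.add("cab_expand_windows_web")
        # reg.exe importing a .reg file (as opposed to query/add).
        if image == "reg.exe" and " import " in cmd:
            hits.add("reg_import")
        # PowerShell launched by the batch file's cmd.exe.
        if image == "powershell.exe" and parent == "cmd.exe":
            hits.add("powershell_from_batch")
    elif kind == "registry":
        # ServiceDll registered for the "WdiSystem" service.
        if "\\services\\wdisystem\\" in key and key.endswith("servicedll"):
            hits.add("wdisystem_service_dll")
        # New svchost group named "WdiSystemhost".
        if key.endswith("\\svchost\\wdisystemhost"):
            hits.add("wdisystemhost_svchost_group")
    return hits


def correlate(lines):
    """Map host -> set of distinct indicators seen on that host (hosts with none are omitted)."""
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        per_host[ev.get("host", "unknown")] |= rule_hits(ev)
    return {host: hits for host, hits in per_host.items() if hits}


def flagged_hosts(lines, threshold=3):
    """Hosts whose distinct-indicator count reaches the (assumed) alert threshold."""
    return sorted(h for h, hits in correlate(lines).items() if len(hits) >= threshold)


if __name__ == "__main__":
    for host, hits in correlate(SAMPLE_EVENTS).items():
        print(host, sorted(hits))
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

Each indicator on its own is noisy because reg.exe, expand.exe and PowerShell are all legitimate administrative tools, which is exactly why the actor uses them; requiring several distinct indicators on the same host before alerting keeps the benign ws02 activity out of the result while still catching the staged chain on ws01.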

The incident response team at Sygnia discovered this new variant of the Ghost Emperor malware while investigating a network breach that affected a client and one of its business partners. The malware, compiled in July 2021, resembles the version Kaspersky analyzed in 2021 but includes significant changes to its tactics.

In addition to the updated infection chain, Ghost Emperor has implemented enhanced evasion techniques to avoid detection. One such technique applies a process mitigation policy to its own processes that prohibits loading DLLs not signed by Microsoft, which blocks user-mode hooking by third-party security and analysis tools. The malware also reads encrypted registry keys, decrypts the shellcode, and uses a reflective loader to execute the core-implant DLL.

The researchers identified several new methods employed by Ghost Emperor to evade detection, including EDR evasion, dynamic function loading, encrypted configuration storage, and reflective loading. These techniques make it more challenging for security professionals to analyze and combat the malware effectively.

The Ghost Emperor threat actor group is just one of many Chinese-linked APTs that are demonstrating advanced techniques and evolving capabilities in their cyber operations. This trend has raised concerns among governments, independent researchers, and security firms about the growing threats originating from the region.

Overall, the resurgence of Ghost Emperor with an updated Demodex rootkit highlights the need for continuous vigilance and innovation in cybersecurity to stay ahead of sophisticated threat actors like this China-linked hacking group.
