Is GhostEmperor Back? Sygnia Finds Clues in Recent Cyber Incident


GhostEmperor is a threat group first discovered and described by Kaspersky in 2021. It has not been publicly reported on since.

In a late 2023 compromise investigation, Sygnia discovered what it believes to be a variant of the GhostEmperor infection chain leading to the Demodex rootkit – which was first seen and described by Kaspersky in 2021. 

Kaspersky had discovered a cluster of activity employing this rootkit and decided to name the cluster GhostEmperor. Kaspersky made several observations about the actor: ‘highly skilled and accomplished’ with an emphasis on stealth; mostly targeting Southeast Asian telco and government entities; no known affiliations with any other actors; and Chinese speaking. However, there has been no public reporting on possible further GhostEmperor activity since then.

Sygnia’s association of this 2023 compromise with GhostEmperor is largely based on the similarity of the infection chain, the heavy use of stealth techniques, and the use of the same Demodex rootkit. Differences include some alterations in the infection chain and a slightly different C++ DLL variant.

In the new compromise, Sygnia reports that, post-compromise, WMIExec is used to run a batch file that initiates the infection chain. The batch file drops an encrypted CAB file and edits the registry for persistence. Throughout the infection chain, the actor makes heavy use of legitimate Windows tools to increase stealth – just as Kaspersky’s GhostEmperor did in 2021. And as in the earlier case, the final installation of the Demodex kernel rootkit leverages the ‘Cheat Engine’ open source tool originally developed for video game cheating.
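The behaviours in that paragraph (a batch file launched through WMI, a CAB file handled by built-in Windows tools, and a registry edit for persistence) are the kind of thing a detection engineer can look for in endpoint telemetry. The script below is an added example written for this page; it is not code from the article, from Sygnia, or from Kaspersky. It scans constructed, Sysmon-style process-creation and registry-write records. The parent-process check relies on the fact that WMI-created processes (as with WMIExec) are spawned by WmiPrvSE.exe; the CAB tool names (`expand.exe`, `extrac32.exe`, `makecab.exe`) and the registry keys it treats as persistence locations are assumptions, since the article does not name the tools or key the actor used.

```python
"""Added example, not from the article or the vendors it cites: simple
behavioural checks for the reported chain, run over constructed records."""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class Event:
    kind: str                 # "process" (creation) or "registry" (value set)
    host: str
    image: str = ""           # created process, or the process writing the key
    parent_image: str = ""
    command_line: str = ""
    target_object: str = ""   # registry path for "registry" events


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def flag_wmi_batch_launch(ev: Event):
    # WMIExec creates processes via Win32_Process.Create, so the child's parent
    # is WmiPrvSE.exe. Flag cmd.exe started that way with a .bat/.cmd argument.
    if ev.kind != "process" or _basename(ev.parent_image) != "wmiprvse.exe":
        return None
    if _basename(ev.image) != "cmd.exe":
        return None
    cl = ev.command_line.lower()
    if ".bat" in cl or ".cmd" in cl:
        return f"wmi_batch_launch host={ev.host} cmdline={ev.command_line!r}"
    return None


# Assumption: built-in tools an actor could use to unpack a dropped CAB file.
CAB_TOOLS = {"expand.exe", "extrac32.exe", "makecab.exe"}


def flag_cab_handling(ev: Event):
    if ev.kind != "process" or _basename(ev.image) not in CAB_TOOLS:
        return None
    if ".cab" in ev.command_line.lower():
        return (f"lolbin_cab_handling host={ev.host} "
                f"image={_basename(ev.image)} cmdline={ev.command_line!r}")
    return None


# Assumption: common persistence locations; the article names no specific key.
PERSISTENCE_MARKERS = ("\\currentversion\\run", "\\currentcontrolset\\services\\")


def flag_persistence_write(ev: Event):
    if ev.kind != "registry":
        return None
    target = ev.target_object.lower()
    if any(m in target for m in PERSISTENCE_MARKERS) and \
            _basename(ev.image) in {"cmd.exe", "reg.exe"}:
        return (f"registry_persistence host={ev.host} "
                f"writer={_basename(ev.image)} key={ev.target_object}")
    return None


RULES = (flag_wmi_batch_launch, flag_cab_handling, flag_persistence_write)


def scan(events):
    """Apply every rule to every event; return the list of alert strings."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (hostnames, paths and file names are invented).
SAMPLE_EVENTS = [
    Event("process", "WS01", r"C:\Windows\System32\cmd.exe",
          r"C:\Windows\System32\wbem\WmiPrvSE.exe",
          r"cmd.exe /Q /c C:\Windows\Temp\install.bat"),
    Event("process", "WS01", r"C:\Windows\System32\expand.exe",
          r"C:\Windows\System32\cmd.exe",
          r"expand.exe C:\Windows\Temp\pkg.cab -F:* C:\Windows\Temp\out"),
    Event("registry", "WS01", r"C:\Windows\System32\reg.exe",
          target_object=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"),
    # Benign: a user running a build script from Explorer, not via WMI.
    Event("process", "WS02", r"C:\Windows\System32\cmd.exe",
          r"C:\Windows\explorer.exe", r"cmd.exe /c build.bat"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Each rule on its own is noisy in a real environment (administrators extract CAB files and write Run keys too); the value comes from seeing several of these on the same host in a short window, which is why `scan` keeps the host in every alert so the hits can be correlated.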

The fundamentals of this compromise are similar to the original GhostEmperor, but with enough differences that Sygnia suggests it likely, but not certainly, represents the return of GhostEmperor. “Our attribution is mainly based on similarities in the infection chain as well as the utilization of the exact same rootkit that was attributed to GhostEmperor,” Amir Sadon, director of research at Sygnia, told SecurityWeek. “As we have not identified additional unique tools during this investigation, we cannot be certain that this is the very same threat actor, highlighted in 2021. There is the possibility that another threat actor decided to re-use the same rootkit in a different way – but we can neither support nor contradict that.”

The puzzle comes from the time gap between Kaspersky’s report and the new Sygnia report, and the absence of other sightings. GhostEmperor is known to be an accomplished threat actor with a strong emphasis on stealth, yet it is unlikely that it has been active for years while going completely undetected. Certainly, the current compromise is relatively new. “Based on our investigation we can conclude that the initial foothold of this actor within this victim’s network was a few months before our engagement,” continued Sadon. “We have seen evidence of the initiation of the new infection chain in this time frame. We, however, do not know what GhostEmperor has been up to since Kaspersky’s report in 2021.”

Whether this indicates the return of GhostEmperor or the emergence of a new actor sufficiently competent to fill GhostEmperor’s shoes is not clear – but whoever the actor is, it is an additional APT threat coming out of China. Sygnia notes that the primary purpose of this attack was most likely to gain access to the victim’s business partners – that is, to prepare supply chain attacks.

“We are inviting the security community to share intelligence to understand what has changed and what is the result of this time gap,” said Sadon, “whether it is due to a lack of activity from GhostEmperor, or our lack of visibility into GhostEmperor activities.”
