Cyber Threat Report: 'GhostEmperor: From ProxyLogon to kernel mode'

Report Author: SECURELIST by Kaspersky
Publication Date: 2021-09-30
Original Reporting Source:
Attributed to Nation: China
Related Intrusion Sets: GhostEmperor
Victim Sectors: Telecommunications, National Government

Public APT reporting from Kaspersky which outlines the GhostEmperor threat actor, including details of victimology and tooling. GhostEmperor is a sophisticated threat actor that has been targeting Exchange servers, primarily in Southeast Asia, since at least July 2020. The group is notable for its use of a previously unknown Windows kernel mode rootkit, which the researchers dubbed Demodex, and a complex multi-stage malware framework designed to provide remote control over compromised servers. The rootkit is particularly effective at hiding user mode malware artifacts from investigators and security solutions, utilizing an undocumented loading scheme involving the kernel mode component of an open-source project called Cheat Engine to bypass Windows Driver Signature Enforcement.

GhostEmperor's operations have targeted various high-profile entities, including government and telecommunication organizations in countries such as Malaysia, Thailand, Vietnam, Indonesia, Egypt, Afghanistan, and Ethiopia.

Key findings from Kaspersky's investigation reveal that GhostEmperor employs multiple attack vectors to initiate its infection chain, often exploiting vulnerabilities in web applications running on public-facing servers. The infection process involves several stages, starting with a PowerShell dropper and culminating in the deployment of an in-memory implant that communicates with a command-and-control (C2) server. The attackers use a mix of legitimate and open-source tools for post-exploitation activities, including credential harvesting and lateral movement within the network. The group also demonstrated advanced anti-forensic and anti-analysis techniques, such as obfuscation and the use of fake file format headers. This shows a high level of sophistication and a deep understanding of forensic investigation methods. A separate report provides additional technical details.
