Notorious Chinese Hacker Gang GhostEmperor Re-Emerges After 2 Years

After an extended period underground, the Chinese hackers have added a more sophisticated infection chain and additional EDR evasion techniques.


The mysterious and covert Chinese hacking group GhostEmperor has resurfaced after a two-year hiatus with even more advanced capabilities and evasion techniques.

Initially discovered by Kaspersky Lab in 2021, GhostEmperor was notorious for targeting telecommunications and government entities in Southeast Asia through sophisticated supply chain attacks.

The group's recent activities were uncovered by cybersecurity firm Sygnia, which detailed the group's evolved attack methods in a report released this week. 

A recent investigation by the security firm into a compromised network of an unidentified client revealed that GhostEmperor was behind the breach.

The attackers used the compromised network as a launchpad to infiltrate another victim's systems, an incident that marks the first confirmed GhostEmperor activity since 2021.

Sygnia's investigation found GhostEmperor had updated its well-known Demodex rootkit, a kernel-level tool that grants the highest level of access to the victim's operating system while evading endpoint detection and response (EDR) software.

The updated variant includes a reflective loader to execute the Core-Implant and employs new obfuscation techniques, such as different file names and registry keys. Additionally, the variant analyzed appears to have been compiled in July 2021, indicating it might be a newer version than what Kaspersky originally documented.

Infection Chain, Evasion Techniques

The analysis also noted significant alterations in GhostEmperor's infection chain.

Traditionally, the group gained initial access by exploiting vulnerabilities such as ProxyLogon. A batch file was executed to initiate the infection, deploying various tools that communicated with a set of command-and-control (C2) servers.

In the most recent breach, GhostEmperor employed the WMIExec tool from the Impacket Toolkit to execute commands remotely via Windows Management Instrumentation (WMI), initiating the infection chain on the compromised machine.
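As an added, defender-side illustration of the WMI step described above (not code from the Sygnia report and not Impacket's own code), the Python below runs a simple heuristic over constructed, Sysmon-style process-creation events: any command shell spawned by the WMI provider host is flagged, and those whose command line matches wmiexec's default output redirect to the ADMIN$ share are rated higher. The event field names are a simplified assumption, not a real log schema.

```python
import re

# Constructed sample process-creation events (simplified Sysmon Event ID 1
# fields). These are made up for the example, not data from the report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1720000000.12 2>&1"},
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ipconfig /all"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo hello"},
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WerFault.exe",
     "cmdline": r"WerFault.exe -u -p 1234"},
]

# Impacket's wmiexec, by default, redirects the command's output to a
# timestamp-named file in the ADMIN$ share so it can be read back over SMB.
# This pattern matches that redirect in the child process command line.
WMIEXEC_REDIRECT = re.compile(
    r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\S+\s+2>&1", re.IGNORECASE)

# Shells that the WMI provider host should rarely, if ever, spawn directly.
SHELLS = ("cmd.exe", "powershell.exe")


def classify(event):
    """Return 'high', 'medium' or 'none' for one process-creation event."""
    parent = event["parent"].lower()
    image = event["image"].lower()
    if not parent.endswith(r"\wbem\wmiprvse.exe"):
        return "none"          # not a WMI-spawned process
    if not image.endswith(SHELLS):
        return "none"          # WMI provider spawning a non-shell binary
    if WMIEXEC_REDIRECT.search(event["cmdline"]):
        return "high"          # matches wmiexec's default redirect pattern
    return "medium"            # any shell under WmiPrvSE.exe deserves a look


def detect(events):
    """Return (cmdline, severity) pairs for every event that is flagged."""
    return [(e["cmdline"], classify(e)) for e in events
            if classify(e) != "none"]


if __name__ == "__main__":
    for cmdline, severity in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {cmdline}")
```

Tooling can change the redirect path, so the "medium" tier (any shell under WmiPrvSE.exe) is the more durable signal; the "high" tier only adds confidence.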

The report noted the new infection chain is more sophisticated and stealthier, incorporating additional EDR evasion techniques.

“We are seeing, again and again — especially in this scenario, when we went into the customer's domain — that people are not aware of their environment,” Azeem Aleem, Sygnia's managing director, told The Record, cybersecurity firm Recorded Future's news site. 

GhostEmperor Left a Global Trail

When GhostEmperor was first identified in September 2021, Kaspersky described the group as a highly skilled and sophisticated threat actor, primarily targeting high-profile entities in Southeast Asia, including Malaysia, Thailand, Vietnam, and Indonesia. 

Additional victims included entities in Egypt, Ethiopia, and Afghanistan, indicating a broad and ambitious scope of operations.

The initial discovery by Kaspersky highlighted GhostEmperor's use of multistage malware designed for stealth and persistence, leveraging rootkits and other advanced tools to maintain a foothold in compromised networks.

The group's ability to evade detection and employ complex attack strategies led researchers to categorize them as a state-sponsored actor, given the resources and expertise required to develop and deploy such tools.

Chinese Threat Actors Multiply 

This month alone, Chinese threat actors have been discovered targeting Internet cafes in China in attacks that allow them to execute malicious code with the highest privileges.

The Chinese state-sponsored actor APT40 was discovered exploiting newly discovered software vulnerabilities within hours, targeting organizations globally, including repeated attacks on Australian networks. At the start of the month, the China-backed threat group Velvet Ant was discovered using targeted malware to exploit a vulnerability in Cisco's NX-OS software, which manages a variety of switches.

About the Author

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

