GhostEmperor hackers use new Windows 10 rootkit in attacks

[LASER_oneXM]

Content source

https://www.bleepingcomputer.com/news/security/ghostemperor-hackers-use-new-windows-10-rootkit-in-attacks/

Chinese-speaking cyberspies have targeted Southeast Asian governmental entities and telecommunication companies for more than a year, backdooring systems running the latest Windows 10 versions with a newly discovered rootkit.

The hacking group, dubbed GhostEmperor by Kaspersky researchers who spotted it, use the Demodex rootkit, which acts as a backdoor to maintain persistence on compromised servers.

 

[Andy Ful]

This malware does not use a typical technique of exploiting vulnerable legal drivers. Instead, it abuses the functionality of a signed driver shipped along with legal Cheat Engine:

It abuses features of a legitimate and open-source2 signed driver named dbk64.sys which is shipped along with Cheat Engine, an application created to bypass video game protections and introduce cheats into them. This driver provides capability to write and execute code in kernel space by design, thus allowing it to run arbitrary code in kernel mode.

GhostEmperor: From ProxyLogon to kernel mode

With a long-standing operation, high profile victims, advanced toolset and no affinity to a known threat actor, we decided to dub the threat GhostEmperor.

securelist.com