Security News > 2021 > September > GhostEmperor hackers use new Windows 10 rootkit in attacks
Chinese-speaking cyberspies have targeted Southeast Asian governmental entities and telecommunication companies for more than a year, backdooring systems running the latest Windows 10 versions with a newly discovered rootkit.
The hacking group, dubbed GhostEmperor by Kaspersky researchers who spotted it, use the Demodex rootkit, which acts as a backdoor to maintain persistence on compromised servers.
"To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a loading scheme involving a component of an open-source project named 'Cheat Engine',"Kaspersky said in July when it released the first details regarding this threat actor.
GhostEmperor also uses a "Sophisticated multi-stage malware framework" that allows the attackers with remote control capabilities over breached devices to provide remote control over the attacked servers.
"The attackers conducted the required level of research to make the Demodex rootkit fully functional on Windows 10, allowing it to load through documented features of a third-party signed and benign driver."
Further technical details regarding GhostEmperor's tactics and the Demodex rootkit can be found in Kaspersky's deep dive and report.
News URL
Related news
- Lazarus Hackers Exploited Windows Kernel Flaw as Zero-Day in Recent Attacks (source)
- Hackers steal Windows NTLM authentication hashes in phishing attacks (source)
- Russian APT28 Hackers Targeting High-Value Orgs with NTLM Relay Attacks (source)
- Hackers steal data of 2 million in SQL injection, XSS attacks (source)
- Windows 10 KB5034763 update released with new fixes, changes (source)
- Hackers used new Windows Defender zero-day to drop DarkMe malware (source)
- Microsoft, OpenAI Warn of Nation-State Hackers Weaponizing AI for Cyber Attacks (source)
- Chinese Hackers Using Deepfakes in Advanced Mobile Banking Malware Attacks (source)
- North Korean hackers linked to defense sector supply-chain attack (source)
- Iran and Hezbollah Hackers Launch Attacks to Influence Israel-Hamas Narrative (source)