Security News > 2021 > September > GhostEmperor hackers use new Windows 10 rootkit in attacks

GhostEmperor hackers use new Windows 10 rootkit in attacks
2021-09-30 17:34

Chinese-speaking cyberspies have targeted Southeast Asian governmental entities and telecommunication companies for more than a year, backdooring systems running the latest Windows 10 versions with a newly discovered rootkit.

The hacking group, dubbed GhostEmperor by Kaspersky researchers who spotted it, use the Demodex rootkit, which acts as a backdoor to maintain persistence on compromised servers.

"To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a loading scheme involving a component of an open-source project named 'Cheat Engine',"Kaspersky said in July when it released the first details regarding this threat actor.

GhostEmperor also uses a "Sophisticated multi-stage malware framework" that allows the attackers with remote control capabilities over breached devices to provide remote control over the attacked servers.

"The attackers conducted the required level of research to make the Demodex rootkit fully functional on Windows 10, allowing it to load through documented features of a third-party signed and benign driver."

Further technical details regarding GhostEmperor's tactics and the Demodex rootkit can be found in Kaspersky's deep dive and report.


News URL

https://www.bleepingcomputer.com/news/security/ghostemperor-hackers-use-new-windows-10-rootkit-in-attacks/