According to Kaspersky, a previously unknown Chinese-speaking threat actor is targeting Microsoft Exchange vulnerabilities in an attempt to compromise high-profile victims.
The long-running operation known as GhostEmperor concentrates on Southeast Asian targets and employs a previously unknown Windows kernel-mode rootkit.
According to Kaspersky, GhostEmperor uses a loading technique that relies on a component of the Cheat Engine open-source project to get around Windows Driver Signature Enforcement and install its rootkit.
Kaspersky security researchers uncovered the use of “a sophisticated multi-stage malware framework targeted at allowing remote control over the infected machines” during their investigation into the activity.
The toolset first appeared in July 2020, with the threat actor targeting various entities in Southeast Asia, including governmental organisations and telecom companies, according to Kaspersky.
While looking into numerous campaigns targeting Exchange servers, Kaspersky discovered the GhostEmperor cluster of activity.
Several threat actors targeted a set of Exchange vulnerabilities that Microsoft publicly reported in March this year, with the majority of the attacks being attributed to Chinese adversaries.
Last Monday, the US and its allies publicly accused China of the attacks.
GhostEmperor, on the other hand, is a wholly new adversary, according to Kaspersky, with no resemblance to established threat actors.
“GhostEmperor is a great example of how fraudsters are always looking for new ways to exploit weaknesses and new strategies to deploy. They added additional issues to the already well-established trend of assaults against Microsoft Exchange servers by using a previously unknown, sophisticated rootkit,” said David Emm, a security analyst at Kaspersky.