Kaspersky has released a detailed report on new activity linked to GhostEmperor. The threat actor was recently discovered using a new rootkit and exploiting Exchange vulnerabilities, and has mostly been targeting government and telecom entities in Southeast Asia.
About the attack campaign
GhostEmperor is now using a previously undiscovered Windows kernel-mode rootkit, named Demodex, together with a sophisticated multi-stage malware framework used for remote control of targeted servers.
- The group has mostly been observed targeting telecommunication businesses and governmental entities in Southeast Asia, as well as in Afghanistan, Ethiopia, and Egypt.
- Most of the infections were deployed on public-facing servers, including Apache servers, Windows IIS servers, and Oracle servers.
- The attackers are suspected to have exploited vulnerabilities in the web applications running on those servers.