GhostEmperor Threat Group Targets New Flaw in Exchange

From cyware.com

A detailed report has been released by Kaspersky providing information about the new activity linked to GhostEmperor. The threat actor has been recently discovered using a new rootkit and exploiting Exchange vulnerabilities. It has been mostly targeting government and telecom entities in Southeast Asia.

About the attack campaign

GhostEmperor is now using a previously unknown Windows kernel-mode rootkit, named Demodex, along with a sophisticated multi-stage malware framework used for remote control over targeted servers.

  • The group has mostly been observed targeting telecommunication businesses and governmental entities in Southeast Asia, as well as Afghanistan, Ethiopia, and Egypt.
  • Most of the infections were deployed on public-facing servers, including Apache servers, IIS Windows Servers, and Oracle servers.
  • Attackers are suspected of having exploited vulnerabilities in the corresponding web applications.