Security researchers at Kaspersky discovered a previously undocumented cyberespionage campaign that uses vulnerabilities in Microsoft Exchange email software in attacks targeting high-profile victims in Southeast Asia, including government entities and telecom companies.
Dubbed GhostEmperor, the Chinese-speaking threat actor has been observed using a never-before-seen Windows kernel-mode rootkit that provides remote access to target servers.
GhostEmperor leverages a loading scheme involving a component of an open-source project named “Cheat Engine,” which allows them to bypass the Windows Driver Signature Enforcement mechanism. This advanced toolset, which has been in use since at least July 200, is unique, Kaspersky says, and bears no similarity to already known threat actors.
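Because the rootkit described above is loaded by sidestepping Driver Signature Enforcement, a defender's first triage question is which kernel drivers are running on a host and whether each one carries a valid signature. The following PowerShell script is an added example, not code from Kaspersky or from the GhostEmperor report: it inventories running drivers via WMI, verifies each file's Authenticode signature, and checks the boot configuration for the test-signing setting that weakens DSE. The function names `Get-SuspiciousDriver` and `Test-TestSigningEnabled` are this example's own.

```powershell
# Added example (not Kaspersky's code): list running kernel drivers, flag those whose
# Authenticode signature is missing or invalid, and report whether test-signing
# (which relaxes Driver Signature Enforcement) is enabled. Run from an elevated prompt.

function Get-SuspiciousDriver {
    [CmdletBinding()]
    param()

    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # Normalise the path forms WMI reports: \??\C:\..., \SystemRoot\..., or plain C:\...
        $path = $d.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [PSCustomObject]@{
            Name    = $d.Name
            Path    = $path
            Status  = $sig.Status                 # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer  = $sig.SignerCertificate.Subject
            Flagged = ($sig.Status -ne 'Valid')   # anything not Valid deserves a closer look
        }
    }
}

function Test-TestSigningEnabled {
    # bcdedit prints a "testsigning Yes" line when the boot entry allows test-signed drivers
    $out = & bcdedit.exe /enum '{current}' 2>$null
    return [bool]($out -match '^\s*testsigning\s+Yes')
}

# Usage: print only the flagged drivers, then warn if DSE has been relaxed on this host.
$report = Get-SuspiciousDriver
$report | Where-Object Flagged | Format-Table Name, Status, Signer, Path -AutoSize
if (Test-TestSigningEnabled) {
    Write-Warning 'Test-signing is enabled on this host; Driver Signature Enforcement is weakened.'
}
```

Treat the output as a triage list rather than a verdict: on some older PowerShell builds, inbox drivers that are signed only through a catalog file can show as NotSigned, so confirm a flagged driver against the vendor's catalog before acting on it. A driver loaded through a DSE bypass, as the article describes, will typically stand out either as unsigned or as signed by a certificate unrelated to the host's expected vendors, and a test-signing flag that nobody deliberately set is itself worth investigating.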
“As detection and protection techniques evolve, so do APT actors,” said David Emm, security expert at Kaspersky. “They typically refresh and update their toolsets. GhostEmperor is a clear example of how cybercriminals look for new techniques to use and new vulnerabilities to exploit. Using a previously unknown, sophisticated rootkit, they brought new problems to the already well-established trend of attacks against Microsoft Exchange servers.”