There has been the discovery of a new Chinese-speaking threat actor who targets Microsoft Exchange vulnerabilities. GhostEmperor was an organization that targeted high-profile targets. A toolset is being used by this Chinese APT group, and it has no resemblances or ties to any recognized threat organizations.

“GhostEmperor” is primarily targeting Southeast Asian government and telecom institutions, according to Kaspersky’s APT Trends Q2 2021 report.

  • In order to acquire remote control over targeted systems, the gang employs a previously undisclosed Windows kernel-mode rootkit.
  • Threat group is employing a loading technique that incorporates a component of an open-source project known as Cheat Engine to bypass Windows Driver Signature Enforcement service
  • Because it has been active since at least July 2020, its sophisticated toolkit is unlike any other known threat actor’s toolkit.
  • A complex multi-stage malware architecture is also used by attackers to gain remote control over the targeted machines, according to the experts consulted.

Kaspersky researchers have revealed several additional ongoing patterns in the APT environment for Q2 in addition to the considerable increase in targeted assaults against Microsoft Exchange servers.

Also read,

Raccoon stealer-as-service : the new target is cryptocurrency
  • Groups of APT hackers are exploiting exploits, such as zero-day vulnerabilities developed by Moses, Pulse Secure assaults, PuzzleMaker flaws, and Exchange server vulnerabilities, to obtain early access to networks.
  • Several APT organizations are upgrading their toolsets, including WildPressure’s macOS-compatible Python malware, as well as launching low-tech assaults, such as CoughingDown, BountyGlad, and Codecov-targeted attacks.

This Chinese APT group and other APT groups are targeting government institutions and commercial companies have been uncovered in recent years. It shows how hackers use weaknesses in order to target new victims. For corporate goods like Microsoft Exchange servers, the deployment of unknown and sophisticated rootkits, like in this case, offers a larger risk than in other cases.