2024-07-25

Reemergence of GhostEmperor with New EDR Evasion Techniques

Level: Tactical | Source: Sygnia
Targeted sectors: Government, Telecommunications

Sygnia's Incident Response team uncovered operations of GhostEmperor, a China-affiliated threat group, in late 2023. The group's reemergence follows a two-year hiatus; Kaspersky researchers first documented it in 2021, when it was known for supply-chain attacks. GhostEmperor has primarily targeted government and telecommunication entities in Southeast Asia. The investigation found the group using a variant of the Demodex rootkit, delivered through multi-stage malware and a range of obfuscation techniques, and Sygnia's analysis singles out an EDR evasion technique that has been added to the group's tooling.

According to Sygnia's malware researcher Dor Nizar, the attack began with Impacket's WMIExec tool executing a batch file on compromised machines, with command output written to a local SMB share. The batch file dropped a CAB file named "1.cab" into C:\Windows\Web and extracted it with the native Windows binary expand.exe. The archive held a service DLL (prints1m.dll), an encrypted PowerShell script (Service.ps1) and two registry dump files (config.REG and AesedMemoryBinX64.REG). The batch file then imported the .REG files, seeding the registry with encrypted values that the later stages read back and decrypt.

The decrypted PowerShell script, run by the batch file, created a new service named "WdiSystem" (a lookalike of the legitimate Diagnostic System Host service, WdiSystemHost) that loads the malicious prints1m.dll. This service DLL is the core component: it resolves the functions it needs dynamically at run time and decrypts its configuration data before proceeding. Persistence rests on the ServiceDll value that prints1m.dll writes under HKLM:\SYSTEM\CurrentControlSet\Services\WdiSystem\Parameters, set to its own path; that value is what makes svchost.exe load the DLL each time the service starts.
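The staging chain above (CAB dropped into C:\Windows\Web, .REG import, svchost-hosted service with a ServiceDll) leaves artifacts that are cheap to sweep for. The following hunt is an added example, not code from Sygnia's report or from the actor's tooling. It assumes Windows 10 / Server 2016 or later and an elevated PowerShell 5.1 session (so the service Parameters keys are readable), and it relies on Get-AuthenticodeSignature honouring catalog signatures, which it does on those versions. The file names come from the report; the comparison against WdiSystemHost (the real Diagnostic System Host service, backed by wdi.dll) is the editor's addition.

```powershell
# Added hunting example, not code from Sygnia's report or from the actor's tooling.
# Assumes Windows 10+/Server 2016+ and an elevated PowerShell 5.1 session.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$dropDir     = Join-Path $env:SystemRoot 'Web'            # C:\Windows\Web in the report
$knownNames  = 'prints1m.dll', '1.cab', 'Service.ps1', 'config.REG', 'AesedMemoryBinX64.REG'

function Get-ServiceDllFindings {
    foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        $paramsKey = Join-Path $svc.PSPath 'Parameters'
        $dll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }                         # not an svchost-hosted service

        # ServiceDll is normally REG_EXPAND_SZ and Get-ItemProperty expands it; expand again in
        # case a reg import wrote it as a plain REG_SZ still containing %SystemRoot%.
        $path   = [Environment]::ExpandEnvironmentVariables($dll)
        $leaf   = Split-Path -Path $path -Leaf
        $sig    = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned or missing>' }
        $msSigned = $sig -and $sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation'

        $reasons = @()
        if (-not $msSigned)        { $reasons += 'ServiceDll is not Microsoft-signed' }
        if ($leaf -in $knownNames) { $reasons += 'filename matches the GhostEmperor dropper' }
        # The real Diagnostic System Host service is WdiSystemHost (wdi.dll); "WdiSystem" is a lookalike.
        if ($svc.PSChildName -like 'WdiSystem*' -and $svc.PSChildName -ne 'WdiSystemHost') {
            $reasons += 'service name mimics WdiSystemHost'
        }
        if ($reasons) {
            [pscustomobject]@{
                Service    = $svc.PSChildName
                ServiceDll = $path
                Signer     = $signer
                Reason     = $reasons -join '; '
            }
        }
    }
}

function Get-DropperArtifacts {
    # Leftovers of the expand.exe / reg import stage. A clean C:\Windows\Web holds only
    # wallpaper and lock-screen images, so archives, scripts, .reg files and DLLs stand out.
    Get-ChildItem -Path $dropDir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in $knownNames -or $_.Extension -in '.cab', '.ps1', '.reg', '.dll' } |
        Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc
}

Get-ServiceDllFindings | Format-Table -AutoSize
Get-DropperArtifacts   | Format-Table -AutoSize
```

The signature check is the durable part of this hunt: file names and the service name are trivially changed between intrusions, but a service DLL that svchost.exe is asked to load and that does not carry a valid Microsoft signature is rare enough on a managed estate to review one by one.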

To evade Endpoint Detection and Response (EDR) solutions, Nizar explains, their analysis found "that the threat actor added an evasion technique to the Service DLL by setting a specific mitigation policy to the process," adding: "the threat actor set up a particular mitigation named 'ProcessSignaturePolicy' which forbids loading DLLs that are not signed by Microsoft to the process. This means that any security solution trying to inject a DLL not signed by Microsoft will fail to do so. This technique helps circumvent analysis tools by limiting user-mode hooking." The policy in question is the Windows Code Integrity Guard mitigation: PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY with MicrosoftSignedOnly set, applied through SetProcessMitigationPolicy. Once set it cannot be cleared for the lifetime of the process, and because it governs only image loads it defeats EDR products that depend on injecting a user-mode hook DLL while leaving kernel-callback and ETW telemetry untouched.
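Both sides of the technique can be shown with the same Win32 calls. The block below is an added example, not code from Sygnia's report or from the actor's Service DLL. It assumes Windows 10 or later and an elevated PowerShell 5.1 session. The enum value (ProcessSignaturePolicy = 8) and the flag layout are those of PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY in the Windows SDK headers; the Win32.Mitigation type name and the function names are the editor's own.

```powershell
# Added example, not code from Sygnia's report or from the actor's Service DLL.
# Assumes Windows 10+ and an elevated PowerShell 5.1 session.

if (-not ('Win32.Mitigation' -as [type])) {
    Add-Type -Namespace Win32 -Name Mitigation -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessMitigationPolicy(IntPtr hProcess, int MitigationPolicy, out uint lpBuffer, IntPtr dwLength);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool SetProcessMitigationPolicy(int MitigationPolicy, ref uint lpBuffer, IntPtr dwLength);
'@
}

$PROCESS_QUERY_INFORMATION = 0x0400
$ProcessSignaturePolicy    = 8          # PROCESS_MITIGATION_POLICY enum value

function ConvertFrom-SignaturePolicy([uint32]$Flags) {
    # Bit layout of PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY.Flags
    [pscustomobject]@{
        MicrosoftSignedOnly      = [bool]($Flags -band 0x01)   # the bit GhostEmperor sets
        StoreSignedOnly          = [bool]($Flags -band 0x02)
        MitigationOptIn          = [bool]($Flags -band 0x04)
        AuditMicrosoftSignedOnly = [bool]($Flags -band 0x08)
        AuditStoreSignedOnly     = [bool]($Flags -band 0x10)
    }
}

function Get-SignaturePolicy([int]$ProcessId) {
    $h = [Win32.Mitigation]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $null }   # protected process or insufficient rights
    try {
        $flags = [uint32]0
        if (-not [Win32.Mitigation]::GetProcessMitigationPolicy($h, $ProcessSignaturePolicy, [ref]$flags, [IntPtr]4)) {
            return $null
        }
        ConvertFrom-SignaturePolicy $flags
    } finally {
        [void][Win32.Mitigation]::CloseHandle($h)
    }
}

function Find-SignedOnlyProcesses {
    # Browser sandbox processes and some Microsoft components enable this legitimately, so
    # compare against a clean baseline; an svchost.exe instance with the bit set is the lead here.
    foreach ($p in Get-Process) {
        $pol = Get-SignaturePolicy -ProcessId $p.Id
        if ($pol -and $pol.MicrosoftSignedOnly) {
            [pscustomobject]@{ PID = $p.Id; Name = $p.ProcessName; Path = $p.Path; AuditOnly = $pol.AuditMicrosoftSignedOnly }
        }
    }
}

function Enable-MicrosoftSignedOnly {
    # Reproduces the actor's call on the current process, for a lab host only: the policy cannot be
    # cleared for the lifetime of the process, and any later load of a DLL that is not Microsoft-signed
    # (an EDR hook DLL, a third-party PowerShell module) fails with ERROR_INVALID_IMAGE_HASH.
    $flags = [uint32]0x1   # MicrosoftSignedOnly
    if (-not [Win32.Mitigation]::SetProcessMitigationPolicy($ProcessSignaturePolicy, [ref]$flags, [IntPtr]4)) {
        throw "SetProcessMitigationPolicy failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
}

Find-SignedOnlyProcesses | Format-Table -AutoSize
```

Run Find-SignedOnlyProcesses as a scheduled sweep or from an EDR live-response console; processes that refuse PROCESS_QUERY_INFORMATION (protected processes) come back as null rather than as findings, which is itself worth listing separately if your estate does not expect PPL outside the known Microsoft set. Enable-MicrosoftSignedOnly is only there to reproduce the behaviour in a throwaway session and confirm that your agent's user-mode component fails to load afterwards while its kernel telemetry continues.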

The Core-Implant, the component of GhostEmperor's arsenal that handles command-and-control (C2) communication, also installs the Demodex kernel rootkit. To get past Driver Signature Enforcement (DSE), which blocks unsigned drivers, GhostEmperor brought along the signed kernel driver dbk64.sys from Cheat Engine, an open-source video-game cheating tool, in a bring-your-own-vulnerable-driver (BYOVD) move. The driver's IOCTL interface allows kernel memory to be read and written from user mode, which the implant used to map shellcode into kernel space and to patch dbk64.sys's own IOCTL dispatch routine, so that a subsequent request ran the shellcode and loaded the unsigned Demodex driver. Analysis of the Core-Implant's metadata also shows that the threat actor altered both the PE compilation timestamp and the export-table timestamp to hide the binary's real build date and frustrate timeline reconstruction.
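Timestamp tampering of the kind described above is cheap to check for because a PE file carries several independent stamps. The parser below is an added DFIR example, not code from Sygnia's report or from the actor's tooling; it is plain PowerShell 5.1 with no external modules, and the offsets follow the PE/COFF specification. It reads the COFF header stamp (the "compilation" time), the export directory stamp (the one the actor also edited) and the first debug directory stamp, and flags files where they disagree or where the build time is impossible. Assumptions: the MSVC linker writes one value into every stamp it emits, and recent Windows system binaries leave the export stamp at 0xFFFFFFFF, which the code treats as "not set".

```powershell
# Added DFIR example, not code from Sygnia's report or from the actor's tooling.
# Pure PowerShell 5.1+ PE parsing; offsets follow the PE/COFF specification.

function Get-PeTimestamps {
    param([Parameter(Mandatory)][string]$Path)

    $b = [IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or [BitConverter]::ToUInt16($b, 0) -ne 0x5A4D) { throw "$Path is not an MZ file" }
    $pe = [BitConverter]::ToInt32($b, 0x3C)                              # e_lfanew
    if ($pe -lt 0 -or $pe + 24 -gt $b.Length -or [BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) {
        throw "$Path has no PE signature"
    }

    $coff       = $pe + 4                                                # IMAGE_FILE_HEADER
    $numSec     = [BitConverter]::ToUInt16($b, $coff + 2)
    $coffStamp  = [BitConverter]::ToUInt32($b, $coff + 8)                # "compilation" timestamp
    $optSize    = [BitConverter]::ToUInt16($b, $coff + 16)
    $opt        = $coff + 20                                             # IMAGE_OPTIONAL_HEADER
    $isPe32Plus = [BitConverter]::ToUInt16($b, $opt) -eq 0x20B
    $dirBase    = $opt + $(if ($isPe32Plus) { 112 } else { 96 })         # DataDirectory[0]
    $secTable   = $opt + $optSize

    $sections = for ($i = 0; $i -lt $numSec; $i++) {
        $s = $secTable + 40 * $i                                         # IMAGE_SECTION_HEADER
        [pscustomobject]@{
            VirtualAddress   = [BitConverter]::ToUInt32($b, $s + 12)
            VirtualSize      = [BitConverter]::ToUInt32($b, $s + 8)
            SizeOfRawData    = [BitConverter]::ToUInt32($b, $s + 16)
            PointerToRawData = [BitConverter]::ToUInt32($b, $s + 20)
        }
    }

    function RvaToOffset([uint32]$Rva) {
        foreach ($s in $sections) {
            $span = [Math]::Max($s.VirtualSize, $s.SizeOfRawData)
            if ($Rva -ge $s.VirtualAddress -and $Rva -lt ($s.VirtualAddress + $span)) {
                return [int]($Rva - $s.VirtualAddress + $s.PointerToRawData)
            }
        }
        return $null
    }

    # TimeDateStamp of a data-directory structure. 0xFFFFFFFF means "not set", which is what
    # recent Windows builds leave in the export directory.
    function DirectoryStamp([int]$Index, [int]$StampOffset) {
        $rva  = [BitConverter]::ToUInt32($b, $dirBase + 8 * $Index)
        $size = [BitConverter]::ToUInt32($b, $dirBase + 8 * $Index + 4)
        if ($rva -eq 0 -or $size -eq 0) { return $null }
        $off = RvaToOffset $rva
        if ($null -eq $off) { return $null }
        $stamp = [BitConverter]::ToUInt32($b, $off + $StampOffset)
        if ($stamp -eq [uint32]::MaxValue) { $null } else { $stamp }
    }

    function ToUtc($Stamp) {
        if ($null -eq $Stamp) { return $null }
        [DateTimeOffset]::FromUnixTimeSeconds([int64]$Stamp).UtcDateTime
    }

    $exportStamp = DirectoryStamp -Index 0 -StampOffset 4   # IMAGE_EXPORT_DIRECTORY.TimeDateStamp
    $debugStamp  = DirectoryStamp -Index 6 -StampOffset 4   # first IMAGE_DEBUG_DIRECTORY.TimeDateStamp
    $present     = @($coffStamp, $exportStamp, $debugStamp | Where-Object { $null -ne $_ })
    $now         = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()

    [pscustomobject]@{
        Path            = $Path
        CoffTime        = ToUtc $coffStamp
        ExportTime      = ToUtc $exportStamp
        DebugTime       = ToUtc $debugStamp
        # The linker writes one value into every stamp it sets, so differing values mean post-link edits.
        StampsDisagree  = @($present | Sort-Object -Unique).Count -gt 1
        # A build time in the future or before PE existed cannot be real. Caveat: /Brepro builds
        # (recent Windows system binaries) store a content hash here, which trips this check too.
        ImplausibleCoff = ($coffStamp -gt $now) -or ($coffStamp -lt 725846400)   # 1993-01-01
        FileCreatedUtc  = (Get-Item -Path $Path).CreationTimeUtc
    }
}

# Run it over every DLL registered as a ServiceDll, where this intrusion's loader sits.
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-ItemProperty -Path (Join-Path $_.PSPath 'Parameters') -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll } |
    Where-Object { $_ } |
    ForEach-Object { Get-PeTimestamps -Path ([Environment]::ExpandEnvironmentVariables($_)) } |
    Where-Object { $_.StampsDisagree -or $_.ImplausibleCoff } | Format-List
```

An actor who edits both the COFF and export stamps, as this one did, will usually keep them consistent, so the debug directory (if it was not stripped) and the first-seen time recorded by EDR or Sysmon telemetry are the comparison points that survive; NTFS creation time is as easy to stomp as the PE header and should be treated as a hint rather than evidence.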