GhostEmperor: From ProxyLogon to Kernel Mode, Story of a Modern Day Rootkit
Mark Lechtik, Aseel Kayal, Paul Rascagnères, Vasiliy Berdnikov
Kaspersky
Abstract:
With the public disclosure of the ProxyLogon vulnerability earlier this year, multiple attackers got a unique opportunity to gain a foothold on unpatched Exchange servers in the wild. This led to a surge of attacks on behalf of APT groups against formerly uncharted organizational territories, all the while granting us a unique insight into the activity of some advanced and lesser-known threat actors.
One such unique cluster of activity stood out, particularly for its usage of a formerly unknown Windows kernel mode rootkit and a sophisticated multi-stage malware framework. The former has been shown to be effective against the latest Windows 10 systems, leveraging a novel method of bypassing the Driver Signature Enforcement mechanism. In turn, the actor was capable of operating with a low signature, maintaining a considerable degree of stealth and thwarting the process of forensic investigation.
Dubbed GhostEmperor, the observed actor has proven to represent a cluster of more capable and advanced culprits operating under the Chinese-speaking nexus of cyber espionage. In this talk, we will describe the actor’s profile and dissect its infection chain, advanced tools and techniques for remaining under the radar, while noting its operational goals and its set of affected high-profile targets.
Speakers
Senior Security Researcher
Security Researcher
Senior Security Researcher
Security Researcher