Chinese-Speaking Threat Actor Using Unknown Rootkit in Targeted Attacks Security vendor says it first spotted 'GhostEmperor' when investigating attacks targeting Microsoft Exchange flaws. July 29, 2021 https://www.darkreading.com/attacks...tor-using-unknown-rootkit-in-targeted-attacks Kaspersky: GhostEmperor APT targets high-profile victims using unknown rootkit
Good question. Of all the RAW Windows little security preventions this another one of even more importance. Never thought I would read or see of anymore rootkits after PatchGuard and x64bit was introduced but then it looks like nothing is really nor can be made 100% foolproof with the current coding. Which is how many years old now?
This is not the first time these gamer cheat hack tools have been able to access kernel mode code. Assume this cheat engine hack tool allows access to its driver code. The attacker exploit this and used the legit driver to drop his rootkit.
Yes it's a bit tricky, PatchGuard is good, but not good enough. So once a rootkit is installed, it's probably game over. Now that I think about it, would be nice to know which AV's are good at catching already installed rootkits, in other words malicious drivers.
As long as you have Hyper-visor code integrity; i.e. memory integrity, enabled: https://www.bleepingcomputer.com/ne...g-new-windows-10-kdp-anti-malware-protection/ , rootkits are pretty well nutered. I saw this first hand with a very nasty rootkit I had. Once I was able to enable HVCI, the rootkit activity stopped; at least the nasty part of what it was doing. The big thing currently are bootkits that infect the UEFI.
Cool, didn't know about this stuff, so at least M$ is finally trying to do something about it. I wish they also came up with a way to block malware from unhooking security tools. Of course I'm then talking about user mode hooks. I believe HMPA added some type of protection against it, but they removed it for now, because it caused certain problems. https://blogs.blackberry.com/en/2017/02/universal-unhooking-blinding-security-software
@itman if you import HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 you get a bsod at startup if you have shadow defender installed, attachaded image, its not mine but its the same tweaks to dabble with (you have option to set it "locked", off in this code) if you don't have SD are Spoiler reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
Personally, I wouldn't advise fooling around with these settings since they are set dynamically at boot time in Win 10 based of your existing hardware configuration.
Chinese espionage group deploys new rootkit compatible with Windows 10 systems September 30, 2021 https://therecord.media/chinese-esp...w-rootkit-compatible-with-windows-10-systems/ Technical report: "GhostEmperor’s infection chain and post-exploitation toolset" (PDF): https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf
