Chinese-Speaking Threat Actor Using Unknown Rootkit in Targeted Attacks

Discussion in 'malware problems & news' started by mood, Jul 30, 2021.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,788
    Chinese-Speaking Threat Actor Using Unknown Rootkit in Targeted Attacks
    Security vendor says it first spotted 'GhostEmperor' when investigating attacks targeting Microsoft Exchange flaws.
    July 29, 2021

    https://www.darkreading.com/attacks...tor-using-unknown-rootkit-in-targeted-attacks
    Kaspersky: GhostEmperor APT targets high-profile victims using unknown rootkit
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    OK so "Windows Driver Signature Enforcement" isn't good enough to block rootkits?
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,777
    Location:
    U.S.A. (South)
    Good question. Of all the RAW Windows little security preventions this another one of even more importance.
    Never thought I would read or see of anymore rootkits after PatchGuard and x64bit was introduced but then it looks like nothing is really nor can be made 100% foolproof with the current coding. Which is how many years old now?
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    This is not the first time these gamer cheat hack tools have been able to access kernel mode code. Assume this cheat engine hack tool allows access to its driver code. The attacker exploit this and used the legit driver to drop his rootkit.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    Yes it's a bit tricky, PatchGuard is good, but not good enough. So once a rootkit is installed, it's probably game over. Now that I think about it, would be nice to know which AV's are good at catching already installed rootkits, in other words malicious drivers.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    As long as you have Hyper-visor code integrity; i.e. memory integrity, enabled: https://www.bleepingcomputer.com/ne...g-new-windows-10-kdp-anti-malware-protection/ , rootkits are pretty well nutered. I saw this first hand with a very nasty rootkit I had. Once I was able to enable HVCI, the rootkit activity stopped; at least the nasty part of what it was doing.

    The big thing currently are bootkits that infect the UEFI.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,789
    Location:
    The Netherlands
    Cool, didn't know about this stuff, so at least M$ is finally trying to do something about it. I wish they also came up with a way to block malware from unhooking security tools. Of course I'm then talking about user mode hooks. I believe HMPA added some type of protection against it, but they removed it for now, because it caused certain problems.

    https://blogs.blackberry.com/en/2017/02/universal-unhooking-blinding-security-software
     
  8. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    686
    Location:
    Island of Woman
    @itman if you import HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1

    you get a bsod at startup if you have shadow defender installed, attachaded image, its not mine but its the same

    tweaks to dabble with (you have option to set it "locked", off in this code) if you don't have SD are
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
     

    Attached Files:

  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,400
    Location:
    U.S.A.
    Personally, I wouldn't advise fooling around with these settings since they are set dynamically at boot time in Win 10 based of your existing hardware configuration.
     
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,788
    Chinese espionage group deploys new rootkit compatible with Windows 10 systems
    September 30, 2021
    https://therecord.media/chinese-esp...w-rootkit-compatible-with-windows-10-systems/
    Technical report: "GhostEmperor’s infection chain and post-exploitation toolset"
    (PDF): https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/30094337/GhostEmperor_technical-details_PDF_eng.pdf
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.