Security Market Segment LS
Friday, 01 October 2021 08:11

Researchers reveal details of actor targeting S-E Asian countries Featured

Researchers reveal details of actor targeting S-E Asian countries Image by S. Hermann & F. Richter from Pixabay

Researchers have published details of what they claim is a Chinese-speaking nation-state actor which has been targeting a number of south-east Asian countries for more than a year, using vulnerabilities in Microsoft Exchange as an entry point. The campaign has been given the name GhostEmperor.

Kaspersky's Mark Lechtik, Aseel Kayal, Paul Rascagneres and Vasily Berdnikov wrote in a long blog post — which also included a separate list of technical details — that the actor used a rootkit which had been adapted to work on Windows 10. The rootkit was given the name Demodex.

This was loaded using the kernel mode component of an open source project known as Cheat Engine in order not to be stopped by the Windows Drive Signature Enforcement that has been put in place by Microsoft as a safety valve.

The research is not totally new as Kaspersky announced some basic details back in July. The fleshed out version was presented at the company's annual Security Analyst Summit which was held this week.

The four researchers said attacks had been observed as far back as July 2020. Among the countries targeted were Vietnam, Malaysia, Thailand and Indonesia.

Also on the attackers' list were organisations in Egypt, Ethiopia and Afghanistan, with some of these targets having strong ties to south-east Asian countries.

"This means that the attackers might have leveraged those infections to spy on the activities in countries that are of geopolitical interest to them," the researchers wrote.

GhostEmperor was found to mainly use hosting services based in Hong Kong and South Korea, such as Daou Technology or Anchent Asia.

The researchers gave as one reason for their attribution the attackers use of open-source tools such as Ladon or Mimikat_ssp that are popular among such actors.

"Additional data points such as version info found within the resource section of second stage loader binaries included a legal trademark field with a Chinese character: ‘Windows庐 is a registered trademark of Microsoft Corporation'," they said.

Additionally, some similarities were noticed between Demodex and the Derusbi toolkit which has also been used by Chinese-speaking actors.

"GhostEmperor is an example of an advanced threat actor that goes after prominent targets and aims to maintain a longstanding and persistent operation within their environments," Lechtik, Kayal, Rascagneres and Berdnikov wrote.

"We observed that the underlying actor managed to remain under the radar for months, all the while demonstrating a finesse when it came to developing the malicious toolkit, a profound understanding of an investigator’s mindset and the ability to counter forensic analysis in various ways."

Read 1264 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here


The past year has seen a meteoric rise in ransomware incidents worldwide.

Over the past 12 months, SonicWall Capture Labs threat researchers have diligently tracked the meteoric rise in cyberattacks, as well as trends and activity across all threat vectors, including:

Encrypted threats
IoT malware
Zero-day attacks and more

These exclusive findings are now available via the 2022 SonicWall Cyber Threat Report, which ensures SMBs, government agencies, enterprises and other organizations have the actionable threat intelligence needed to combat the rising tide of cybercrime.

Click the button below to get the report.



It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News