Ghost Emperor Hacker Uses Demodex Rootkit to Attack | Sygnia

Sygnia’s incident-response report details GhostEmperor’s use of a Demodex rootkit variant to penetrate networks, establish persistence, and communicate with C2 servers through a multi-stage infection chain that includes WMI-based execution and reflective loading. The report highlights EDR/defense-evasion techniques, use of LOLBins, kernel-level loading via Cheat Engine’s signed driver, and a revised infection chain with new file names and registry keys. Hashtags: #GhostEmperor #DemodexRootkit #Sygnia #CoreImplant #WMIExec #ProxyLogon

Key points

  • The GhostEmperor threat group is described as a sophisticated China-nexus actor targeting telecoms and government entities, utilizing multi-stage malware for stealth and persistence.
  • Sygnia observed a new GhostEmperor infection chain variant that includes an EDR evasion technique and a reflective loader to execute the Core-Implant, with different file names and registry keys.
  • Initial access often involves exploiting vulnerabilities such as ProxyLogon, followed by a batch-file infection chain to begin payload deployment.
  • The infection starts with WMIExec to run a batch script, which writes logs and launches subsequent stages.
  • LOLBins like reg.exe and expand.exe are used within the batch file to drop and import payloads while remaining under the radar.
  • The PowerShell stage creates a rogue Windows service (WdiSystem) to load prints1m.dll via a service group (WdiSystemhost), masquerading as a legitimate system process.
  • Core-Implant uses a reflective loader to load a kernel rootkit (Demodex) via Cheat Engine’s signed dbk64.sys driver, bypassing driver-signing enforcement.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – “Usually, once the threat group gains initial access to the victim’s network by using vulnerabilities such as ProxyLogon, a batch file is executed to initiate the infection chain.”
  • [T1047] Windows Management Instrumentation – WMIExec is used to execute commands; “the threat actor used this tool to run a batch file, initiating the infection chain on the victim’s compromised machine.”
  • [T1059.003] Windows Command Shell – Batch is launched via cmd.exe: “cmd.exe /Q /c c:\windows\vss\1.bat > \\127.0.0.1\C$\Windows\Temp\[generated_string] 2>&1”
  • [T1112] Modify Registry – The batch file imports registry files to set two registry keys with encrypted values: “reg.exe import [file]”.
  • [T1059.001] PowerShell – Encrypted PowerShell script is decrypted and executed: “The batch file proceeds and executes an encrypted PowerShell script, passing a decryption key as a parameter. This script contains an encrypted blob, which, once decrypted…”
  • [T1543.003] Windows Service – Creates and uses a malicious Windows service to load the core DLL: “Creates a service by invoking the New-Service PowerShell command …” and “Launches the malicious service within a service group.”
  • [T1055] Process Injection – Service DLL loads into memory and uses LoadLibraryA to resolve functions: “loads the modules it requires using the LoadLibraryA function, and traverses each module’s export table…”
  • [T1620] Reflective DLL Injection – The shellcode acts as a reflective loader to load the core-implant: “shellcode consists of a Position-Independent shellcode functioning as a reflective loader…”
  • [T1562.004] Impair Defenses: Disable or Modify Security Tools – The malware sets a mitigation policy (ProcessSignaturePolicy) to forbid loading non-Microsoft-signed DLLs: “forbid loading DLLs that are not signed by Microsoft to the process.”
  • [T1218] Signed Binary Proxy Execution – LOLBins such as reg.exe and expand.exe are used to avoid suspicion: “The Batch file employs several LOLBins such as reg.exe and expand.exe…”
  • [T1055] Process Injection (additional detail) – The loader maps and relocates the core-implant in memory during reflective loading and PE handling: “Relocation of the code and data sections to match the new base address…”

Indicators of Compromise

  • [File] 1.bat – Batch file that initiates the infection chain and payload deployment; extracted from the CAB archive and executed via cmd.exe.
  • [File] 1.cab – CAB archive dropped to C:\Windows\Web containing the initial components.
  • [File] prints1m.dll – Service DLL loaded by the Core-Implant; MD5: 4bb191c6d3a234743ace703d7d518f8f; SHA1: 43f1c44fa14f9ce2c0ba9451de2f7d3dd1a208de
  • [File] service.ps1 – Encrypted PowerShell payload; MD5: 95e3312de43c1da4cc3be8fa47ab9fa4; SHA1: a59cca28205eeb94c331010060f86ad2f3d41882
  • [File] dbk64.sys – Cheat Engine driver used to bypass Driver Signature Enforcement; MD5: d8ebfd26bed0155e7c4ec2ca429c871d; SHA1: bab2ae2788dee2c41065850b2877202e57369f37
  • [Domain] imap.dateupdata[.]com – C2 domain used for command and control.
  • [IP] 193.239.86.168 – C2 IP address.
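The MITRE list and the IoC list above describe an infection chain that leaves a recognisable trail in process-creation telemetry: a cmd.exe child of WmiPrvSE.exe whose output is redirected to a local admin share, reg.exe and expand.exe spawned by the batch file, and a PowerShell stage that creates the WdiSystem service. The following Python is an added detection sketch, not Sygnia’s code. The event records and file paths are constructed for illustration (a real deployment would map Sysmon Event ID 1 or EDR fields onto the same three keys); the hash values are the ones listed in the IoC section, and the rule names are this example’s own.

```python
import re

# Hashes copied from the Indicators of Compromise list above (stored lower-cased).
IOC_HASHES = {
    "4bb191c6d3a234743ace703d7d518f8f": "prints1m.dll (MD5)",
    "43f1c44fa14f9ce2c0ba9451de2f7d3dd1a208de": "prints1m.dll (SHA1)",
    "95e3312de43c1da4cc3be8fa47ab9fa4": "service.ps1 (MD5)",
    "a59cca28205eeb94c331010060f86ad2f3d41882": "service.ps1 (SHA1)",
    "d8ebfd26bed0155e7c4ec2ca429c871d": "dbk64.sys (MD5)",
    "bab2ae2788dee2c41065850b2877202e57369f37": "dbk64.sys (SHA1)",
}

# Shape of the WMIExec launch quoted under T1059.003:
#   cmd.exe /Q /c <target> > \\127.0.0.1\<share>$\<path> 2>&1
WMIEXEC_RE = re.compile(
    r"/Q\s+/c\s.*>\s*\\\\127\.0\.0\.1\\[A-Za-z]+\$\\\S+\s+2>&1", re.IGNORECASE)


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the chain stages an event matches (empty list if none).

    event is a dict with 'parent', 'image' and 'cmdline' keys, as produced by a
    process-creation telemetry source such as Sysmon Event ID 1.
    """
    parent, image = _base(event["parent"]), _base(event["image"])
    cmd = event["cmdline"]
    low = cmd.lower()
    hits = []
    # Stage 1: batch file started through WMI, output redirected to a local admin share.
    if image == "cmd.exe" and parent == "wmiprvse.exe" and WMIEXEC_RE.search(cmd):
        hits.append("wmiexec_launch")
    # Stage 2: LOLBins driven from the batch file, so cmd.exe is the parent.
    if parent == "cmd.exe" and image == "reg.exe" and re.search(r"\bimport\b", low):
        hits.append("reg_import_from_script")
    if parent == "cmd.exe" and image == "expand.exe" and ".cab" in low:
        hits.append("expand_cab_from_script")
    # Stage 3: rogue WdiSystem service. The report says New-Service runs from a
    # decrypted blob, so in practice feed script-block log text (Event ID 4104)
    # through this rule as well as the process command line.
    if "new-service" in low and "wdisystem" in low:
        hits.append("rogue_wdisystem_service")
    return hits


def match_hashes(observed):
    """observed maps file path -> hex digest (MD5 or SHA1); returns IoC matches."""
    return [(path, IOC_HASHES[h.lower()])
            for path, h in observed.items() if h.lower() in IOC_HASHES]


# Constructed sample telemetry (not taken from the report). Event 0 mirrors the
# command quoted in the MITRE section; events 1-3 follow the described stages;
# event 4 is benign. Paths other than those on the page are placeholders.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c c:\windows\vss\1.bat > \\127.0.0.1\C$\Windows\Temp\a1b2c3 2>&1"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe import C:\Windows\Temp\EXAMPLE.reg"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\expand.exe",
     "cmdline": r"expand.exe C:\Windows\Web\1.cab -F:* C:\Windows\Web"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -c New-Service -Name WdiSystem -BinaryPathName EXAMPLE"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir"},
]


def scan(events=SAMPLE_EVENTS):
    """Run classify over every event; return {index: [rules]} for those that fire."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}


if __name__ == "__main__":
    for i, rules in scan().items():
        print(i, SAMPLE_EVENTS[i]["cmdline"], "->", rules)
    print(match_hashes({r"C:\placeholder\prints1m.dll": "4BB191C6D3A234743ACE703D7D518F8F"}))
```

The parent-process conditions are what keep the LOLBin rules quiet on normal hosts: reg.exe import and expand.exe of a CAB are routine on their own, but both spawned by a cmd.exe that was itself started by WmiPrvSE.exe is the sequence the report describes, so correlate the three stage hits on the same host and time window rather than alerting on any one of them.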

Read more: https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/