The Return of Ghost Emperor’s Demodex

Aug. 8, 2024, 11:38 a.m.

Description

This document examines a recent infection chain utilized by the sophisticated China-nexus threat group GhostEmperor. It delves into the multi-stage loading process of the Demodex rootkit, which incorporates several obfuscation techniques and loading schemes. The analysis covers various components, including a batch file, PowerShell script, and malicious service DLL, which ultimately loads a reflective loader and the core implant. The core implant handles command-and-control communication and installs the Demodex kernel rootkit, leveraging Cheat Engine's signed driver to bypass driver signature enforcement.

External References

https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit
https://otx.alienvault.com/pulse/66b4a8094b782626504a1a8f
Tags
rootkit
2024-08-08
demodex
ghost emperor

Date

  • Created: Aug. 8, 2024, 11:12 a.m.
  • Published: Aug. 8, 2024, 11:12 a.m.
  • Modified: Aug. 8, 2024, 11:38 a.m.

Indicators

  • f81a2e8a2a272e0bdae4e267fa220d6d40e23214087f33bdcdab6c7ad10b60b8
  • 193.239.86.168
  • imap.dateupdata.com
Download all indicators here!

Attack Patterns

  • Demodex
  • GhostEmperor

Linked vulnerabilities

CVE-2024-20399

None
Published: