The Return of Ghost Emperor’s Demodex
Aug. 8, 2024, 11:38 a.m.
Description
This entry summarizes a recent infection chain used by GhostEmperor, a sophisticated China-nexus threat group, and the multi-stage loading process of its Demodex rootkit, which combines several obfuscation techniques and loading schemes. The analysis covers each component in turn: a batch file, a PowerShell script, and a malicious service DLL, which ultimately loads a reflective loader and the core implant. The core implant handles command-and-control communication and installs the Demodex kernel rootkit, loading it through Cheat Engine's legitimately signed driver to bypass Driver Signature Enforcement (a bring-your-own-vulnerable-driver pattern, since the signed driver, not the rootkit, is what the kernel validates).
Date
Published: Aug. 8, 2024, 11:12 a.m.
Created: Aug. 8, 2024, 11:12 a.m.
Modified: Aug. 8, 2024, 11:38 a.m.
Indicators
f81a2e8a2a272e0bdae4e267fa220d6d40e23214087f33bdcdab6c7ad10b60b8
193.239.86.168
imap.dateupdata.com
Attack Patterns
Demodex (malware)
GhostEmperor (threat actor)
T1578 (Modify Cloud Compute Infrastructure)
T1197 (BITS Jobs)
T1497 (Virtualization/Sandbox Evasion)
T1547 (Boot or Logon Autostart Execution)
T1218 (System Binary Proxy Execution)
T1129 (Shared Modules)
T1105 (Ingress Tool Transfer)
T1570 (Lateral Tool Transfer)
T1543 (Create or Modify System Process)
T1132 (Data Encoding)
T1112 (Modify Registry)
T1003 (OS Credential Dumping)
T1059 (Command and Scripting Interpreter)
CVE-2024-20399 (Cisco NX-OS CLI command injection)
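The following is an added example, not part of this entry or of the underlying report, showing how the indicators above and the loading chain in the description translate into triage logic. It runs the three IOCs (SHA256, IP, domain) and a few stage heuristics over constructed Sysmon-style key=value events. The event format, file paths, service name, driver file name and the "Cheat Engine" signer string in the sample are assumptions made for illustration; the driver rule is a deliberately broad heuristic (any kernel driver not signed by Microsoft) and the technique IDs attached to hits are taken from the list above.

```python
"""Added example: match this page's IOCs and loading-chain stages against
constructed Sysmon-style events. Not the report's own tooling."""
import re

# Indicators listed on this page.
IOC_SHA256 = {"f81a2e8a2a272e0bdae4e267fa220d6d40e23214087f33bdcdab6c7ad10b60b8"}
IOC_IPS = {"193.239.86.168"}
IOC_DOMAINS = {"imap.dateupdata.com"}

# Constructed sample events (key=value style), not real telemetry.
# Paths, service name, driver name and signer strings are made up.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\explorer.exe CommandLine="cmd.exe /c C:\Users\Public\update.bat"',
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgA"',
    r'EventID=1 Image=C:\Windows\System32\sc.exe ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="sc create UpdSvc binPath= C:\Windows\System32\svchost.exe -k netsvcs"',
    r'EventID=7 Image=C:\Windows\System32\svchost.exe ImageLoaded=C:\ProgramData\upd.dll Hashes=SHA256=F81A2E8A2A272E0BDAE4E267FA220D6D40E23214087F33BDCDAB6C7AD10B60B8',
    r'EventID=22 Image=C:\Windows\System32\svchost.exe QueryName=imap.dateupdata.com',
    r'EventID=3 Image=C:\Windows\System32\svchost.exe DestinationIp=193.239.86.168 DestinationPort=443',
    r'EventID=6 ImageLoaded=C:\Windows\Temp\drv.sys Signed=true Signature="Cheat Engine" SignatureStatus=Valid',
    r'EventID=22 Image="C:\Program Files\Mozilla Firefox\firefox.exe" QueryName=www.example.com',
    r'EventID=6 ImageLoaded=C:\Windows\System32\drivers\tcpip.sys Signed=true Signature="Microsoft Windows" SignatureStatus=Valid',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value with spaces"


def parse_event(line):
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ioc_hits(ev):
    """Exact hash and IP matches; domain match also covers subdomains of the IOC."""
    hits = []
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", ev.get("Hashes", ""))
    if m and m.group(1).lower() in IOC_SHA256:
        hits.append(("ioc_sha256", m.group(1).lower()))
    if ev.get("DestinationIp") in IOC_IPS:
        hits.append(("ioc_ip", ev["DestinationIp"]))
    name = ev.get("QueryName", "").lower().rstrip(".")
    if any(name == d or name.endswith("." + d) for d in IOC_DOMAINS):
        hits.append(("ioc_domain", name))
    return hits


def chain_hits(ev):
    """Heuristics for the batch -> PowerShell -> service DLL -> signed-driver stages."""
    hits = []
    eid = ev.get("EventID")
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()
    if eid == "1" and image == "powershell.exe" and parent == "cmd.exe" and (
        "-enc" in cmd.split() or "-w hidden" in cmd
    ):
        hits.append(("T1059", "hidden/encoded PowerShell spawned by cmd.exe (batch -> PowerShell stage)"))
    if eid == "1" and image == "sc.exe" and "create" in cmd.split() and "svchost.exe -k" in cmd:
        hits.append(("T1543", "new service hosted by svchost.exe (service DLL stage)"))
    if eid == "7" and image == "svchost.exe":
        loaded = ev.get("ImageLoaded", "").lower()
        if loaded.endswith(".dll") and not loaded.startswith("c:\\windows\\"):
            hits.append(("T1543", "svchost.exe loaded a DLL from outside the Windows directory"))
    # Broad assumption: any kernel driver whose signer is not Microsoft is worth a look;
    # the page names Cheat Engine's signed driver as the DSE bypass vehicle.
    if eid == "6" and "microsoft" not in ev.get("Signature", "").lower():
        hits.append(("byovd", f"third-party signed driver loaded: {ev.get('Signature')}"))
    return hits


def triage(lines):
    """Return per-event findings plus the distinct IOC families and stages seen."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        hits = ioc_hits(ev) + chain_hits(ev)
        if hits:
            findings.append((ev.get("EventID"), hits))
    iocs = {tag for _, hs in findings for tag, _ in hs if tag.startswith("ioc_")}
    stages = {tag for _, hs in findings for tag, _ in hs if not tag.startswith("ioc_")}
    return {"findings": findings, "iocs": sorted(iocs), "stages": sorted(stages)}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for eid, hits in result["findings"]:
        for tag, detail in hits:
            print(f"EventID {eid}: {tag}: {detail}")
    print("IOC families hit:", result["iocs"])
    print("stages observed:", result["stages"])
```

Seeing all three IOC families together with the PowerShell, service and driver stages on one host is a far stronger signal than any single hit; a lone non-Microsoft driver load, in particular, is common on workstations with third-party software and needs the surrounding chain before it is actionable.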