The Return of Ghost Emperor’s Demodex

Aug. 8, 2024, 11:38 a.m.

Tags
rootkit
2024-08-08
demodex
ghost emperor
External References
Description

This document examines a recent infection chain utilized by the sophisticated China-nexus threat group GhostEmperor. It delves into the multi-stage loading process of the Demodex rootkit, which incorporates several obfuscation techniques and loading schemes. The analysis covers various components, including a batch file, PowerShell script, and malicious service DLL, which ultimately loads a reflective loader and the core implant. The core implant handles command-and-control communication and installs the Demodex kernel rootkit, leveraging Cheat Engine's signed driver to bypass driver signature enforcement.

Date

Published: Aug. 8, 2024, 11:12 a.m.

Created: Aug. 8, 2024, 11:12 a.m.

Modified: Aug. 8, 2024, 11:38 a.m.

Indicators

f81a2e8a2a272e0bdae4e267fa220d6d40e23214087f33bdcdab6c7ad10b60b8

193.239.86.168

Download all indicators here!

Attack Patterns

Demodex

GhostEmperor

T1578

T1197

T1497

T1547

T1218

T1129

T1105

T1570

T1543

T1132

T1112

T1003

T1059

CVE-2024-20399