Days after Microsoft patched a set of four vulnerabilities in Exchange Server in March, a previously unknown Chinese-speaking threat actor used them to deploy an advanced malware toolset on systems belonging to government agencies, telecom firms, and other high-profile victims, mostly in Southeast Asia.
The campaign was one of several involving China-based advanced persistent threat (APT) actors that security vendor Kaspersky observed attacking targets around the world during the second quarter. Cyberattacks involving Chinese APT groups have received a lot of attention in recent weeks after the Biden administration formally accused Beijing of using criminal groups to carry out commercial espionage and other malicious activities against US and allied targets.
Kaspersky says it stumbled across the new threat actor — who it is tracking as GhostEmperor — while investigating a rash of attacks against the Microsoft Exchange vulnerabilities, collectively called ProxyLogon, earlier this year.
The threat actor's activity stood out because it involved the use of a previously unknown Windows kernel-level rootkit and a unique method to load it by bypassing the Windows Driver Signature Enforcement mechanism using a component of an open source tool called "Cheat Engine."
According to Kaspersky, the multistage malware framework that GhostEmperor used in the attacks was sophisticated and designed to give the attacker complete remote control over compromised servers. The malware bore no similarity to anything that Kaspersky had tracked before and appeared to have been in use since at least July 2020, the vendor said.
"Cheat Engine is a program used for cheating in video games by providing the user with tools to edit the game’s running memory in order to modify various values in it," says Kaspersky security researcher Ariel Jungheit. For example, gamers can use the tool to modify the extent of damage to weapons or edit their score, player health, available time, and other metrics, he says.
"This program is shipped with a signed driver named ‘dbk64.sys,’ which the actor abused ultimately to load the rootkit," he adds.
Jungheit says Kaspersky has observed GhostEmperor gaining a foothold on public-facing servers at organizations using the Microsoft Exchange vulnerabilities. However, the group has used multiple other initial infection vectors as well.
"Based on our observations, we suspect that the ProxyLogon vulnerability was opportunistically used in some cases," Jungheit says. The threat actor's goal appears to be to maintain persistence within target environments to conduct espionage.
Multiple Threat Groups
GhostEmperor is just one of several threat groups that have targeted the Microsoft Exchange flaws. The most notable is Hafnium, a China-backed threat actor that exploited the vulnerabilities in targeted attacks against US organizations even before patches were available for them. After news of the flaws become public, several threat groups began targeting them, causing broad concern over widespread compromises in the US and elsewhere. The concerns also prompted the FBI to take the unprecedented step of proactively removing malicious Web shells that threat actors deployed on Exchange servers — without always notifying owners of those servers of the action first.
In addition to GhostEmperor, Kaspersky tracked several other Chinese-speaking APT groups engaged in attacks against targets worldwide during the second quarter.
One was APT31 aka ZIRCONIUM, a cyber espionage group thought to be backed by the Chinese government that has been associated with numerous attacks on government organizations, financial institutions, defense and aerospace, and entities in several other critical sectors. Last quarter, Kaspersky observed the threat actor setting up a new attack infrastructure consisting of compromised SOHO routers to target organizations in Europe. The security vendor described APT31 as using the infrastructure to communicate with Cobalt Strike post-exploit attack kits on infected systems.
Another Chinese-speaking APT group that Kaspersky tracked was BountyClad, a threat actor that compromised a certificate authority in Mongolia in February and replaced its digital certificate management client with a malicious downloader. Kaspersky says it observed the group associated with other activities, including server-side attacks on WebSphere and WebLogic in Hong Kong. At least some of the infrastructure the group was seen using has been associated with attacks that targeted US organizations conducting COVID-19 research last May.
"As we have seen before, the activities of APT threat groups can combine focused development of highly sophisticated tools alongside opportunism – the former when required to achieve their aims, the latter when they can do the same without investing heavily in advanced technologies," says David Emm, security researcher at Kaspersky.