Is GhostEmperor Back? Sygnia Finds Clues in Recent Cyber Incident

July 24, 2024 at 12:06PM

The GhostEmperor threat group, first identified by Kaspersky in 2021, may have resurfaced in a 2023 compromise investigated by Sygnia. Sygnia linked the new compromise to GhostEmperor on the basis of similarities in the infection chain and the use of the Demodex rootkit. It remains uncertain, however, whether this marks the return of GhostEmperor or the emergence of a new actor. The primary objective appeared to be targeting the victim's business partners.

Sygnia's investigation associates the compromise with GhostEmperor based on similarities in the infection chain and the use of the Demodex rootkit. The infection chain begins with WMIExec, drops an encrypted CAB file, edits the registry for persistence, and leverages legitimate Windows tools for stealth. Despite these similarities, there are enough differences for Sygnia to conclude that the return of GhostEmperor is likely but not certain.

The time gap between Kaspersky's initial report and the new compromise, together with the absence of other GhostEmperor sightings in between, raises the question of whether this is the return of GhostEmperor or the emergence of a new threat actor. The primary purpose of the attack was likely to gain access to the victim's business partners, potentially for supply chain attacks.

Sygnia has invited the security community to share intelligence so that the impact of this time gap can be understood: whether it reflects a lack of activity by GhostEmperor or a lack of visibility into the group's activities.

The original report also links related articles on cybersecurity threats, particularly those associated with Chinese threat actors, for further context.
