2606:4700:3108::ac42:286e
URL:
https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/
Submission: On July 31 via api from IN — Scanned from DE
Form analysis
3 forms found in the DOM
GET https://www.sygnia.co/
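<!-- Site search. Same-origin GET to the site root; the query travels in the "s" parameter.
     The captured DOM has no visible <label> for the search box and the submit control has an
     empty value (the class "btn_search" presumably styles it as an icon), so neither control
     had an accessible name. aria-label is the last-resort fix that changes nothing about what
     is submitted; the GET method is made explicit rather than relying on the default. -->
<form class="addsearch-searchfield" action="https://www.sygnia.co/" method="get" autocomplete="off" role="search">
  <div class="search-field-wrapper">
    <input name="s" type="search" placeholder="Search" aria-label="Search">
    <input class="btn_search" type="submit" value="" aria-label="Submit search">
  </div>
</form>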
POST https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/8776530/1ad9c304-415a-4d9d-ba10-a5145c1db1c3
<!-- Newsletter signup, HubSpot embed instance "b_subsctibe_content_form_single_sidebar".
     Cross-origin multipart POST to the forms.hsforms.com endpoint in `action`; `target` names
     the hidden iframe at the end of this form, so the response lands there and the page itself
     does not navigate. `novalidate` switches off the browser's native constraint checks, so the
     `required` / type="email" attributes on the input below are only enforced by whatever script
     the embed attaches (not visible in this capture). -->
<form id="hsForm_1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single_sidebar" method="POST" accept-charset="UTF-8" enctype="multipart/form-data" novalidate=""
action="https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/8776530/1ad9c304-415a-4d9d-ba10-a5145c1db1c3"
class="hs-form-private hsForm_1ad9c304-415a-4d9d-ba10-a5145c1db1c3 hs-form-1ad9c304-415a-4d9d-ba10-a5145c1db1c3 hs-form-1ad9c304-415a-4d9d-ba10-a5145c1db1c3_626a1503-e124-491a-afb9-97447cd0bdef hs-form stacked"
target="target_iframe_1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single_sidebar" data-instance-id="626a1503-e124-491a-afb9-97447cd0bdef" data-form-id="1ad9c304-415a-4d9d-ba10-a5145c1db1c3" data-portal-id="8776530"
data-test-id="hsForm_1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single_sidebar">
<!-- NOTE(review): `placeholder` is not a valid attribute on <label>; the input's own placeholder is empty,
     so the visible label text is the <span>Work Email</span> below. -->
<div class="hs_email hs-email hs-fieldtype-text field hs-form-field"><label id="label-email-1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single_sidebar" class="" placeholder="Enter your Work Email"
for="email-1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single_sidebar"><span>Work Email</span><span class="hs-form-required">*</span></label>
<!-- NOTE(review): <legend> is only valid as the first child of a <fieldset>; there is no fieldset in this form. -->
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input id="email-1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single_sidebar" name="email" required="" placeholder="" type="email" class="hs-input" inputmode="email" autocomplete="email" value=""></div>
</div>
<div class="hs_submit hs-submit">
<div class="hs-field-desc" style="display: none;"></div>
<div class="actions"><input type="submit" class="hs-button primary large" value="Submit"></div>
<!-- The hidden hs_context field is client-generated JSON that is posted with the email: embed
     timing, the page title/URL, the browser's user agent and the HubSpot analytics identifiers
     (hutk, __hstc, __hssc, __hsfp). Every value is set on the client, so the receiving side has to
     treat it as untrusted input. The double quotes inside value="…" appear unescaped in this capture;
     presumably the scanner decoded &quot; when rendering — confirm against the raw response before
     reusing this markup. -->
</div><input name="hs_context" type="hidden"
value="{"embedAtTimestamp":"1722410086803","formDefinitionUpdatedAt":"1712520639710","lang":"en","embedType":"REGULAR","disableCookieSubmission":"true","renderRawHtml":"true","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","pageTitle":"Ghost Emperor Hacker Uses Demodex Rootkit to Attack | Sygnia","pageUrl":"https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/","isHubSpotCmsGeneratedPage":false,"hutk":"3eeba6d14f18215d212b203fb7e7abd7","__hsfp":1240600147,"__hssc":"147695848.1.1722410087683","__hstc":"147695848.3eeba6d14f18215d212b203fb7e7abd7.1722410087683.1722410087683.1722410087683.1","formTarget":"#hbspt-form-626a1503-e124-491a-afb9-97447cd0bdef","formInstanceId":"b_subsctibe_content_form_single_sidebar","rumScriptExecuteTime":916,"rumTotalRequestTime":1297.5,"rumTotalRenderTime":1326,"rumServiceResponseTime":381.5,"rumFormRenderTime":28.5,"connectionType":"4g","firstContentfulPaint":0,"largestContentfulPaint":0,"locale":"en","timestamp":1722410087690,"originalEmbedContext":{"portalId":"8776530","formId":"1ad9c304-415a-4d9d-ba10-a5145c1db1c3","region":"na1","target":"#hbspt-form-626a1503-e124-491a-afb9-97447cd0bdef","isBuilder":false,"isTestPage":false,"isPreview":false,"formInstanceId":"b_subsctibe_content_form_single_sidebar","isMobileResponsive":true},"correlationId":"626a1503-e124-491a-afb9-97447cd0bdef","renderedFieldsIds":["email"],"captchaStatus":"NOT_APPLICABLE","emailResubscribeStatus":"NOT_APPLICABLE","isInsideCrossOriginFrame":false,"source":"forms-embed-1.5697","sourceName":"forms-embed","sourceVersion":"1.5697","sourceVersionMajor":"1","sourceVersionMinor":"5697","allPageIds":{},"_debug_embedLogLines":[{"clientTimestamp":1722410086889,"level":"INFO","message":"Retrieved customer callbacks used on embed context: [\"onFormReady\",\"onFormSubmit\",\"onFormSubmitted\"]"},{"clientTimestamp":1722410086889,"level":"INFO","message":"Retrieved pageContext values which may be overriden 
by the embed context: {\"pageTitle\":\"Ghost Emperor Hacker Uses Demodex Rootkit to Attack | Sygnia\",\"pageUrl\":\"https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36\",\"isHubSpotCmsGeneratedPage\":false}"},{"clientTimestamp":1722410086890,"level":"INFO","message":"Retrieved countryCode property from normalized embed definition response: \"DE\""},{"clientTimestamp":1722410087686,"level":"INFO","message":"Retrieved analytics values from API response which may be overriden by the embed context: {\"hutk\":\"3eeba6d14f18215d212b203fb7e7abd7\"}"}]}"><iframe
name="target_iframe_1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single_sidebar" style="display: none;"></iframe>
</form>
POST https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/8776530/1ad9c304-415a-4d9d-ba10-a5145c1db1c3
<!-- Newsletter signup, HubSpot embed instance "b_subsctibe_content_form_single" (same form id and
     portal as the sidebar instance, different instance id). Cross-origin multipart POST to the
     forms.hsforms.com endpoint in `action`; `target` names the hidden iframe at the end of this form,
     so the response lands there and the page does not navigate. `novalidate` disables native
     constraint validation, so `required` / type="email" on the input below are enforced only by the
     embed's own script, which this capture does not show. -->
<form id="hsForm_1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single" method="POST" accept-charset="UTF-8" enctype="multipart/form-data" novalidate=""
action="https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/8776530/1ad9c304-415a-4d9d-ba10-a5145c1db1c3"
class="hs-form-private hsForm_1ad9c304-415a-4d9d-ba10-a5145c1db1c3 hs-form-1ad9c304-415a-4d9d-ba10-a5145c1db1c3 hs-form-1ad9c304-415a-4d9d-ba10-a5145c1db1c3_c9537b1b-f4d6-465d-aeea-c964b99208f3 hs-form stacked"
target="target_iframe_1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single" data-instance-id="c9537b1b-f4d6-465d-aeea-c964b99208f3" data-form-id="1ad9c304-415a-4d9d-ba10-a5145c1db1c3" data-portal-id="8776530"
data-test-id="hsForm_1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single">
<!-- NOTE(review): `placeholder` is not a valid <label> attribute; the visible label is the <span>Work Email</span> below. -->
<div class="hs_email hs-email hs-fieldtype-text field hs-form-field"><label id="label-email-1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single" class="" placeholder="Enter your Work Email"
for="email-1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single"><span>Work Email</span><span class="hs-form-required">*</span></label>
<!-- NOTE(review): stray <legend> — valid only as the first child of a <fieldset>, and there is none here. -->
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input id="email-1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single" name="email" required="" placeholder="" type="email" class="hs-input" inputmode="email" autocomplete="email" value=""></div>
</div>
<div class="hs_submit hs-submit">
<div class="hs-field-desc" style="display: none;"></div>
<div class="actions"><input type="submit" class="hs-button primary large" value="Submit"></div>
<div class="load"></div>
<!-- hs_context: client-generated JSON posted alongside the email — embed timing, page title/URL,
     user agent and the HubSpot analytics identifiers (hutk, __hstc, __hssc, __hsfp). Because every
     value originates in the browser, the server must treat the whole blob as untrusted. The inner
     double quotes show up unescaped inside value="…" in this capture; presumably &quot; was decoded
     by the scanner's renderer — verify against the raw response before reusing the markup. -->
</div><input name="hs_context" type="hidden"
value="{"embedAtTimestamp":"1722410086969","formDefinitionUpdatedAt":"1712520639710","lang":"en","embedType":"REGULAR","disableCookieSubmission":"true","renderRawHtml":"true","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","pageTitle":"Ghost Emperor Hacker Uses Demodex Rootkit to Attack | Sygnia","pageUrl":"https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/","isHubSpotCmsGeneratedPage":false,"hutk":"3eeba6d14f18215d212b203fb7e7abd7","__hsfp":1240600147,"__hssc":"147695848.1.1722410087683","__hstc":"147695848.3eeba6d14f18215d212b203fb7e7abd7.1722410087683.1722410087683.1722410087683.1","formTarget":"#hbspt-form-c9537b1b-f4d6-465d-aeea-c964b99208f3","formInstanceId":"b_subsctibe_content_form_single","rumScriptExecuteTime":916,"rumTotalRequestTime":1468.1999969482422,"rumTotalRenderTime":1523.8999977111816,"rumServiceResponseTime":552.1999969482422,"rumFormRenderTime":55.70000076293945,"connectionType":"4g","firstContentfulPaint":0,"largestContentfulPaint":0,"locale":"en","timestamp":1722410087696,"originalEmbedContext":{"portalId":"8776530","formId":"1ad9c304-415a-4d9d-ba10-a5145c1db1c3","region":"na1","target":"#hbspt-form-c9537b1b-f4d6-465d-aeea-c964b99208f3","isBuilder":false,"isTestPage":false,"isPreview":false,"formInstanceId":"b_subsctibe_content_form_single","isMobileResponsive":true},"correlationId":"c9537b1b-f4d6-465d-aeea-c964b99208f3","renderedFieldsIds":["email"],"captchaStatus":"NOT_APPLICABLE","emailResubscribeStatus":"NOT_APPLICABLE","isInsideCrossOriginFrame":false,"source":"forms-embed-1.5697","sourceName":"forms-embed","sourceVersion":"1.5697","sourceVersionMajor":"1","sourceVersionMinor":"5697","allPageIds":{},"_debug_embedLogLines":[{"clientTimestamp":1722410087060,"level":"INFO","message":"Retrieved customer callbacks used on embed context: [\"onFormReady\",\"onFormSubmit\",\"onFormSubmitted\"]"},{"clientTimestamp":1722410087060,"level":"INFO","message":"Retrieved 
pageContext values which may be overriden by the embed context: {\"pageTitle\":\"Ghost Emperor Hacker Uses Demodex Rootkit to Attack | Sygnia\",\"pageUrl\":\"https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36\",\"isHubSpotCmsGeneratedPage\":false}"},{"clientTimestamp":1722410087061,"level":"INFO","message":"Retrieved countryCode property from normalized embed definition response: \"DE\""},{"clientTimestamp":1722410087691,"level":"INFO","message":"Retrieved analytics values from API response which may be overriden by the embed context: {\"hutk\":\"3eeba6d14f18215d212b203fb7e7abd7\"}"}]}"><iframe
name="target_iframe_1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single" style="display: none;"></iframe>
</form>
Text Content
Home > Blog > The Return of Ghost Emperor’s Demodex

THE RETURN OF GHOST EMPEROR’S DEMODEX
A Comprehensive Look at the Updated Infection Chain of Ghost Emperor’s Demodex Rootkit.
Dor Nizar, Malware Researcher — 17 July 2024

CONTENTS * Executive Summary * Introduction * WMIExec * Batch File * PowerShell script * Prints1m.dll - Service DLL * EDR Evasion and Anti-User-Mode Hooking Technique * Shellcode and Reflective loader * Core-Implant * Appendix - IOC

EXECUTIVE SUMMARY
* In late 2023, Sygnia’s Incident Response team was engaged by a client whose network was compromised and then leveraged to penetrate the network of one of its business partners.
* During the investigation, several servers, workstations, and users were found to be compromised by a threat actor who deployed various tools to communicate with a set of C2 servers.
* One of these tools was identified as a variant of Demodex, a rootkit previously associated with the threat group known as GhostEmperor.
* GhostEmperor is a sophisticated China-nexus threat group known to target mostly South-East Asian telecommunication and government entities, first disclosed by Kaspersky in a blog published in September 2021.
* GhostEmperor employs multi-stage malware to achieve stealthy execution and persistence, and utilizes several methods to impede the analysis process.
* Usually, once the threat group gains initial access to the victim’s network by using vulnerabilities such as ProxyLogon, a batch file is executed to initiate the infection chain.
* In this blog we describe a new infection chain deployed by GhostEmperor, which includes several loading schemes and various obfuscation techniques utilized by the threat group.
INTRODUCTION
During Sygnia’s analysis of the forensic findings extracted from the victim’s environment, the team found a strong resemblance to the multi-stage tool described in Kaspersky’s blog from 2021. However, our investigation yielded some alterations in the infection chain and a slightly different C++ DLL variant. Among these alterations, the variant we analyzed incorporates an EDR evasion technique and uses a reflective loader to execute the Core-Implant. Additionally, we identified the use of different file names and registry keys. The variant we encountered appears to have been compiled in July 2021, suggesting it might be a more recent version than the one originally analyzed by Kaspersky. This blog post focuses on the key differences we identified and analyzed in the infection chain and the loading scheme operations.
New Infection Chain Flow Graph
Infection Chain: Process Tree Overview

WMIEXEC
WMIExec is a command-line tool used for executing commands on remote Windows systems through Windows Management Instrumentation (WMI). It is part of the Impacket toolkit, an open-source collection of Python modules for programmatically constructing and manipulating network protocols, which is commonly used by threat actors and red teams. During our investigation, we observed that the threat actor used this tool to run a batch file, initiating the infection chain on the victim’s compromised machine. The output logs were saved to a file located at c:\windows\temp using a local SMB path. The following command was executed: cmd.exe /Q /c c:\windows\vss\1.bat > \\127.0.0.1\C$\Windows\Temp\[generated_string] 2>&1
Snippet showcasing the WMIExec command being executed on a victim machine with batch script ‘1.bat’

BATCH FILE
The batch file starts the infection by installing the malware and establishing persistence through the following actions: it starts by dropping a CAB file named “1.cab” to C:\Windows\Web.
CAB is a compressed archive format commonly utilized in Windows to bundle multiple files. The batch file then uses expand.exe – a native Windows tool used for extracting files from compressed Cabinet (.cab) archives – to extract these four files:
* prints1m.dll – Service DLL.
* Service.ps1 – encrypted PowerShell script.
* config.REG – registry dump of the AES decryption key.
* AesedMemoryBinX64.REG – registry dump of the AES-encrypted shellcode containing the Core-Implant.
Next, the batch file imports the two registry files using the reg.exe import [file] command to set two registry keys with encrypted values, which will be used later to execute the next stage.
Snippet from Registry Explorer showcasing the embedded payload stored in the registry value ‘inputlog’.
The threat actor employs several LOLBins such as reg.exe and expand.exe within the batch file to remain stealthy, as they are legitimate, signed Microsoft built-in tools which do not arouse suspicion. The batch file then executes an encrypted PowerShell script, passing a decryption key as a parameter. This script contains an encrypted blob which, once decrypted using the provided key, reveals another PowerShell script that is executed.
A command line executing the PowerShell script and the decryption argument

POWERSHELL SCRIPT
The decrypted PowerShell script creates a new service named “WdiSystem” that loads the malicious Service DLL (prints1m.dll). It also creates a service group called “WdiSystemhost” and runs the malicious service within this group. By running the malicious service within the context of the “WdiSystemhost” service group, the threat actor masquerades the malware’s execution as a legitimate Windows system process, as it resembles the authentic WdiSystemHost (“Windows Diagnostic System Host”) service.
Rogue “WdiSystemhost” service in process list
To accomplish this technique, the script carries out the following steps:
* Creates a service by invoking the New-Service PowerShell command with svchost.exe as the binary path of the service.
* Creates a service group named “WdiSystemhost” by adding a new registry key in HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost:
Registry view of service groups managed by svchost. The lowercase “host” in the name suggests it is a rogue version; the original name is “WdiSystemHost”.
* Wires the malicious service DLL (prints1m.dll) to the service by setting a “ServiceDll” registry value to the DLL’s path under HKLM:\SYSTEM\CurrentControlSet\Services\WdiSystem\Parameters.
Registry view of the key that dictates the DLL associated with the malware’s service.
* Runs the service by invoking the Start-Service PowerShell command.
* Launches the malicious service DLL (prints1m.dll) as a service which is executed within the service group.
The PowerShell script after decryption

PRINTS1M.DLL – SERVICE DLL
This Service DLL dynamically loads all of the functions it requires for operation by navigating through an internal OS structure named the Process Environment Block, which contains the libraries and functions already loaded in the process. The Kernel32 library, loaded by default in every process, is used by the malware to access the LoadLibraryA function, which is responsible for loading DLLs into the process. Subsequently, an encrypted configuration located in the DLL’s data section (offset 0x4050) is decrypted using a custom decryption scheme; it contains the following parameters:
* Initial sleep time.
* Registry paths of the shellcode location (which was established by the batch file).
* A list of module and function names required for operation (offset 0x45F0).
The service uses this list to create an in-memory Import Address Table, loading the modules it requires using the LoadLibraryA function and traversing each module’s export table to obtain the necessary functions.
Part of the service’s code to dynamically load necessary functions
Memory view of the decrypted configuration, showing the list of functions
Memory view of the decrypted configuration, showing the path of the encrypted shellcode
After setting up an anti-hooking technique (described in the next section), the service initiates the next stage by spawning a new thread. It then sleeps for 15 seconds before attempting to decrypt and execute the next stage, which is retrieved from the registry keys set by the batch file. In case of failure, it retries at intervals of 30 to 60 seconds until execution succeeds.
Snippet of code showing the decryption loop

EDR EVASION AND ANTI-USER-MODE HOOKING TECHNIQUE
Antivirus and EDR solutions typically inject DLLs into the address space of running applications to facilitate user-mode hooking, thereby identifying and preventing malicious activity within those processes. During our investigation we observed that the threat actor added an evasion technique to the Service DLL by setting a specific mitigation policy on the process:
Calling SetProcessMitigationPolicy with ProcessSignaturePolicy as the parameter to set the mitigation policy
Mitigation policies, such as ASLR, DEP and CFG, are security measures implemented by the OS to mitigate attacks and vulnerabilities such as buffer overflows and code injection. Some of these mitigation policies are enabled in a process by default. In our investigation, the threat actor set a particular mitigation named “ProcessSignaturePolicy” which forbids loading DLLs that are not signed by Microsoft into the process. This means that any security solution trying to inject a DLL not signed by Microsoft will fail to do so.
This technique helps circumvent analysis tools by limiting user-mode hooking.
Service’s mitigation policies
The fact that many antivirus vendors employ DLLs with a legitimate Microsoft signature, and that some security solutions inject their DLLs prior to the invocation of SetProcessMitigationPolicy, limits the effectiveness of this method.

SHELLCODE AND REFLECTIVE LOADER
The Service DLL reads two encrypted registry keys that were set by the batch file:
* “AKey” – an AES decryption key.
* “inputlog” – an AES-encrypted shellcode containing the core-implant.
Snippet from sandbox execution of the threat actor’s malicious service showing the service reading the two registry keys
The service employs the AES algorithm to decrypt the encrypted shellcode retrieved from the “inputlog” registry key. It sets the decryption key from the “AKey” value and uses a null byte array as the Initialization Vector (IV). The shellcode consists of position-independent shellcode functioning as a reflective loader, alongside a corrupted Portable Executable (PE) file positioned at offset 0x4000. Certain headers within the PE file have been deliberately stripped to enhance resistance to analysis and detection. Specifically, the “MZ” and “PE” headers have been nullified, and the DOS stub has been removed.
Jump/trampoline at the start of the shellcode
Corrupted PE file located at offset 0x4000
The shellcode loads the core-implant DLL using a reflective loader which performs the following steps:
* Allocates memory for the core-implant DLL.
* Parses the custom PE headers of the core-implant.
* Moves each section to its proper location in the allocated memory.
Code snippet parsing DLL sections and relocating them to the appropriate memory locations
* Performs relocation of the code and data sections to match the new base address.
* Resolves the import table.
* Sets proper memory protections.
Code snippet applying correct protections for each section
* Executes the now-ready Core-Implant by calling its entry point.

CORE-IMPLANT
The Core-Implant handles two main tasks – managing Command and Control (C2) communication and installing the Demodex kernel rootkit. To load Demodex, the threat actor had to bypass the Driver Signature Enforcement (DSE) security feature, which blocks unsigned drivers. To do that, the threat actor leveraged “Cheat Engine”, an open-source tool used for video game cheating, and utilized its signed driver, dbk64.sys, to manipulate memory and execute code in kernel space. The threat actor used this driver to map and execute shellcode in kernel space which patches the IOCTL dispatcher of the dbk64.sys driver. This modification adds functionality to the driver that enables it to load the Demodex driver. An analysis of the Core-Implant’s metadata shows that the threat actor modified the compilation and export-table timestamp of the Core-Implant to 12 Feb 2016. However, the timestamp of the debug section is set to 02 July 2021, which might indicate that this is the actual time this implant was created.
Core-Implant’s timestamps retrieved from PE Studio

APPENDIX – IOC
Description – Hash
* Service DLL – prints1m.dll: MD5 4bb191c6d3a234743ace703d7d518f8f; SHA1 43f1c44fa14f9ce2c0ba9451de2f7d3dd1a208de
* PowerShell script – service.ps1: MD5 95e3312de43c1da4cc3be8fa47ab9fa4; SHA1 a59cca28205eeb94c331010060f86ad2f3d41882
* Cheat Engine driver – dbk64.sys: MD5 d8ebfd26bed0155e7c4ec2ca429c871d; SHA1 bab2ae2788dee2c41065850b2877202e57369f37
* C2 Domain: imap.dateupdata[.]com
* C2 IP: 193.239.86.168