www.sygnia.co
Open in
urlscan Pro
2606:4700:3108::ac42:286e
Public Scan
URL:
https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/
Submission: On July 31 via api from IN — Scanned from DE
Submission: On July 31 via api from IN — Scanned from DE
Form analysis 3 forms found in the DOM
https://www.sygnia.co/
<form class="addsearch-searchfield" autocomplete="off" role="search" action="https://www.sygnia.co/">
<div class="search-field-wrapper">
<input type="search" value="" name="s" placeholder="Search">
<input class="btn_search" type="submit" value="">
</div>
</form>POST https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/8776530/1ad9c304-415a-4d9d-ba10-a5145c1db1c3
<form id="hsForm_1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single_sidebar" method="POST" accept-charset="UTF-8" enctype="multipart/form-data" novalidate=""
action="https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/8776530/1ad9c304-415a-4d9d-ba10-a5145c1db1c3"
class="hs-form-private hsForm_1ad9c304-415a-4d9d-ba10-a5145c1db1c3 hs-form-1ad9c304-415a-4d9d-ba10-a5145c1db1c3 hs-form-1ad9c304-415a-4d9d-ba10-a5145c1db1c3_626a1503-e124-491a-afb9-97447cd0bdef hs-form stacked"
target="target_iframe_1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single_sidebar" data-instance-id="626a1503-e124-491a-afb9-97447cd0bdef" data-form-id="1ad9c304-415a-4d9d-ba10-a5145c1db1c3" data-portal-id="8776530"
data-test-id="hsForm_1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single_sidebar">
<div class="hs_email hs-email hs-fieldtype-text field hs-form-field"><label id="label-email-1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single_sidebar" class="" placeholder="Enter your Work Email"
for="email-1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single_sidebar"><span>Work Email</span><span class="hs-form-required">*</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input id="email-1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single_sidebar" name="email" required="" placeholder="" type="email" class="hs-input" inputmode="email" autocomplete="email" value=""></div>
</div>
<div class="hs_submit hs-submit">
<div class="hs-field-desc" style="display: none;"></div>
<div class="actions"><input type="submit" class="hs-button primary large" value="Submit"></div>
</div><input name="hs_context" type="hidden"
value="{"embedAtTimestamp":"1722410086803","formDefinitionUpdatedAt":"1712520639710","lang":"en","embedType":"REGULAR","disableCookieSubmission":"true","renderRawHtml":"true","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","pageTitle":"Ghost Emperor Hacker Uses Demodex Rootkit to Attack | Sygnia","pageUrl":"https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/","isHubSpotCmsGeneratedPage":false,"hutk":"3eeba6d14f18215d212b203fb7e7abd7","__hsfp":1240600147,"__hssc":"147695848.1.1722410087683","__hstc":"147695848.3eeba6d14f18215d212b203fb7e7abd7.1722410087683.1722410087683.1722410087683.1","formTarget":"#hbspt-form-626a1503-e124-491a-afb9-97447cd0bdef","formInstanceId":"b_subsctibe_content_form_single_sidebar","rumScriptExecuteTime":916,"rumTotalRequestTime":1297.5,"rumTotalRenderTime":1326,"rumServiceResponseTime":381.5,"rumFormRenderTime":28.5,"connectionType":"4g","firstContentfulPaint":0,"largestContentfulPaint":0,"locale":"en","timestamp":1722410087690,"originalEmbedContext":{"portalId":"8776530","formId":"1ad9c304-415a-4d9d-ba10-a5145c1db1c3","region":"na1","target":"#hbspt-form-626a1503-e124-491a-afb9-97447cd0bdef","isBuilder":false,"isTestPage":false,"isPreview":false,"formInstanceId":"b_subsctibe_content_form_single_sidebar","isMobileResponsive":true},"correlationId":"626a1503-e124-491a-afb9-97447cd0bdef","renderedFieldsIds":["email"],"captchaStatus":"NOT_APPLICABLE","emailResubscribeStatus":"NOT_APPLICABLE","isInsideCrossOriginFrame":false,"source":"forms-embed-1.5697","sourceName":"forms-embed","sourceVersion":"1.5697","sourceVersionMajor":"1","sourceVersionMinor":"5697","allPageIds":{},"_debug_embedLogLines":[{"clientTimestamp":1722410086889,"level":"INFO","message":"Retrieved customer callbacks used on embed context: [\"onFormReady\",\"onFormSubmit\",\"onFormSubmitted\"]"},{"clientTimestamp":1722410086889,"level":"INFO","message":"Retrieved pageContext values which may be overriden by the embed context: {\"pageTitle\":\"Ghost Emperor Hacker Uses Demodex Rootkit to Attack | Sygnia\",\"pageUrl\":\"https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36\",\"isHubSpotCmsGeneratedPage\":false}"},{"clientTimestamp":1722410086890,"level":"INFO","message":"Retrieved countryCode property from normalized embed definition response: \"DE\""},{"clientTimestamp":1722410087686,"level":"INFO","message":"Retrieved analytics values from API response which may be overriden by the embed context: {\"hutk\":\"3eeba6d14f18215d212b203fb7e7abd7\"}"}]}"><iframe
name="target_iframe_1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single_sidebar" style="display: none;"></iframe>
</form>POST https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/8776530/1ad9c304-415a-4d9d-ba10-a5145c1db1c3
<form id="hsForm_1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single" method="POST" accept-charset="UTF-8" enctype="multipart/form-data" novalidate=""
action="https://forms.hsforms.com/submissions/v3/public/submit/formsnext/multipart/8776530/1ad9c304-415a-4d9d-ba10-a5145c1db1c3"
class="hs-form-private hsForm_1ad9c304-415a-4d9d-ba10-a5145c1db1c3 hs-form-1ad9c304-415a-4d9d-ba10-a5145c1db1c3 hs-form-1ad9c304-415a-4d9d-ba10-a5145c1db1c3_c9537b1b-f4d6-465d-aeea-c964b99208f3 hs-form stacked"
target="target_iframe_1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single" data-instance-id="c9537b1b-f4d6-465d-aeea-c964b99208f3" data-form-id="1ad9c304-415a-4d9d-ba10-a5145c1db1c3" data-portal-id="8776530"
data-test-id="hsForm_1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single">
<div class="hs_email hs-email hs-fieldtype-text field hs-form-field"><label id="label-email-1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single" class="" placeholder="Enter your Work Email"
for="email-1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single"><span>Work Email</span><span class="hs-form-required">*</span></label>
<legend class="hs-field-desc" style="display: none;"></legend>
<div class="input"><input id="email-1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single" name="email" required="" placeholder="" type="email" class="hs-input" inputmode="email" autocomplete="email" value=""></div>
</div>
<div class="hs_submit hs-submit">
<div class="hs-field-desc" style="display: none;"></div>
<div class="actions"><input type="submit" class="hs-button primary large" value="Submit"></div>
<div class="load"></div>
</div><input name="hs_context" type="hidden"
value="{"embedAtTimestamp":"1722410086969","formDefinitionUpdatedAt":"1712520639710","lang":"en","embedType":"REGULAR","disableCookieSubmission":"true","renderRawHtml":"true","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36","pageTitle":"Ghost Emperor Hacker Uses Demodex Rootkit to Attack | Sygnia","pageUrl":"https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/","isHubSpotCmsGeneratedPage":false,"hutk":"3eeba6d14f18215d212b203fb7e7abd7","__hsfp":1240600147,"__hssc":"147695848.1.1722410087683","__hstc":"147695848.3eeba6d14f18215d212b203fb7e7abd7.1722410087683.1722410087683.1722410087683.1","formTarget":"#hbspt-form-c9537b1b-f4d6-465d-aeea-c964b99208f3","formInstanceId":"b_subsctibe_content_form_single","rumScriptExecuteTime":916,"rumTotalRequestTime":1468.1999969482422,"rumTotalRenderTime":1523.8999977111816,"rumServiceResponseTime":552.1999969482422,"rumFormRenderTime":55.70000076293945,"connectionType":"4g","firstContentfulPaint":0,"largestContentfulPaint":0,"locale":"en","timestamp":1722410087696,"originalEmbedContext":{"portalId":"8776530","formId":"1ad9c304-415a-4d9d-ba10-a5145c1db1c3","region":"na1","target":"#hbspt-form-c9537b1b-f4d6-465d-aeea-c964b99208f3","isBuilder":false,"isTestPage":false,"isPreview":false,"formInstanceId":"b_subsctibe_content_form_single","isMobileResponsive":true},"correlationId":"c9537b1b-f4d6-465d-aeea-c964b99208f3","renderedFieldsIds":["email"],"captchaStatus":"NOT_APPLICABLE","emailResubscribeStatus":"NOT_APPLICABLE","isInsideCrossOriginFrame":false,"source":"forms-embed-1.5697","sourceName":"forms-embed","sourceVersion":"1.5697","sourceVersionMajor":"1","sourceVersionMinor":"5697","allPageIds":{},"_debug_embedLogLines":[{"clientTimestamp":1722410087060,"level":"INFO","message":"Retrieved customer callbacks used on embed context: [\"onFormReady\",\"onFormSubmit\",\"onFormSubmitted\"]"},{"clientTimestamp":1722410087060,"level":"INFO","message":"Retrieved pageContext values which may be overriden by the embed context: {\"pageTitle\":\"Ghost Emperor Hacker Uses Demodex Rootkit to Attack | Sygnia\",\"pageUrl\":\"https://www.sygnia.co/blog/ghost-emperor-demodex-rootkit/\",\"userAgent\":\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36\",\"isHubSpotCmsGeneratedPage\":false}"},{"clientTimestamp":1722410087061,"level":"INFO","message":"Retrieved countryCode property from normalized embed definition response: \"DE\""},{"clientTimestamp":1722410087691,"level":"INFO","message":"Retrieved analytics values from API response which may be overriden by the embed context: {\"hutk\":\"3eeba6d14f18215d212b203fb7e7abd7\"}"}]}"><iframe
name="target_iframe_1ad9c304-415a-4d9d-ba10-a5145c1db1c3_b_subsctibe_content_form_single" style="display: none;"></iframe>
</form>Text Content
×
This website stores cookies on your computer. These cookies are used to collect
information about how you interact with our website and allow us to remember
you. We use this information in order to improve and customize your browsing
experience and for analytics and metrics about our visitors both on this website
and other media. To find out more about the cookies we use, see our Privacy
Policy.
If you decline, your information won’t be tracked when you visit this website. A
single cookie will be used in your browser to remember your preference not to be
tracked.
Cookies settings
Accept All Decline All
* Solutions
* Services
* Cyber readiness
* Know
* Posture enhancement
* Secure design
* M&A assessment
* Prepare
* Incident response retainer
* Ransomware readiness
* Crisis preparedness & contingency planning
* Simulate
* Red teaming
* Purple teaming
* Tabletop wargames
* Detect
* Continuous monitoring (MXDR)
* Advanced monitoring
* Threat hunting & compromise assessment
* Cyber response
* Respond & Recover
* Incident response
* Technologies
* Velocity XDR
* Enterprise Solutions
* OT security
* Cloud security
* Ransomware readiness
* Company
* About us
* Story and values
* Leadership
* Press releases
* Our Clients
* Case studies
* Careers
* Open Positions
* Knowledge Center
* All resources
* Blog
* Threat reports & advisories
* Guides and tools
* Newsroom
I’m under attack
Contact us
I’m under attack
* Solutions
* Services
* Cyber readiness
* Know
* Posture enhancement
* Secure design
* M&A assessment
* Prepare
* Incident response retainer
* Ransomware readiness
* Crisis preparedness & contingency planning
* Simulate
* Red teaming
* Purple teaming
* Tabletop wargames
* Detect
* Continuous monitoring (MXDR)
* Advanced monitoring
* Threat hunting & compromise assessment
* Cyber response
* Respond & Recover
* Incident response
* Technologies
* Velocity XDR
* Enterprise Solutions
* OT security
* Cloud security
* Ransomware readiness
* Company
* About us
* Story and values
* Leadership
* Press releases
* Our Clients
* Case studies
* Careers
* Open Positions
* Knowledge Center
* All resources
* Blog
* Threat reports & advisories
* Guides and tools
* Newsroom
CONTACT US
* Home
* Blog
* The Return of Ghost Emperor’s Demodex
THE RETURN OF GHOST EMPEROR’S DEMODEX
A Comprehensive Look at the Updated Infection Chain of Ghost Emperor’s Demodex
Rootkit.
Dor Nizar, Malware Researcher
17 July 2024
CONTENTS
* Executive Summary
* Introduction
* WMIExec
* Batch File
* PowerShell script
* Prints1m.dll - Service DLL
* EDR Evasion and Anti-User-Mode Hooking Technique
* Shellcode and Reflective loader
* Core-Implant
* Appendix - IOC
EXECUTIVE SUMMARY
* In late 2023, Sygnia’s Incident Response team was engaged by a client whose
network was compromised and was leveraged to penetrate one of its business
partner’s network.
* During the investigation, several servers, workstations, and users were found
to be compromised by a threat actor who deployed various tools to communicate
with a set of C2 servers.
* One of these tools was identified as a variant of Demodex, a rootkit
previously associated with the threat group known as GhostEmperor.
* GhostEmperor is a sophisticated China-nexus threat group known to target
mostly South-East Asian telecommunication and government entities, first
disclosed by Kaspersky in a blog published in September 2021.
* GhostEmperor employs a multi-stage malware to achieve stealth execution and
persistence and utilizes several methods to impede analysis process.
* Usually, once the threat group gains initial access to the victim’s network
by using vulnerabilities such as ProxyLogon, a batch file is executed to
initiate the infection chain.
* In this blog we describe a new infection chain deployed by GhostEmperor,
which includes several loading schemes and various obfuscation techniques
utilized by the threat group.
INTRODUCTION
During Sygnia’s analysis of the forensic findings extracted from the victim’s
environment, the team found strong resemblance to the multi-stage tool which was
described in Kaspersky’s blog from 2021. However, our investigation yielded some
alterations in the infection chain and a slightly different C++ DLL variant.
Among these alterations, the variant we analyzed incorporates an EDR evasion
technique and uses a reflective loader to execute the Core-Implant.
Additionally, we identified the use of different file names and registry keys.
The variant we encountered appears to have been compiled in July 2021,
suggesting it might be a more recent version than the one originally analyzed by
Kaspersky.
This blog post focuses on the key differences we identified and analyzed in the
infection chain and the loading scheme operations.
New Infection Chain Flow Graph Infection Chain: Process Tree Overview
WMIEXEC
WMIExec is a command-line tool used for executing commands on remote Windows
systems through Windows Management Instrumentation (WMI).
It is part of the Impacket Toolkit, which is an open-source collection of
modules written in Python for programmatically constructing and manipulating
network protocols, that is commonly used by threat actors and red teams.
During our investigation, we observed that the threat actor used this tool to
run a batch file, initiating the infection chain on the victim’s compromised
machine. The output logs were saved to a file located at c:\windows\temp using a
local SMB path. The following command was executed:
cmd.exe /Q /c c:\windows\vss\1.bat >
\127.0.0.1\C$\Windows\Temp[generated_string] 2>&1
Snippet showcasing the WMIExec command being executed on a victim machine with
batch script ‘1.bat’
BATCH FILE
The batch file starts the infection by installing the malware and obtaining
persistency by the following actions:
It starts by dropping a CAB file named “1.cab” to C:\Windows\Web. CAB is a
compressed archive format commonly utilized in Windows to bundle multiple files.
The batch file then uses expand.exe – a native Windows tool used for file
extraction from compressed Cabinet files (.cab), to extract these four files:
* prints1m.dll – Service DLL.
* Service.ps1 – encrypted Powershell.
* config.REG – registry dump of AES decryption key.
* AesedMemoryBinX64.REG – registry dump of AES-encrypted shellcode containing
the Core-Implant.
Next, the batch file imports the two registry files using the reg.exe import
[file] command to set two registry keys with encrypted values, which will be
used later to execute the next stage.
Snippet from Registry Explorer showcasing the embedded payload stored in the
registry value ‘inputlog’.
The threat actor employs several LOLBins such as reg.exe and expand.exe within
the batch file to achieve stealthiness as they are legitimate and signed
Microsoft built-in tools which do not arouse any suspicion.
The Batch file proceeds and executes an encrypted PowerShell script, passing a
decryption key as a parameter. This script contains an encrypted blob, which,
once decrypted using the provided key, reveals another PowerShell script that is
executed.
A command line executing the PowerShell script and the decryption argument
POWERSHELL SCRIPT
The decrypted PowerShell script creates a new service named “WdiSystem” that
loads the malicious Service DLL (prints1m.dll). It also creates a service group
called “WdiSystemhost” and runs the malicious service within this group. By
running the malicious service within the context of the “WdiSystemhost” service
group, the threat actor masquerades the malware’s execution as a legitimate
Windows system process, as it resembles the authentic and legitimate
WdiSystemHost (“Windows Diagnostic System Host” service).
Rogue “WdiSystemhost” service in process list
To accomplish this technique, the script carries out the following steps:
* Creates a service by invoking the New-Service PowerShell command with
svchost.exe as the binary path of the service.
* Creates a service group named “WdiSystemhost” by adding a new registry key in
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentCersion\SvcHost:
Registry view of service groups managed by svchost
The lowercase “host” in the name suggests it is a rogue version. The original
name is “WdiSystemHost”
* Wires the malicious service DLL (prints1m.dll) to the service by setting a
“ServiceDll” registry key with the DLL’s path as the value, located in
HKLM:\SYSTEM\CurrentControlSet\Services\WdiSystem\Parameters.
Registry view of the key that dictates the DLL associated with the malware’s
service.
* Runs the service by invoking the Start-Service PowerShell command.
* Launches the malicious service DLL (prints1m.dll) as a service which is
executed within the service group.
The PowerShell script after decryption
PRINTS1M.DLL – SERVICE DLL
This Service DLL dynamically loads all of the necessary functions it requires
for operation by navigating through an internal OS structure named Process
Environment Block, which contains the already loaded libraries and functions in
the process.
The Kernel32 library, loaded by default in every process, is used by the malware
to access the LoadLibraryA function, which is responsible for loading DLLs into
the process.
Subsequently, an encrypted configuration located at the DLL’s data section
(offset 0x4050) is decrypted using a custom decryption scheme, which contains
the following parameters:
* Initial sleep time.
* Registry paths of the shellcode location (which was established by the batch
file).
* A list of module and function names required for operation (offset 0x45F0).
The service uses this list to create an in-memory Import Address Table, loading
the modules it requires using the LoadLibraryA function, and traverses each
module’s export table to obtain the necessary functions.
Part of service’s code to dynamically load necessary functions Memory view of
the decrypted configuration, showing the list of functions Memory view of the
decrypted configuration, showing the path of the encrypted shellcode
After setting up an anti-hooking technique (which will be described in the next
section), the service
initiates the next stage by spawning a new thread. It then sleeps for 15 seconds
before attempting to decrypt and execute the next stage, which is retrieved from
the registry keys set by the batch file. In case of failure, it retries at
intervals of 30 to 60 seconds until successful execution is achieved.
Snippet of code showing the decryption loop
EDR EVASION AND ANTI-USER-MODE HOOKING TECHNIQUE
Antivirus and EDR solutions typically inject DLLs into the address space of
running applications to facilitate user-mode hooking, thus identifying and
preventing malicious activity within the processes.
During our investigation we observed that the threat actor added an evasion
technique to the Service DLL by setting a specific mitigation policy to the
process:
Calling SetMitigationPolicy with ProcessSignaturePolicy as parameter to set the
mitigation policy
Mitigation policies, such as ASLR, DEP and CFG, are security measures
implemented by the OS to mitigate attacks and vulnerabilities such as Buffer
Overflows and Code Injections. Some of these mitigation policies are enabled in
the process by default. In our investigation, the threat actor set up a
particular mitigation named “ProcessSignaturePolicy” which forbid loading DLLs
that are not signed by Microsoft to the process.
This means that any security solution trying to inject a DLL not signed by
Microsoft will fail to do so. This technique helps circumvent analysis tools by
limiting user-mode hooking.
Service’s mitigation policies
The fact that many antivirus vendors employ DLLs with a legitimate Microsoft
signature, and that some security solutions inject their DLLs prior to the
invocation of SetProcessMitigationPolicy, limits the effectiveness of this
method.
SHELLCODE AND REFLECTIVE LOADER
The Service DLL reads two encrypted registry keys that were set by the batch
file:
“AKey” – an AES decryption key
“inputlog” – an AES-encrypted shellcode containing the core-implant.
Snippet from Sandbox execution of the threat actor’s malicious service showing
the read activity performed by the service of the two registry keys
The service employs the AES algorithm to decrypt the encrypted shellcode
retrieved from the “inputlog” registry key. It sets the decryption key from the
“AKey” value and uses a null byte array as the Initialization Vector (IV). The
shellcode consists of a Position-Independent shellcode functioning as a
reflective loader, alongside a corrupted Portable Executable (PE) file,
positioned at offset 0x4000. Certain headers within the PE file have been
deliberately stripped to enhance resistance to analysis and detection.
Specifically, the “MZ” and “PE” headers have been nullified, and the DOS Stub
has been removed.
Jump\trampoline at the Start of the shellcode Corrupted PE file located at
offset 0x4000
The shellcode loads the core-implant DLL using a reflective loader which
performs the following steps:
* Allocates memory for the core-implant DLL.
* Parses the custom PE headers of the core-implant.
* Moves each section to its proper location in the allocated memory.
Code snippet parsing DLL sections and relocating them to the appropriate memory
locations
* Performs relocation of the code and data sections to match the new base
address.
* Resolves the import table.
* Sets proper memory protections.
Code snippet applying correct protections for each section
* Executes the now-ready Core-Implant by calling its Entry Point.
CORE-IMPLANT
The Core-Implant handles two main tasks – managing Command and Control (C2)
communication and installing the Demodex kernel rootkit. To load Demodex, the
threat actor had to bypass the Driver Signature Enforcement (DSE) security
feature, which blocks unsigned drivers.
To do that, the threat actor leveraged “Cheat Engine”, an open-source tool used
for video game cheating, and utilized its signed driver, dbk64.sys, to
manipulate memory and execute code in kernel space. the threat actor used this
driver to map and execute a shellcode in kernel space which patches the IOCTL
Dispatcher of the dbk64.sys driver. This modification adds functionality to the
driver that enables it to load the Demodex driver.
An analysis of the Core-Implant’s metadata shows that the threat actor modified
the compilation and export-table timestamp of the Core-Implant to 12 Feb 2016.
However, the timestamp of the debug section is set to 02 July 2021, which might
indicate that this is the actual time this implant was created.
Core-Implant’s timestamps retrieved from PE Studio
APPENDIX – IOC
DescriptionHashService DLL – prints1m.dllMD5: 4bb191c6d3a234743ace703d7d518f8f
SHA1: 43f1c44fa14f9ce2c0ba9451de2f7d3dd1a208dePowerShell script –
service.ps1MD5: 95e3312de43c1da4cc3be8fa47ab9fa4
SHA1: a59cca28205eeb94c331010060f86ad2f3d41882Cheat Engine driver –
dbk64.sysMD5: d8ebfd26bed0155e7c4ec2ca429c871d
SHA1: bab2ae2788dee2c41065850b2877202e57369f37C2 Domainimap.dateupdata[.]comC2
IP193.239.86.168
CONTENTS
* Executive Summary
* Introduction
* WMIExec
* Batch File
* PowerShell script
* Prints1m.dll - Service DLL
* EDR Evasion and Anti-User-Mode Hooking Technique
* Shellcode and Reflective loader
* Core-Implant
* Appendix - IOC
related articles
Sygnia Recognized for the Third Consecutive Year in The Gartner 2024 Market
Guide for Digital Forensics and Incident Response Retainer Services
10 July 2024
China-Nexus Threat Group ‘Velvet Ant’ Exploits Cisco Zero-Day (CVE-2024-20399)
to Compromise Nexus Switch Devices – Advisory for Mitigation and Response
1 July 2024
China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence
3 June 2024
Navigating the Digital Minefield
20 May 2024
NEWSLETTER SIGNUP
Keep up to date with our weekly digest of articles.
Work Email*
By clicking Subscribe, I agree to the use of my personal data in accordance with
Sygnia Privacy Policy. Sygnia will not sell, trade, lease, or rent your personal
data to third parties.
2024 GARTNER® MARKET GUIDE FOR DFIR RETAINER SERVICES
Download Complimentary Copy
RELATED ARTICLES
Blog
SYGNIA RECOGNIZED FOR THE THIRD CONSECUTIVE YEAR IN THE GARTNER 2024 MARKET
GUIDE FOR DIGITAL FORENSICS AND INCIDENT RESPONSE RETAINER SERVICES
In June, Sygnia, was named a Representative Vendor in the 2024 Gartner® Market
Guide for Digital Forensics and Incident Response Retainer Services (DFIR).
Read more
Threat Reports and Advisories
CHINA-NEXUS THREAT GROUP ‘VELVET ANT’ EXPLOITS CISCO ZERO-DAY (CVE-2024-20399)
TO COMPROMISE NEXUS SWITCH DEVICES – ADVISORY FOR MITIGATION AND RESPONSE
Learn about the forensic investigation by Sygnia, the cyber espionage operation
by Velvet Ant, and best practices for safeguarding your network against
sophisticated threats.
Read more
Blog
CHINA-NEXUS THREAT GROUP ‘VELVET ANT’ ABUSES F5 LOAD BALANCERS FOR PERSISTENCE
Discover the detailed forensic investigation by Sygnia into the sophisticated
cyber attack by Velvet Ant on a major organization.
Read more
Want to get in touch?
Contact us
Subscribe to newsletter
Work Email*
By clicking Subscribe, I agree to the use of my personal data in accordance with
Sygnia Privacy Policy. Sygnia will not sell, trade, lease, or rent your personal
data to third parties.
Company
* About
* Careers
Services
* Know
* Prepare
* Simulate
* Detect
* Respond & Recover
Technologies
* Velocity XDR
Enterprise Solutions
* OT Security
* Cloud Security
* Ransomware Readiness
Knowledge Center
* Blog
* Reports and advisories
Copyright © 2024 Sygnia Consulting Ltd. All rights reserved.
* Privacy
* Terms of use